Service Account /realms/{realm}/account Access

Joao Lourenco

Mar 24, 2023, 5:51:35 AM3/24/23
to Keycloak User
Hi all,

I have a use case where I need a Service Account to update its own User Attributes. The client to which this Service Account belongs is created using the DCR flow, using the default provider, with Client Authentication and Service Accounts enabled.
I have a custom scope with custom mappers for user attributes, where some are hardcoded and some are dynamic.
As far as I have tested, when I authenticate to this client with the client credentials flow, I can't seem to invoke the /realms/{realm}/account endpoint with the access code granted by Keycloak; I get a 401 Unauthorized.
I have confirmed that this service account has the "view-profile" and "manage-account" roles that belong to the "account" client.
I have tried using the following mappers, which don't seem to have any effect:
  • client roles
  • realm roles
  • audience resolve
  • Audience - mapping the account and manage-account client in the "aud" claim in the access token. I don't really know if Keycloak validates the "aud" claim, but I assume so.
I have confirmed that these mappers are included in the access token.

So are Service Accounts purposely unable to access the account interface/endpoints?
Am I trying to achieve something that isn't supposed to be done with Keycloak?

Thank you for your help

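When debugging a 401 like the one described in the post, the first thing worth doing is to decode the access token actually returned by the client credentials grant and confirm which claims the account client would see: whether "account" is in "aud", whether the "view-profile" and "manage-account" roles appear under resource_access.account.roles, which scopes were granted, and whether the token belongs to a service-account user. The script below is an added example and is not code from the original post or from the Keycloak project; it decodes the token payload without verifying the signature (fine for inspection, never for authorization), and the issuer, client id and token contents are a constructed sample standing in for a real Keycloak token. It only checks what the token carries; it cannot tell you whether the account endpoint will accept a service-account token.

```python
"""Decode a Keycloak access token and report the claims relevant to the
/realms/{realm}/account endpoint. Added example, not from the original post.
Signature is NOT verified: this is a debugging aid, not an auth check."""
import base64
import json


def b64url_decode(segment: str) -> bytes:
    # JWT segments omit base64 padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def decode_claims(token: str) -> dict:
    """Return the payload of a compact JWS without checking the signature."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS (expected header.payload.signature)")
    return json.loads(b64url_decode(parts[1]))


def account_access_report(claims: dict,
                          required_roles=("view-profile", "manage-account")) -> dict:
    """Summarise the claims the 'account' client would look at."""
    aud = claims.get("aud", [])
    if isinstance(aud, str):          # Keycloak emits a string for a single audience
        aud = [aud]
    account_roles = set(
        claims.get("resource_access", {}).get("account", {}).get("roles", [])
    )
    return {
        # Keycloak names service-account users "service-account-<clientId>"
        "is_service_account": claims.get("preferred_username", "")
                              .startswith("service-account-"),
        "aud_has_account": "account" in aud,
        "account_roles": sorted(account_roles),
        "missing_roles": sorted(set(required_roles) - account_roles),
        "scopes": claims.get("scope", "").split(),
    }


def make_unsigned_token(claims: dict) -> str:
    """Build an alg=none token so the example runs offline; for tests only."""
    header = b64url_encode(json.dumps({"alg": "none", "typ": "JWT"}).encode())
    payload = b64url_encode(json.dumps(claims).encode())
    return f"{header}.{payload}."


# Constructed sample resembling a client-credentials token; all values hypothetical.
SAMPLE_CLAIMS = {
    "iss": "https://keycloak.example.test/realms/demo",
    "aud": ["account"],
    "azp": "my-dcr-client",
    "preferred_username": "service-account-my-dcr-client",
    "scope": "profile email custom-scope",
    "realm_access": {"roles": ["default-roles-demo"]},
    "resource_access": {"account": {"roles": ["view-profile", "manage-account"]}},
}

if __name__ == "__main__":
    # In practice, paste the access_token from the token endpoint response here.
    token = make_unsigned_token(SAMPLE_CLAIMS)
    print(json.dumps(account_access_report(decode_claims(token)), indent=2))
```

If "missing_roles" is non-empty or "aud_has_account" is false, the mappers are not doing what the admin console suggests; if the report is clean and the endpoint still returns 401, the problem lies in how the account client evaluates the token rather than in its contents.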