Keycloak Admin REST API returns 403 for one realm but works for another using the same master admin token
Hi everyone,
I am stuck with a Keycloak Admin REST API permission issue.
I have one Keycloak server with multiple realms:
local
dev
test
staging
I have an admin user in the master realm. My application logs in through admin-cli using this master admin user, gets an access token, and then calls Admin REST API endpoints to query users from different realms.
For example:
GET /admin/realms/staging/users
GET /admin/realms/test/users
The strange part is:
/admin/realms/staging/users works
/admin/realms/test/users returns 403 Forbidden
Both requests are made using the same master realm admin user and the same admin-cli token flow.
I have already checked the role mappings in the Keycloak Admin Console. For the master admin user, the relevant roles for the test realm appear to be assigned, including:
test-realm → query-users
test-realm → view-users
test-realm → view-realm
test-realm → manage-users
The equivalent roles for staging are also assigned, and staging works correctly.
I also decoded the access token. The decoded token looks the same when used for both staging and test, which makes sense because it is the same master realm admin user and the same login flow. The token issuer is from the master realm, and the authorized party is admin-cli.
However, when calling the users endpoint, only the test realm fails with 403 Forbidden.
I also checked the UI for fine-grained admin permissions, but in my Keycloak Admin Console I do not see an “Admin Permissions” or “Permissions” section under Realm Settings or under the realm-management client. So I am not sure if fine-grained admin permissions are enabled or relevant in this setup.
What I have verified so far:
1. The realm ID is test, and the API URL uses /admin/realms/test/users.
2. The same admin user and same token flow works for staging.
3. The master admin user appears to have test-realm query-users, view-users, view-realm, and manage-users roles assigned.
4. The equivalent staging-realm roles are assigned, and staging works correctly.
5. test still returns 403 Forbidden.
6. I cannot find any fine-grained admin permissions UI in this Keycloak console.
7. I have compared the decoded tokens used for staging and test, and they appear to be the same.
My question is:
Why would the same master realm admin token be allowed to query users in staging, but return 403 Forbidden for test, even though the corresponding test-realm roles appear to be assigned to the same master admin user?
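As an added example (not code from the original post), here is a small Python diagnostic that reproduces the comparison the post describes: one admin-cli password-grant token from the master realm, GET /admin/realms/<realm>/users for each realm, and, for every realm that answers 403, the admin user's effective (composite-resolved) roles on that realm's `<realm>-realm` client in master, which is where master holds the roles shown as "test-realm → query-users" in the console. It assumes the Keycloak base URL and credentials come from the KC_BASE, KC_USER and KC_PASS environment variables, and that listing users is gated on view-users or query-users of that client; the `offline_get` data is constructed sample data, not output from the poster's server.

```python
import base64
import json
import os
import urllib.error
import urllib.parse
import urllib.request

# Assumed: roles on master's '<realm>-realm' client that GET /admin/realms/<realm>/users checks.
LIST_USERS_ROLES = ("view-users", "query-users")


def realm_admin_client(realm):
    """Master holds each realm's admin roles on a client named '<realm>-realm'."""
    return f"{realm}-realm"


def decode_jwt_payload(token):
    """Decode the JWT payload without verifying it (diagnostics only, never for authz)."""
    payload = token.split(".")[1]
    payload += "=" * (-len(payload) % 4)
    return json.loads(base64.urlsafe_b64decode(payload))


def missing_roles(effective_roles, required=LIST_USERS_ROLES):
    """Required role names absent from a list of RoleRepresentation dicts."""
    names = {r["name"] for r in effective_roles}
    return [r for r in required if r not in names]


def get_token(base, username, password):
    """Password grant against master's admin-cli client, as the post's application does."""
    data = urllib.parse.urlencode({
        "grant_type": "password", "client_id": "admin-cli",
        "username": username, "password": password,
    }).encode()
    req = urllib.request.Request(f"{base}/realms/master/protocol/openid-connect/token", data=data)
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)["access_token"]


def make_getter(base, token):
    """Return get(path, params) -> (status, body); 4xx/5xx are returned, not raised."""
    def get(path, params=None):
        url = f"{base}{path}" + (f"?{urllib.parse.urlencode(params)}" if params else "")
        req = urllib.request.Request(url, headers={"Authorization": f"Bearer {token}"})
        try:
            with urllib.request.urlopen(req) as resp:
                return resp.status, json.load(resp)
        except urllib.error.HTTPError as e:
            return e.code, e.read().decode(errors="replace")
    return get


def diagnose(realms, get, admin_username):
    """Per realm: status of GET /users; on 403, the admin's effective roles on '<realm>-realm'."""
    _, users = get("/admin/realms/master/users", {"username": admin_username})
    me = next(u for u in users if u["username"] == admin_username)  # search is substring, so match exactly
    report = {}
    for realm in realms:
        status, _ = get(f"/admin/realms/{realm}/users", {"max": 1})
        entry = {"status": status}
        if status == 403:
            _, clients = get("/admin/realms/master/clients", {"clientId": realm_admin_client(realm)})
            if not clients:
                entry["error"] = f"no client {realm_admin_client(realm)} in master"
            else:
                _, roles = get(f"/admin/realms/master/users/{me['id']}"
                               f"/role-mappings/clients/{clients[0]['id']}/composite")
                entry["effective_roles"] = sorted(r["name"] for r in roles)
                entry["missing"] = missing_roles(roles)
        report[realm] = entry
    return report


# Constructed offline stand-in for get(): staging lists fine, test returns 403 and the admin's
# effective test-realm roles lack both list roles. Sample data, not the poster's server.
def offline_get(path, params=None):
    if path == "/admin/realms/master/users":
        return 200, [{"id": "u-1", "username": "admin"}]
    if path == "/admin/realms/staging/users":
        return 200, []
    if path == "/admin/realms/test/users":
        return 403, {"error": "HTTP 403 Forbidden"}
    if path == "/admin/realms/master/clients":
        return 200, [{"id": "c-test", "clientId": params["clientId"]}]
    if path.endswith("/role-mappings/clients/c-test/composite"):
        return 200, [{"name": "view-realm"}, {"name": "manage-users"}]
    raise AssertionError(f"unexpected path {path}")


if __name__ == "__main__":
    if os.environ.get("KC_BASE"):
        token = get_token(os.environ["KC_BASE"], os.environ["KC_USER"], os.environ["KC_PASS"])
        claims = decode_jwt_payload(token)
        print("iss:", claims.get("iss"), "azp:", claims.get("azp"))
        get = make_getter(os.environ["KC_BASE"], token)
    else:
        get = offline_get
    print(json.dumps(diagnose(["staging", "test"], get, os.environ.get("KC_USER", "admin")), indent=2))
```

Run it with KC_BASE, KC_USER and KC_PASS set to query the real server; without them it runs against the constructed sample. The point of the `/composite` call is that it reports what the server actually resolves for the user on the `test-realm` client, including roles inherited through composites, rather than what the role mapping tab displays, so a difference between the staging-realm and test-realm entries in the report is the first thing to compare.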