Keycloak REST API 403 forbidden

Question

I am trying to delete user session using keycloak REST API, But getting the 403 forbidden Http status code. I am passing the token and cookie in to the header, please let me know if I missing something.

static void logOut(String userId,KeycloakSecurityContext session){

        userId = "a12c13b7-fa2e-412f-ac8e-376fdca16a83";

        String url = "http://localhost:8081/auth/admin/realms/TestRealm/users/a12c13b7-fa2e-412f-ac8e-376fdca16a83/logout";
        HttpClient httpclient = HttpClients.createDefault();
        HttpPost httppost = new HttpPost(url);

        HttpResponse response;
        try {

            httppost.addHeader("Accept", "application/json");
            httppost.addHeader("Content-Type","application/json");
            httppost.addHeader("Cookie", "JSESSIONID=CABD8A135C74864F0961FA629D6D489B");
            httppost.addHeader("Authorization", "Bearer "+session.getTokenString());


            response = httpclient.execute(httppost);
            HttpEntity entity = response.getEntity();

            System.out.println("entity :"+response.getStatusLine());

            if (entity != null) {
                String responseString = EntityUtils.toString(entity, "UTF-8");
                System.out.println("body ....."+responseString);
            }
        } catch (ClientProtocolException e) {
            // TODO Auto-generated catch block
            e.printStackTrace();
        } catch (IOException e) {
            // TODO Auto-generated catch block
            e.printStackTrace();
        }

    }

subrob sugrobych subrob sugrobych · Accepted Answer · 2017-08-15T15:23:15

the user you use to access according functions needs according rights on your realm.

For example my 'admin' user needed a CLIENT ROLE "view-users" of CLIENT "realm-management" to be able to get information about users. In your case, when you need to delete a user, you may need a role "manage-users" or may be something more powerful.

Keycloak REST API 403 forbidden

2 Answers