Testing HTTP API with service user - getting 403 for some requests

Hi, I am getting 403 for some operations with service user when consumig HTTP API e.g. thru Postman.

First of all: testing whole setup with swagger UI (using configured authorizationCode flow) works fine.

Since Swagger is not supporting client_credential flow I use Postman with service user, but get 403 trying to e.g. query existing asset. At the same time query asset is working fine.

Here my steps to reproduce:


  • Postman - configured Oauth 2.0 Authotization with “Client Credentials” grant type

Kind regards

Hi Vladimir, I’d suggest looking at my collection.json file, and the text that goes along with it. Currently, due to the way that keycloak is set up, you do not receive a refresh-token when creating a new OAuth token. To enable refresh-tokens for service users, I’ve created a guide on that post.

Here’s the link: Release: OpenRemote Postman API Collection with fix for OAuth Authentication

I hope that helps,


Also, I would recommend using my collection.json file in Postman for now, since I’ve made sure it works. It includes proper authentication with OAuth and refresh tokens, variables for realms, hosts, and service users, and every single endpoint already documented. I hope it’ll help you out with what you’re trying to achieve.

To delve deeper into why this is happening, the current timeout for OAuth tokens by service users (clients) in OpenRemote is 60 seconds. So maybe, by the time you are executing the second query, the one for your Asset, the token is expired, there is no refresh token for Postman to use, and you are automatically un-authenticated.

Hi @panos do you have any intention of making a web sockets collection I would be so grateful for this.

Hi Panos, first of all, thank you for your support!

I took now your collection.json, imported into Postman but observe same behavior.

In my initial tests I have already adapted AccessToken lifespan to 1000 Minutes

And I saw your hint to set “Use Refresh Token For Client credentials Grant”, so this is set as well

Asset Query works fine, here my manager Webui

And here working response via postman using collection provided by you

And here same error when trying to create new asset, receive 403 again

How did you create your service user? Does the service user have the correct permissions and is it on the correct realm? The user needs to have write access for you to be able to write new assets.

Hi Panos, I have created user thru Openremote WebUI.

here the roles in manager WebUI

Also here my check what do I have in such token

ACCESS_TOKEN=$(curl --insecure -s $KEYCLOAK_URL/realms/$KEYCLOAK_REALM/protocol/openid-connect/token \
 -d grant_type=client_credentials \
 | jq -r '.access_token')
echo $ACCESS_TOKEN | sed 's/\(.*\)\.\(.*\)\.\(.*\)/\2/' | base64 -d | jq

And here result in console

  "exp": 1701161353,
  "iat": 1701101353,
  "jti": "19e0bd2a-ed7d-4617-b5ab-2b122c06437f",
  "iss": "https://localhost/auth/realms/master",
  "aud": [
  "sub": "d3535f05-b120-449d-8d36-39dd26ab70d1",
  "typ": "Bearer",
  "azp": "test",
  "session_state": "74f682df-a617-4580-ae7d-ced79149f0b6",
  "acr": "1",
  "realm_access": {
    "roles": [
  "resource_access": {
    "test": {
      "roles": [
    "openremote": {
      "roles": [
    "account": {
      "roles": [
  "scope": "roles profile email",
  "sid": "74f682df-a617-4580-ae7d-ced79149f0b6",
  "clientId": "test",
  "clientHost": "",
  "email_verified": false,
  "preferred_username": "service-account-test",
  "clientAddress": ""

Try removing the “restricted user” role from your service user role.

Hi Panos, yes , that helped. Thank you for your support.
Best regards , Vladimir

This topic was automatically closed 90 days after the last reply. New replies are no longer allowed.