"admin" client role now requires server admin user #43578

@guidokubach

Before reporting an issue

  • I have read and understood the above terms for submitting issues, and I understand that my issue may be closed without action if I do not follow them.

Area

admin/api

Describe the bug

Hi,

after upgrading from 26.2 to 26.4.1, the changes made in #39956 also affect client roles named admin in non-admin realms.

This means the local realm-management account (service-account of the backend client) can no longer give the client role admin (no other roles or mappings associated to it) to other users.

It seems unlikely to me that this is intended behaviour, as this role is only an admin role within the app the client is for, and not for the Keycloak realm / master realm.

Version

26.4.1

Regression

  • The issue is a regression

Expected behavior

Only restrict actual admin (realm) roles.

Actual behavior

403 Forbidden

How to Reproduce?

  • Create a new realm
  • Create a new client with service-account and realm-management roles
  • Create a new client role admin
  • Create a dummy user
  • Try to have the service-account give that user the admin client role

Anything else?

No response
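
The reproduction steps above, scripted against the Keycloak Admin REST API as an added example (not the reporter's or the Keycloak project's code). Assumptions: `base` is the server URL, `admin_token` is a bearer token of a server admin, the realm name, client id `backend`, secret and username are constructed values, and "realm-management roles" is taken to mean every role of the `realm-management` client.

```python
import json
import urllib.error
import urllib.parse
import urllib.request


def http(base, method, path, token=None, body=None, form=None):
    """Send one request; return (status, Location header, parsed JSON or None)."""
    data = urllib.parse.urlencode(form).encode() if form else None
    headers = {"Authorization": "Bearer " + token} if token else {}
    if body is not None:
        data = json.dumps(body).encode()
        headers["Content-Type"] = "application/json"
    req = urllib.request.Request(base + path, data=data, headers=headers, method=method)
    try:
        with urllib.request.urlopen(req) as resp:
            raw = resp.read()
            return resp.status, resp.headers.get("Location"), json.loads(raw) if raw else None
    except urllib.error.HTTPError as err:
        return err.code, None, None


def reproduce(base, admin_token, realm="issue-43578", send=http):
    """Run the five steps; return the HTTP status of the final role-mapping call."""
    adm = "/admin/realms/" + realm
    # 1. new realm
    send(base, "POST", "/admin/realms", admin_token, {"realm": realm, "enabled": True})
    # 2. confidential client with a service account (secret is a constructed value)
    client = {"clientId": "backend", "secret": "constructed-secret",
              "publicClient": False, "serviceAccountsEnabled": True}
    cid = send(base, "POST", adm + "/clients", admin_token, client)[1].rsplit("/", 1)[-1]
    sa = send(base, "GET", f"{adm}/clients/{cid}/service-account-user", admin_token)[2]["id"]
    rm = send(base, "GET", adm + "/clients?clientId=realm-management", admin_token)[2][0]["id"]
    rm_roles = send(base, "GET", f"{adm}/clients/{rm}/roles", admin_token)[2]
    send(base, "POST", f"{adm}/users/{sa}/role-mappings/clients/{rm}", admin_token, rm_roles)
    # 3. client role named "admin", with no composites or mappings
    send(base, "POST", f"{adm}/clients/{cid}/roles", admin_token, {"name": "admin"})
    role = send(base, "GET", f"{adm}/clients/{cid}/roles/admin", admin_token)[2]
    # 4. dummy user (its id is the tail of the Location header)
    user = {"username": "dummy", "enabled": True}
    uid = send(base, "POST", adm + "/users", admin_token, user)[1].rsplit("/", 1)[-1]
    # 5. the service account itself tries to grant the client role
    form = {"grant_type": "client_credentials", "client_id": "backend",
            "client_secret": "constructed-secret"}
    sa_token = send(base, "POST", f"/realms/{realm}/protocol/openid-connect/token",
                    form=form)[2]["access_token"]
    return send(base, "POST", f"{adm}/users/{uid}/role-mappings/clients/{cid}",
                sa_token, [role])[0]
```

A return value of 403 from `reproduce(...)` matches the actual behavior reported here; a 2xx status means the mapping was accepted.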
