diff --git a/app/api/users/[userId]/roles/route.ts b/app/api/users/[userId]/roles/route.ts
index e34da2dd..f806537f 100644
--- a/app/api/users/[userId]/roles/route.ts
+++ b/app/api/users/[userId]/roles/route.ts
@@ -35,6 +35,14 @@ export async function GET(
 if (!process.env.KEYCLOAK_ADMIN_PASSWORD) missingVars.push('KEYCLOAK_ADMIN_PASSWORD');
 if (!process.env.KEYCLOAK_REALM) missingVars.push('KEYCLOAK_REALM');
+ // Note: Client secret might be required depending on client configuration
+ console.log('Keycloak client config:', {
+ clientId: process.env.KEYCLOAK_CLIENT_ID,
+ hasClientSecret: !!process.env.KEYCLOAK_CLIENT_SECRET,
+ username: process.env.KEYCLOAK_ADMIN_USERNAME,
+ realm: process.env.KEYCLOAK_REALM,
+ });
+
 if (missingVars.length > 0) {
 console.error(`Missing Keycloak environment variables: ${missingVars.join(', ')}`);
 return NextResponse.json(
@@ -106,6 +114,14 @@ export async function PUT(
 if (!process.env.KEYCLOAK_ADMIN_PASSWORD) missingVars.push('KEYCLOAK_ADMIN_PASSWORD');
 if (!process.env.KEYCLOAK_REALM) missingVars.push('KEYCLOAK_REALM');
+ // Note: Client secret might be required depending on client configuration
+ console.log('Keycloak client config:', {
+ clientId: process.env.KEYCLOAK_CLIENT_ID,
+ hasClientSecret: !!process.env.KEYCLOAK_CLIENT_SECRET,
+ username: process.env.KEYCLOAK_ADMIN_USERNAME,
+ realm: process.env.KEYCLOAK_REALM,
+ });
+
 if (missingVars.length > 0) {
 console.error(`Missing Keycloak environment variables: ${missingVars.join(', ')}`);
 return NextResponse.json(
diff --git a/lib/keycloak.ts b/lib/keycloak.ts
index d2a0b584..5566097e 100644
--- a/lib/keycloak.ts
+++ b/lib/keycloak.ts
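Review bot: The added `console.log('Keycloak client config:', …)` sits before the `missingVars` check, so it appears to run on every GET, and the identical block in the PUT hunk on every PUT, writing the admin username, client id and realm to the server log each time. Only the secret is reduced to a boolean; the account name used for the password grant deserves the same treatment, e.g. `hasUsername: !!process.env.KEYCLOAK_ADMIN_USERNAME`. Moving the call inside the `if (missingVars.length > 0)` branch, or behind a debug flag, would keep the diagnostic without emitting it per request. The block is duplicated verbatim in both handlers, whose bodies start and end outside these hunks, so a shared helper would keep the two copies from drifting.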
@@ -26,6 +26,7 @@ export async function getKeycloakAdminClient(): Promise {
 const adminClientId = process.env.KEYCLOAK_CLIENT_ID;
 const adminUsername = process.env.KEYCLOAK_ADMIN_USERNAME;
 const adminPassword = process.env.KEYCLOAK_ADMIN_PASSWORD;
+ const clientSecret = process.env.KEYCLOAK_CLIENT_SECRET;
 const realmName = process.env.KEYCLOAK_REALM;
 // Validate required environment variables
@@ -54,12 +55,19 @@ export async function getKeycloakAdminClient(): Promise {
 });
 // Authenticate admin client
- await kcAdminClient.auth({
+ const authParams: Credentials = {
 clientId: adminClientId,
 username: adminUsername,
 password: adminPassword,
 grantType: 'password',
- } as Credentials);
+ };
+
+ // Add client secret if available
+ if (clientSecret) {
+ authParams.clientSecret = clientSecret;
+ }
+
+ await kcAdminClient.auth(authParams);
 console.log('Successfully authenticated with Keycloak admin client');
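Review bot: With the client secret now passed in the second hunk, `authParams` still uses `grantType: 'password'`, so the server keeps depending on a stored admin username and password in addition to the secret. If the Keycloak client is confidential and has a service account enabled (not visible here), `grantType: 'client_credentials'` with only `clientId` and `clientSecret` would remove the human admin credential from the environment and let the account's roles be limited to what the role routes need. If the password grant has to stay, a comment above `if (clientSecret)` such as `// confidential clients reject the password grant without a client secret` would explain why the field is conditional. getKeycloakAdminClient starts and ends outside the hunk, so the validation and error handling around this call could not be checked.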