Keycloak Admin Rest API unknown_error for update user API
W

8

19

I am trying to add a custom attribute to a user using the Admin REST API. When I try with the default master realm, it's working fine. But when I try it with another realm that I created, it yields "unknown_error".

I have attached the screenshot of request below.

Wallaroo answered 23/2, 2020 at 7:16 Comment(3)
Please check what token you are passing - Overanxious
Please check Keycloak logs - Illuminati
I am having the same issue, running the Keycloak version 10.0.2 docker image. No logs. - Neediness
P
46

You haven't granted related permissions to your realm.

Go to 'Clients' -> select your client -> 'Service Account Roles':

  • In the client roles dropdown box, click realm-management
  • In Available Roles box, select related roles. Try manage-users and view-users.

Then get a new access token and try your API call again.

Palladic answered 15/2, 2021 at 9:24 Comment(5)
This is actually the right answer. First make sure you configure the admin-cli client of your realm with "Access type" = confidential and turn on "Service Accounts enabled" (appsdeveloperblog.com/keycloak-rest-api-create-a-new-user) - Continual
Oh man, maaany thanks, you saved me an hour! Is there any doc describing these builtin roles? - Mapping
In my Keycloak installed on-premise, in my "Admin-cli" client, "realm-management" does not appear in Client Roles :( - Dev
Me again, solved! In version 17.0.1, April 2022, the name is "master-realm" and not "realm-management" - Dev
In the client roles you should select the realm you want to give access to. In my case my realm is called "testrealm" so I would select "testrealm-realm" - Yggdrasil
Q
8

I found that I had to use the admin-cli client in the master realm to use the admin REST API. When you look at the master realm, there is an admin role that does not exist in sub-realms. That admin role seems to be necessary to access the admin REST API successfully.

My suggestion is that you can create a client in the master realm as a service account, then assign the admin role to that client. You can then use that unique admin service account for API access by other programs.

Quirites answered 25/9, 2020 at 4:57 Comment(0)
M
6

I'm using Keycloak 21

What I had to do was:

  • Go to Clients, access my client
  • Go to the Service Account Roles tab
  • then click on Assign Role
  • Filter by "clients" (default is by "realm roles")
  • then search by the desired role, in the correct realm (e.g. manage-users)
  • Select the role and click on Assign

Mcewen answered 10/5, 2023 at 9:34 Comment(1)
Thanks man, the clients filter was easy to miss on the UI (I also missed it when I first read your answer). Mind if I add a screenshot to your answer, to make it easier to understand? - Sweptback
N
5

Apparently the Admin API needs to be accessed via the admin-cli client.

I got a 403 {"error":"unknown_error"} when I wanted to use a copy of the default admin-cli client.

Neediness answered 23/6, 2020 at 17:20 Comment(2)
This works for me. Thanks! - Rubino
You can use the admin-cli client for Admin API, yes. But you aren't limited to this. Creating a particular confidential client with enabled flow "Service accounts roles" is also a way and it's even better. - Zoller
C
1

Try to pass the attribute body like this.

{
    "attributes": {
        "id": ["688"]
    }
}

Collier answered 27/11, 2020 at 17:31 Comment(1)
I had all the permissions and actually this helped me. Sending the value as an array was the solution in my case, even though it sounds a bit crazy. - Wartow
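
The role-assignment answers and the array-body answer above can be checked together before calling the API. This is an added example, not code from any poster or from Keycloak: it inspects a token's claims for manage-users and builds the attribute body with list values. The realm name myrealm, the host keycloak.example and the helper names are assumptions, and treating the master realm's admin role as sufficient follows the answer above.

```python
import base64
import json

REQUIRED = {"manage-users"}  # role the answers above suggest for updating users

def token_claims(jwt):
    """Decode a JWT payload WITHOUT verifying the signature (diagnostics only)."""
    payload = jwt.split(".")[1]
    payload += "=" * (-len(payload) % 4)  # restore stripped base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))

def missing_roles(claims, target_realm, required=REQUIRED):
    """Return the required admin roles this token lacks for target_realm."""
    issuer_realm = claims.get("iss", "").rstrip("/").rsplit("/", 1)[-1]
    if issuer_realm == "master":
        # Assumption taken from the answers: master's "admin" realm role suffices.
        if "admin" in claims.get("realm_access", {}).get("roles", []):
            return set()
        holder = f"{target_realm}-realm"   # e.g. "testrealm-realm"
    elif issuer_realm == target_realm:
        holder = "realm-management"
    else:
        return set(required)  # token from an unrelated realm: nothing applies
    granted = claims.get("resource_access", {}).get(holder, {}).get("roles", [])
    return set(required) - set(granted)

def attribute_body(attrs):
    """Build the update body; each attribute value is sent as a list of strings."""
    return {"attributes": {
        key: [str(v) for v in (val if isinstance(val, (list, tuple)) else [val])]
        for key, val in attrs.items()}}

def make_token(claims):
    """Constructed, unsigned sample token so the example runs offline."""
    def enc(obj):
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': 'none'})}.{enc(claims)}."

if __name__ == "__main__":
    iss = "https://keycloak.example/realms/myrealm"  # constructed issuer
    bare = make_token({"iss": iss, "resource_access": {}})
    print("missing:", missing_roles(token_claims(bare), "myrealm"))
    print(json.dumps(attribute_body({"id": 688})))
```

A non-empty result from missing_roles means the service account still needs the role assigned, and a new token must be requested after assigning it.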
S
1

To add to what Perry Harrington said, you can create a client outside your master realm and still add users to that realm. But you first need to edit the Scope of the Admin-cli in Master Realm, and then select your realm under Service Account Roles (dropdown). After selecting the realm (e.g. myrealm-realm), you should now add the roles you would want the REST API to do, like manage-users, query-users, etc.

Sigh answered 7/12, 2022 at 8:10 Comment(0)
P
1

I found that after a lot of research: you have to assign roles to cli-admin. If you are using Keycloak version 20.0, go to 'Clients' -> select your client, e.g. admin-cli -> 'Service Account Roles', and then add all the access you want, to assign roles to cli-admin.

Pisistratus answered 27/1, 2023 at 9:29 Comment(0)
D
0

You'll also get this error if you're using the wrong HTTP method.

In my case, I was accidentally using POST for the users endpoint, when instead I should have been using GET.

This would also indicate that you'll get this error if you have a malformed body when POSTing to endpoints like clients.

Not very helpful from Keycloak.

Decrepitude answered 18/1, 2023 at 22:38 Comment(0)