Muhammad Umair

Reputation: 312

Keycloak Admin Rest API unknown_error for update user API

I am trying to add a custom attribute to a user using Admin Rest API. When I try with the default master realm, it's working fine. But when I try it with another realm that I created, it yields "unknown_error".

I have attached the screenshot of request below.

Upvotes: 20

Views: 23602

Answers (8)

Guilherme

Reputation: 1835

I'm using Keycloak 21

What I had to do was:

  • Go to Clients, access my client
  • Go to the Service Account Roles tab
  • then click on Assign Role
  • Filter by "clients" (default is by "realm roles")
  • then search by the desired role, in the correct realm (e.g. manage-users)
  • Select the role and click on Assign

Upvotes: 7

Imran Khan

Reputation: 31

I found that after a lot of research: you have to assign roles to cli-admin. If you are using Keycloak version 20.0, go to 'Clients' -> select your client, e.g. admin-cli -> 'Service Account Roles', and then add all access you want to assign roles to cli-admin.

Upvotes: 1

Tyler Biscoe

Reputation: 2422

You'll also get this error if you're using the wrong HTTP method.

In my case, I was accidentally using POST for the users endpoint, when instead I should have been using GET.

This would also indicate that you'll get this error if you have a malformed body when POSTing to endpoints like clients.

Not very helpful from Keycloak.

Upvotes: 0

Chris Tarroja

Reputation: 11

To add to what Perry Harrington said, you can create a client outside your master realm and still add users to that realm. But you first need to edit the Scope of the Admin-cli in Master Realm, and then select your realm under Service Account Roles (dropdown). After selecting the realm (e.g. myrealm-realm), you should now add the roles you would want the REST API to do, like manage-users, query-users, etc.

Upvotes: 1

Stephen

Reputation: 3982

You haven't granted related permissions to your realm.

Go to 'Clients' -> select your client -> 'Service Account Roles':

  • In the client roles dropdown box, click realm-management
  • In Available Roles box, select related roles. Try manage-users and view-users.

Then get a new access token and try your API call again.


Upvotes: 47
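
A way to confirm that the role assignment described in the answers on this page actually reached the access token, written as an added example that is not part of any poster's answer. It assumes Keycloak's default token layout (client roles under `resource_access`, the `realm-management` client inside a realm, the `<realm>-realm` client in master); the issuer URL and sample token are constructed.

```python
import base64
import json


def jwt_claims(token):
    """Decode a JWT payload WITHOUT verifying the signature (diagnosis only)."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("expected a compact JWT with three segments")
    payload = parts[1] + "=" * (-len(parts[1]) % 4)  # restore stripped padding
    return json.loads(base64.urlsafe_b64decode(payload))


def admin_roles_for(claims, target_realm):
    """Client roles in the token that apply to administering target_realm."""
    issuer_realm = claims.get("iss", "").rstrip("/").rsplit("/", 1)[-1]
    if issuer_realm == "master":
        client = target_realm + "-realm"   # e.g. myrealm-realm
    elif issuer_realm == target_realm:
        client = "realm-management"
    else:
        return set()  # token issued by an unrelated realm
    roles = claims.get("resource_access", {}).get(client, {}).get("roles", [])
    return set(roles)


def missing_roles(token, target_realm, needed):
    """Roles from `needed` that the token does not carry for target_realm."""
    return set(needed) - admin_roles_for(jwt_claims(token), target_realm)


def make_sample_token(claims):
    """Build an unsigned, constructed token for offline testing."""
    def seg(obj):
        raw = json.dumps(obj).encode()
        return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
    return ".".join([seg({"alg": "none"}), seg(claims), "sig"])


if __name__ == "__main__":
    # Constructed sample: service account in "myrealm" that only has view-users.
    sample = make_sample_token({
        "iss": "https://sso.example.test/realms/myrealm",
        "resource_access": {"realm-management": {"roles": ["view-users"]}},
    })
    print(missing_roles(sample, "myrealm", ["manage-users", "view-users"]))
```

An empty result means the token carries every role you listed for that realm; a token fetched before the roles were assigned will still show them as missing, which is why a fresh token is needed. Granting only the roles the integration needs keeps the service account at least privilege.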

cric

Reputation: 87

Try to pass the attribute body like this.

{
    "attributes": {
        "id": ["688"]
    }
}

Upvotes: 1

Perry Harrington

Reputation: 81

I found that I had to use the admin-cli client in the master realm to use the admin REST API. When you look at the master realm, there is an admin role that does not exist in sub-realms. That admin role seems to be necessary to access the admin REST API successfully.

My suggestion is that you can create a client in the master realm as a service account, then assign the admin role to that client. You can then use that unique admin service account for API access by other programs.

Upvotes: 8

martn_st

Reputation: 2636

Apparently the Admin API needs to be accessed via the admin-cli client.

I got a 403 {"error":"unknown_error"} when I wanted to use a copy of the default admin-cli client.

Upvotes: 5
