
I am trying to add a custom attribute to a user using the Admin REST API. When I try with the default master realm, it's working fine. But when I try it with another realm that I created, it yields "unknown_error".

I have attached the screenshot of the request below.

Muhammad Umair

8 Answers


You haven't granted related permissions to your realm.

Go to 'Clients' -> select your client -> 'Service Account Roles':

  • In the client roles dropdown box, click realm-management
  • In Available Roles box, select related roles. Try manage-users and view-users.

Then get a new access token and try your API call again.


mazend
Stephen
  • This is actually the right answer. First make sure you configure the admin-cli client of your realm with "Access type" = confidential and turn on "Service Accounts enabled" (https://www.appsdeveloperblog.com/keycloak-rest-api-create-a-new-user/) – pakman Feb 15 '21 at 18:10
  • Oh man, maaany thanks, you saved me an hour! Is there any doc describing these builtin roles? – OSP Nov 10 '21 at 11:27
  • In my Keycloak installed on-premise, in my "Admin-cli" client, "real-management" does not appear in Client Roles :( – Hernaldo Gonzalez Apr 27 '22 at 14:02
  • Me again, solved! In version 17.0.1, April 2022, the name is "master-realm" and not "real-management" – Hernaldo Gonzalez Apr 27 '22 at 20:47
  • In the client roles you should select the realm you want to give access to. In my case my realm is called "testrealm", so I would select "testrealm-realm" – lemario Aug 17 '23 at 12:13

I found that I had to use the admin-cli client in the master realm to use the admin REST API. When you look at the master realm, there is an admin role that does not exist in sub-realms. That admin role seems to be necessary to access the admin REST API successfully.

My suggestion is that you can create a client in the master realm as a service account, then assign the admin role to that client. You can then use that unique admin service account for API access by other programs.


Apparently the Admin API needs to be accessed via the admin-cli client.

I got a 403 {"error":"unknown_error"} when I wanted to use a copy of the default admin-cli client.

martn_st

I'm using Keycloak 21.

What I had to do was:

  • Go to Clients, access my client
  • Go to the Service Account Roles tab
  • then click on Assign Role
  • Filter by "clients" (default is by "realm roles")
  • then search by the desired role, in the correct realm (e.g. manage-users)
  • Select the role and click on Assign
Guilherme
  • Thanks man, the clients filter was easy to miss on the UI (I also missed it when I first read your answer). Mind if I add a screenshot to your answer, to make it easier to understand? – Alex Mantaut May 25 '23 at 13:09

Try to pass the attribute body like this.

{
    "attributes": {
        "id": ["688"]
    }
}
cric
  • I had all the permissions and actually this helped me. Sending the value as array was solution in my case. Even that it sounds a bit crazy – martin.malek Aug 10 '22 at 10:16
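As an added example that is not from any of the answers above: a small Python helper that decodes a freshly obtained access token and reports which admin roles it still lacks (the fix mazend describes), and that shapes the attribute body as string arrays the way cric's answer shows. The token strings are constructed samples; `realm-management` is the client that holds the admin roles for a client inside the target realm, while a client in the master realm sees them under `<realm>-realm`, as the comments note.

```python
import base64
import json

# Admin roles the accepted answer tells you to grant to the service account.
REQUIRED_ROLES = frozenset({"manage-users", "view-users"})


def decode_jwt_payload(token: str) -> dict:
    """Return the JWT payload for inspection only; the signature is NOT verified."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWT")
    payload = parts[1] + "=" * (-len(parts[1]) % 4)  # restore base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))


def missing_admin_roles(token: str, roles_client: str = "realm-management",
                        required=REQUIRED_ROLES) -> set:
    """Roles from `required` absent from resource_access[roles_client].
    Use 'realm-management' for a client inside the target realm and
    '<realm>-realm' (e.g. 'testrealm-realm') for a client in the master realm."""
    resource_access = decode_jwt_payload(token).get("resource_access", {})
    granted = set(resource_access.get(roles_client, {}).get("roles", []))
    return set(required) - granted


def as_keycloak_attributes(attrs: dict) -> dict:
    """Build the PUT body; Keycloak stores each attribute value as a list of strings."""
    normalized = {}
    for key, value in attrs.items():
        values = value if isinstance(value, (list, tuple)) else [value]
        normalized[key] = [str(v) for v in values]
    return {"attributes": normalized}


def _sample_jwt(claims: dict) -> str:
    """Constructed, unsigned sample token for offline demonstration only."""
    def b64(obj):
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return f"{b64({'alg': 'none', 'typ': 'JWT'})}.{b64(claims)}.sig"


# Constructed samples: a service-account token before and after the roles were assigned.
TOKEN_BEFORE = _sample_jwt({"resource_access": {"account": {"roles": ["view-profile"]}}})
TOKEN_AFTER = _sample_jwt(
    {"resource_access": {"realm-management": {"roles": ["manage-users", "view-users"]}}})

if __name__ == "__main__":
    print("still missing:", sorted(missing_admin_roles(TOKEN_BEFORE)))
    print("still missing:", sorted(missing_admin_roles(TOKEN_AFTER)))
    print(json.dumps(as_keycloak_attributes({"id": 688})))
```

Paste a real token from your client into `missing_admin_roles` after re-assigning roles; an empty result confirms the new token actually carries them before you retry the API call.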

To add to what Perry Harrington said, you can create a client outside your master realm and still add users to that realm. But you first need to edit the Scope of the Admin-cli in Master Realm, and then select your realm under Service Account Roles (dropdown). After selecting the realm (e.g. myrealm-realm), you should now add the roles you would want the REST API to do, like manage-users, query-users, etc.


I found after a lot of research that you have to assign roles to admin-cli. If you are using Keycloak version 20.0: go to 'Clients' -> select your client, e.g. admin-cli -> 'Service Account Roles', and then add all the access you want to assign to admin-cli.

Imran Khan

You'll also get this error if you're using the wrong HTTP method.

In my case, I was accidentally using POST for the users endpoint, when instead I should have been using GET.

This would also indicate that you'll get this error if you have a malformed body when POSTing to endpoints like clients.

Not very helpful from Keycloak.

Tyler Biscoe