I want, for example, to create a new client with the admin user using the admin-cli client.

The token generation works fine:

```
POST /auth/realms/master/protocol/openid-connect/token
b'username=admin&password=admin&grant_type=password&client_id=admin-cli'
```

Using that token I can also do some queries, like when I need to get the id of a client:

```
GET /auth/admin/realms/master/clients?clientId=my-test-cli
H' Authorization: Bearer xyz
H' Content-Type: application/json
```

However, when I want to create a new client-role or a new client I always get a 400 error. I changed the log level to DEBUG in the Keycloak server but there is nothing useful there other than logs that say the token was successfully created.

```
POST /auth/admin/realms/master/clients/7534ac42-fe8b-4cde-b6c6-c385f4958e3b/roles
400 {"error":"unknown_error"}
```

I am using Python v3.x and Keycloak v14.0.0 running with JBoss Wildfly container.

Looking at the admin user, it seems it has all the roles like admin, default-roles-master, create-realm and I don't see any role in the listings to assign because it seems it has it all. The same for the admin-cli client. The configuration of these two (admin user and admin-cli) is the default configuration that you get when you start the server for the first time. Do I need anything extra like creating a new role or something in order to get this working?

My payload to create a confidential client:

```python
# Python dict; requests serializes True/False to JSON true/false with json=payload
payload = {
    "name": "Some Name",
    "clientId": "some-name",
    "secret": "some-name-secret",
    "enabled": True,
    "publicClient": False,
    "authorizationServicesEnabled": True,
    "redirectUris": ["/*"]
}
```
xbmono
  • what is the client payload, which you are posting and what are errors/exceptions in keycloak logs? Very likely your payload is not correct. – Jan Garaj Jul 29 '21 at 05:52
  • @JanGaraj Thank you so much! Your comment made me suspicious about the request body and then I realised I was sending the body as a text with invalid format using `data=body` in python and instead I should have used `json=body`. It works now! Thanks again – xbmono Jul 29 '21 at 08:50
  • @JanGaraj strangely it works with public client but not with confidential clients. I have included the payload... do you know what's wrong? – xbmono Jul 29 '21 at 10:23
  • So you have wrong payload. The easiest way to get correct one is through Admin UI console and do it there. Sniff API requests with browser network console and mimic those sniffed API request payload. – Jan Garaj Jul 29 '21 at 13:51
  • @JanGaraj Thanks... the documentation is really bad... the URL isn't correct, took me a while to find out and all the fields are also optional I had to add fields one by one to get it working – xbmono Jul 30 '21 at 00:03

1 Answer

I want to answer my question so that everyone in a similar situation won't face the same issue.

It turned out that the payload that I was sending was not correct, thanks to @JanGaraj who pointed that out. But what I want to answer here is how to find out what the request body should look like.

First, do not look at the documentation. In the documentation all the fields are optional and URLs are not correct either.

The simplest way is to start Keycloak server locally and log into the admin console in Firefox or Chrome, then press F12 to open Development Mode. Then you can see all the requests/responses in there.

For example, if you want to see how to update a role, go to Roles menu item on the main menu and select a role and update it. You can see PUT request with its body. That tells you what you need to pass in and to what URL.

As a hint, you don't need to pass everything when updating, normally only IDs and the fields that you want to update are enough.

Dharman
xbmono
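The thread's two request shapes side by side, as an added example that is not code from the question or the answer: the token endpoint takes a form-encoded body, while the admin endpoints take a JSON document, which is what `json=body` produces and `data=body` does not. It only builds the requests with the standard library and sends nothing; the base URL, the `xyz` token and the client values are constructed assumptions.

```python
import json
import urllib.parse
import urllib.request

BASE = "http://localhost:8080/auth"  # assumption: local Keycloak 14 under /auth

# Constructed client representation using field names from the question.
CLIENT = {"name": "Some Name", "clientId": "some-name",
          "secret": "<client-secret>", "enabled": True, "publicClient": False,
          "redirectUris": ["https://app.example.test/callback"]}


def is_json(body: bytes) -> bool:
    """True if the bytes parse as JSON, which is what the admin API expects."""
    try:
        json.loads(body)
        return True
    except ValueError:
        return False


def token_request(username, password, realm="master"):
    """Token endpoint: the body is form-encoded, as in the question."""
    form = {"username": username, "password": password,
            "grant_type": "password", "client_id": "admin-cli"}
    return urllib.request.Request(
        f"{BASE}/realms/{realm}/protocol/openid-connect/token",
        data=urllib.parse.urlencode(form).encode(),
        headers={"Content-Type": "application/x-www-form-urlencoded"},
        method="POST")


def admin_post(path, token, representation, realm="master"):
    """Admin endpoint: the body is a JSON document with a JSON content type."""
    return urllib.request.Request(
        f"{BASE}/admin/realms/{realm}/{path}",
        data=json.dumps(representation).encode(),
        headers={"Authorization": f"Bearer {token}",
                 "Content-Type": "application/json"},
        method="POST")


if __name__ == "__main__":
    req = admin_post("clients", "xyz", CLIENT)  # "xyz" stands in for a real token
    print(req.get_method(), req.full_url, req.data.decode())
    # A Python repr or a form-encoded body is text, but it is not JSON:
    print(is_json(req.data), is_json(str(CLIENT).encode()),
          is_json(urllib.parse.urlencode(CLIENT).encode()))
```

Passing either request object to `urllib.request.urlopen` sends it; checking `is_json` on the body first catches the malformed-body case before the server answers with a 400.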