Create or list users did not work well. Responds "error": "unknown_error"

lucassimon · May 24, 2021, 11:20pm

I try the follow requests:

Get the access_token from admin-cli in master realm

export TKN=$(curl --location --request POST 'http://localhost:8080/auth/realms/master/protocol/openid-connect/token' \
--header 'Content-Type: application/x-www-form-urlencoded' \
--data-urlencode 'grant_type=client_credentials' \
--data-urlencode 'client_id=admin-cli' \
--data-urlencode 'client_secret=f1d6c130-b716-4b2d-9a0a-4345320a12f3'| jq -r '.access_token')

Then the token generated corretly:

% Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100  1203  100  1103  100   100  52523   4761 --:--:-- --:--:-- --:--:-- 60150
eyJhbGciOiJSUzI1NiIsInR5cCIgOiAiSl......

Now, when I try to fetch users count or create users I received an unkown error

curl -X GET "http://localhost:8080/auth/admin/realms/mylab/users/count" \
-H "Accept: application/json" \
-H "Authorization: Bearer $TKN" | jq .

  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100    25  100    25    0     0   6250      0 --:--:-- --:--:-- --:--:--  6250
{
  "error": "unknown_error"
}

I don’t know but i try many scripts to create an user and it did not work. The role manage-users or query-usersare in admin-cli.

My brain exploded. Other infos

docker run \                                                                           
    --name keycloak \                                  
    -d \              
    --net intranet \
    -p 8080:8080 \         
    -e KEYCLOAK_USER=admin \
    -e KEYCLOAK_PASSWORD=admin \                             
    -e DB_VENDOR=mysql \    
    -e DB_DATABASE=keycloak \
    -e DB_PORT=3306 \
    -e DB_USER=keycloak \
    -e DB_PASSWORD=keycloak \
    quay.io/keycloak/keycloak:13.0.0

Any ideas guys?

Thank you

xgp · May 25, 2021, 7:02am

It’s likely that the service account for that client doesn’t have the appropriate roles to perform the query on the mylab realm. Go into the admin-cli client in master realm and click on Service Account Roles. Under Client Roles → mylab-realm, make sure you have manage-users, query-users and view-users assigned.

Let us know how it goes if you make those changes.

gmesml · May 25, 2021, 10:01am

Since it is unknown which version of keycloak you’re trying to perform the api request, it might be something wrong with the payload you’re sending to the keycloak api (at least that’s the error I get when am sending a wrong payload).

At version 12 exactly on that endpoint keycloak returns just an integer number where you attempting to get a json response depending on your use might fail to parse a JSON.

Otherwise if there was a different approach to this on previous keycloak versions you can search your version and maybe a public postman or other example resources. I do often compare my payloads to KeycloakRestAPI depending if keycloak 12 still persist on same payload references.

Regards

lucassimon · May 25, 2021, 2:12pm

Hello, thank you guys.

@gmesml was configs that I missed. @xgp, the tip was awesome.

First, I needed to configure the admin-cli correctly:

Maybe put all realm-management role can be insecure. I will put these options manage-users, query-users and view-users as @xgp said. then we have:

$ curl --location --request POST 'http://localhost:8080/auth/realms/mylab/protocol/openid-connect/token' \
--header 'Content-Type: application/x-www-form-urlencoded' \
--data-urlencode 'grant_type=client_credentials' \
--data-urlencode 'client_id=admin-cli' \
--data-urlencode 'client_secret=39cfb8cb-9f19-4b07-a3c0-86c9eafb148b'| jq
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100  2000  100  1900  100   100   309k  16666 --:--:-- --:--:-- --:--:--  325k
{
  "access_token": "eyJhbGciOiJSUzI1NiIsInR5cCIgO.....etc",
  "expires_in": 432000,
  "refresh_expires_in": 0,
  "token_type": "Bearer",
  "not-before-policy": 1621877679,
  "scope": "email profile"
}

$ curl -X GET "http://localhost:8080/auth/admin/realms/mylab/users/count" \
-H "Accept: application/json" \
-H "Authorization: Bearer eyJhbGciOiJSUzI1NiIsInR5cCIg .... etc....." | jq .
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100     1  100     1    0     0    333      0 --:--:-- --:--:-- --:--:--   333
2

Beatiful!!! Works good. Maybe that screenshots and the tip it will can be on the docs of admin-rest. It will be useful for us noobs =)

lucassimon · May 25, 2021, 2:28pm

Save it. Is perfect =)

rcbandit · May 20, 2023, 12:08am

Do you know for Keycloak 21 how to set permissions?