Adding user with realm with LDAP causes a 400 error
Current Behavior
Currently, using keycloak-config-cli latest-24 and Keycloak 24.0.4, I am finding that a user I am adding manually causes a 400-level error within keycloak-config-cli.
The following is the realm/client/user configuration (I abbreviated some of the other settings). There is also an LDAP config, but the user should still be added with that configuration in place.

```json
{
  "id": "test",
  "realm": "test",
  "displayName": "keycloak",
  "displayNameHtml": "<div class=\"kc-logo-text\">Keycloak",
  "enabled": true,
  "sslRequired": "all",
  "userManagedAccessAllowed": false,
  "registrationAllowed": false,
  "rememberMe": false,
  "resetPasswordAllowed": false,
  "loginTheme": "custom-theme",
  "eventsEnabled": true,
  "adminEventsEnabled": true,
  "ssoSessionIdleTimeout": 1800,
  "ssoSessionMaxLifespan": 36000,
  "clientSessionIdleTimeout": 1800,
  "clientSessionMaxLifespan": 36000,
  "offlineSessionIdleTimeout": 2.592e+06,
  "offlineSessionMaxLifespanEnabled": true,
  "offlineSessionMaxLifespan": 5.184e+06,
  "accessCodeLifespanUserAction": 300,
  "accessCodeLifespanLogin": 1800,
  "defaultSignatureAlgorithm": "RS256",
  "revokeRefreshToken": false,
  "registrationEmailAsUsername": false,
  "editUsernameAllowed": true,
  "clients": [
    {
      "clientId": "keycloak-client",
      "name": "keycloak-client",
      "surrogateAuthRequired": false,
      "enabled": true,
      "alwaysDisplayInConsole": false,
      "clientAuthenticatorType": "client-secret",
      "notBefore": 0,
      "bearerOnly": false,
      "consentRequired": false,
      "standardFlowEnabled": false,
      "implicitFlowEnabled": false,
      "directAccessGrantsEnabled": true,
      "serviceAccountsEnabled": false,
      "publicClient": true,
      "frontchannelLogout": false,
      "protocol": "openid-connect",
      "fullScopeAllowed": true,
      "nodeReRegistrationTimeout": 0,
      "defaultClientScopes": ["web-origins", "acr", "roles", "profile", "email"],
      "optionalClientScopes": ["address", "phone", "offline_access", "microprofile-jwt"],
      "access": { "view": true, "configure": true, "manage": true }
    }
  ],
  "users": [
    {
      "username": "admin",
      "firstName": "Utility",
      "lastName": "Admin",
      "email": "[email protected]",
      "enabled": true,
      "credentials": [{ "type": "password", "value": "admin" }],
      "clientRoles": { "realm-management": ["realm-admin"] }
    }
  ]
}
```
Expected Behavior
When I utilize the above realm configurations with the correct versions, the realm, clients and users should be imported successfully.
Steps To Reproduce
1. Set up keycloak version 24.0.4
2. Run the keycloak-config-cli Docker image latest-24 with the config passed in
3. keycloak-config-cli will fail with a bad request
Environment
- Keycloak Version: [24.0.4]
- keycloak-config-cli Version: [e.g. 5.11.1]
- Java Version: [e.g. 21]
Anything else?
I did notice the following in the logs:

```
2025-03-18T19:53:06.412Z DEBUG 1 --- [ main] org.apache.http.headers : http-outgoing-0 >> GET /admin/realms/test/users?username=admin&exact=true HTTP/1.1
2025-03-18T19:53:06.412Z DEBUG 1 --- [ main] org.apache.http.headers : http-outgoing-0 >> Accept: application/json
2025-03-18T19:53:06.412Z DEBUG 1 --- [ main] org.apache.http.headers : http-outgoing-0 >> Authorization: Bearer eyJhbGciOiJSUzI1NiIsInR5cCIgOiAiSldUIiwia2lkIiA6ICJhSUY2MmpQdkMzVDJ5WWJFMFFuLXVkYWx3SzdmTVdQWGJRaVU4MXRPNTNVIn0.eyJleHAiOjE3NDIzMjc2NDEsImlhdCI6MTc0MjMyNzU4MSwianRpIjoiOWYzYWZhNmEtNjBmZS00MTFmLTg4ODktM2MzNDkyZjgxYjJlIiwiaXNzIjoiaHR0cDovL2tleWNsb2FrLmFwcHMuczk5OTkuazhzLnJldGFpbC5hZC5wdWJsaXguY29tL3JlYWxtcy9tYXN0ZXIiLCJzdWIiOiJlMzk2YWZiZC03Y2JkLTQ4MWEtYTJiMy1mMWJhNGI3YjUyZWUiLCJ0eXAiOiJCZWFyZXIiLCJhenAiOiJhZG1pbi1jbGkiLCJzZXNzaW9uX3N0YXRlIjoiYjRkOWRkM2QtOGJjZi00MWQzLTg1NzUtYjhiNDU3MmM1YjU5IiwiYWNyIjoiMSIsInNjb3BlIjoiZW1haWwgcHJvZmlsZSIsInNpZCI6ImI0ZDlkZDNkLThiY2YtNDFkMy04NTc1LWI4YjQ1NzJjNWI1OSIsImVtYWlsX3ZlcmlmaWVkIjpmYWxzZSwicHJlZmVycmVkX3VzZXJuYW1lIjoiYWRtaW4ifQ.k7xV2lAnBrFZqcttuinMUCWd_Xz7qSGssmHYHy3XuaNq7D2WAQLBxy9mltzXtIRkfMcfkM4Hn5e2E6Ry0Va_dqS5UDFznLL6fkW9HNvV6CapJnQDti-RNJUu1HsY5gSyvV_Tr5NHtNECigkKAi6yEOgz9osYJ6PHny62jcZ5bQ9p-ba3tPFjP38q_RQUpuglF1qCrhgqmAx-1n1T9JqOQm-CEiEvSLY8lTaSuIsRZ8_IJbD-uXWlQiR9MPYlY-LAxpYs0Q_b7JzZtowGJocp_SDtGegnEe43tvIFHFMIClHlFZSIDMPcQSQLMM_2Y2RXS7OjdQOMu492A_4ZGolYjA
2025-03-18T19:53:06.412Z DEBUG 1 --- [ main] org.apache.http.headers : http-outgoing-0 >> Host: keycloak-svc:8080
2025-03-18T19:53:06.412Z DEBUG 1 --- [ main] org.apache.http.headers : http-outgoing-0 >> Connection: Keep-Alive
2025-03-18T19:53:06.412Z DEBUG 1 --- [ main] org.apache.http.headers : http-outgoing-0 >> User-Agent: Apache-HttpClient/4.5.14 (Java/21.0.6)
2025-03-18T19:53:06.412Z DEBUG 1 --- [ main] org.apache.http.wire : http-outgoing-0 >> "GET /admin/realms/test/users?username=admin&exact=true HTTP/1.1[\r][\n]"
2025-03-18T19:53:06.412Z DEBUG 1 --- [ main] org.apache.http.wire : http-outgoing-0 >> "Accept: application/json[\r][\n]"
2025-03-18T19:53:06.412Z DEBUG 1 --- [ main] org.apache.http.wire : http-outgoing-0 >> "Authorization: Bearer eyJhbGciOiJSUzI1NiIsInR5cCIgOiAiSldUIiwia2lkIiA6ICJhSUY2MmpQdkMzVDJ5WWJFMFFuLXVkYWx3SzdmTVdQWGJRaVU4MXRPNTNVIn0.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.k7xV2lAnBrFZqcttuinMUCWd_Xz7qSGssmHYHy3XuaNq7D2WAQLBxy9mltzXtIRkfMcfkM4Hn5e2E6Ry0Va_dqS5UDFznLL6fkW9HNvV6CapJnQDti-RNJUu1HsY5gSyvV_Tr5NHtNECigkKAi6yEOgz9osYJ6PHny62jcZ5bQ9p-ba3tPFjP38q_RQUpuglF1qCrhgqmAx-1n1T9JqOQm-CEiEvSLY8lTaSuIsRZ8_IJbD-uXWlQiR9MPYlY-LAxpYs0Q_b7JzZtowGJocp_SDtGegnEe43tvIFHFMIClHlFZSIDMPcQSQLMM_2Y2RXS7OjdQOMu492A_4ZGolYjA[\r][\n]"
2025-03-18T19:53:06.412Z DEBUG 1 --- [ main] org.apache.http.wire : http-outgoing-0 >> "Host: keycloak-svc:8080[\r][\n]"
2025-03-18T19:53:06.412Z DEBUG 1 --- [ main] org.apache.http.wire : http-outgoing-0 >> "Connection: Keep-Alive[\r][\n]"
2025-03-18T19:53:06.412Z DEBUG 1 --- [ main] org.apache.http.wire : http-outgoing-0 >> "User-Agent: Apache-HttpClient/4.5.14 (Java/21.0.6)[\r][\n]"
2025-03-18T19:53:06.412Z DEBUG 1 --- [ main] org.apache.http.wire : http-outgoing-0 >> "[\r][\n]"
2025-03-18T19:53:07.646Z DEBUG 1 --- [ main] org.apache.http.wire : http-outgoing-0 << "HTTP/1.1 200 OK[\r][\n]"
2025-03-18T19:53:07.646Z DEBUG 1 --- [ main] org.apache.http.wire : http-outgoing-0 << "content-length: 2[\r][\n]"
2025-03-18T19:53:07.646Z DEBUG 1 --- [ main] org.apache.http.wire : http-outgoing-0 << "Cache-Control: no-cache[\r][\n]"
2025-03-18T19:53:07.646Z DEBUG 1 --- [ main] org.apache.http.wire : http-outgoing-0 << "Content-Type: application/json;charset=UTF-8[\r][\n]"
2025-03-18T19:53:07.646Z DEBUG 1 --- [ main] org.apache.http.wire : http-outgoing-0 << "Referrer-Policy: no-referrer[\r][\n]"
2025-03-18T19:53:07.646Z DEBUG 1 --- [ main] org.apache.http.wire : http-outgoing-0 << "Strict-Transport-Security: max-age=31536000; includeSubDomains[\r][\n]"
2025-03-18T19:53:07.646Z DEBUG 1 --- [ main] org.apache.http.wire : http-outgoing-0 << "X-Content-Type-Options: nosniff[\r][\n]"
2025-03-18T19:53:07.646Z DEBUG 1 --- [ main] org.apache.http.wire : http-outgoing-0 << "X-Frame-Options: SAMEORIGIN[\r][\n]"
2025-03-18T19:53:07.646Z DEBUG 1 --- [ main] org.apache.http.wire : http-outgoing-0 << "X-XSS-Protection: 1; mode=block[\r][\n]"
2025-03-18T19:53:07.646Z DEBUG 1 --- [ main] org.apache.http.wire : http-outgoing-0 << "[\r][\n]"
2025-03-18T19:53:07.646Z DEBUG 1 --- [ main] org.apache.http.wire : http-outgoing-0 << "[]"
2025-03-18T19:53:07.646Z DEBUG 1 --- [ main] org.apache.http.headers : http-outgoing-0 << HTTP/1.1 200 OK
2025-03-18T19:53:07.646Z DEBUG 1 --- [ main] org.apache.http.headers : http-outgoing-0 << content-length: 2
2025-03-18T19:53:07.646Z DEBUG 1 --- [ main] org.apache.http.headers : http-outgoing-0 << Cache-Control: no-cache
2025-03-18T19:53:07.646Z DEBUG 1 --- [ main] org.apache.http.headers : http-outgoing-0 << Content-Type: application/json;charset=UTF-8
2025-03-18T19:53:07.646Z DEBUG 1 --- [ main] org.apache.http.headers : http-outgoing-0 << Referrer-Policy: no-referrer
2025-03-18T19:53:07.646Z DEBUG 1 --- [ main] org.apache.http.headers : http-outgoing-0 << Strict-Transport-Security: max-age=31536000; includeSubDomains
2025-03-18T19:53:07.646Z DEBUG 1 --- [ main] org.apache.http.headers : http-outgoing-0 << X-Content-Type-Options: nosniff
2025-03-18T19:53:07.646Z DEBUG 1 --- [ main] org.apache.http.headers : http-outgoing-0 << X-Frame-Options: SAMEORIGIN
2025-03-18T19:53:07.646Z DEBUG 1 --- [ main] org.apache.http.headers : http-outgoing-0 << X-XSS-Protection: 1; mode=block
2025-03-18T19:53:07.646Z DEBUG 1 --- [ main] o.a.http.impl.execchain.MainClientExec : Connection can be kept alive indefinitely
2025-03-18T19:53:07.647Z DEBUG 1 --- [ main] org.jboss.resteasy.resteasy_jaxrs.i18n : Interceptor Context: org.jboss.resteasy.core.interception.jaxrs.ClientReaderInterceptorContext, Method : proceed
2025-03-18T19:53:07.647Z DEBUG 1 --- [ main] org.jboss.resteasy.resteasy_jaxrs.i18n : MessageBodyReader: org.jboss.resteasy.core.providerfactory.SortedKey
2025-03-18T19:53:07.647Z DEBUG 1 --- [ main] org.jboss.resteasy.resteasy_jaxrs.i18n : MessageBodyReader: de.adorsys.keycloak.config.provider.KeycloakProvider$JacksonProvider
2025-03-18T19:53:07.647Z DEBUG 1 --- [ main] org.jboss.resteasy.resteasy_jaxrs.i18n : Provider : de.adorsys.keycloak.config.provider.KeycloakProvider$JacksonProvider, Method : readFrom
2025-03-18T19:53:07.647Z DEBUG 1 --- [ main] h.i.c.PoolingHttpClientConnectionManager : Connection [id: 0][route: {}->http://keycloak-svc:8080] can be kept alive indefinitely
2025-03-18T19:53:07.647Z DEBUG 1 --- [ main] h.i.c.DefaultManagedHttpClientConnection : http-outgoing-0: set socket timeout to 0
2025-03-18T19:53:07.647Z DEBUG 1 --- [ main] h.i.c.PoolingHttpClientConnectionManager : Connection released: [id: 0][route: {}->http://keycloak-svc:8080][total available: 1; route allocated: 1 of 10; total allocated: 1 of 10]
2025-03-18T19:53:07.653Z DEBUG 1 --- [ main] o.a.h.client.protocol.RequestAuthCache : Auth cache not set in the context
2025-03-18T19:53:07.653Z DEBUG 1 --- [ main] h.i.c.PoolingHttpClientConnectionManager : Connection request: [route: {}->http://keycloak-svc:8080][total available: 1; route allocated: 1 of 10; total allocated: 1 of 10]
2025-03-18T19:53:07.653Z DEBUG 1 --- [ main] h.i.c.PoolingHttpClientConnectionManager : Connection leased: [id: 0][route: {}->http://keycloak-svc:8080][total available: 0; route allocated: 1 of 10; total allocated: 1 of 10]
2025-03-18T19:53:07.654Z DEBUG 1 --- [ main] h.i.c.DefaultManagedHttpClientConnection : http-outgoing-0: set socket timeout to 0
2025-03-18T19:53:07.654Z DEBUG 1 --- [ main] h.i.c.DefaultManagedHttpClientConnection : http-outgoing-0: set socket timeout to 0
2025-03-18T19:53:07.654Z DEBUG 1 --- [ main] o.a.http.impl.execchain.MainClientExec : Executing request GET /admin/realms/test/users?username=&firstName=Utility&lastName=Admin&email=UtilityAdmin%40test.com&first=0&max=100 HTTP/1.1
2025-03-18T19:53:07.654Z DEBUG 1 --- [ main] o.a.http.impl.execchain.MainClientExec : Proxy auth state: UNCHALLENGED
2025-03-18T19:53:07.654Z DEBUG 1 --- [ main] org.apache.http.headers : http-outgoing-0 >> GET /admin/realms/test/users?username=&firstName=Utility&lastName=Admin&email=UtilityAdmin%40test.com&first=0&max=100 HTTP/1.1
2025-03-18T19:53:07.654Z DEBUG 1 --- [ main] org.apache.http.headers : http-outgoing-0 >> Accept: application/json
2025-03-18T19:53:07.654Z DEBUG 1 --- [ main] org.apache.http.headers : http-outgoing-0 >> Authorization: Bearer eyJhbGciOiJSUzI1NiIsInR5cCIgOiAiSldUIiwia2lkIiA6ICJhSUY2MmpQdkMzVDJ5WWJFMFFuLXVkYWx3SzdmTVdQWGJRaVU4MXRPNTNVIn0.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.k7xV2lAnBrFZqcttuinMUCWd_Xz7qSGssmHYHy3XuaNq7D2WAQLBxy9mltzXtIRkfMcfkM4Hn5e2E6Ry0Va_dqS5UDFznLL6fkW9HNvV6CapJnQDti-RNJUu1HsY5gSyvV_Tr5NHtNECigkKAi6yEOgz9osYJ6PHny62jcZ5bQ9p-ba3tPFjP38q_RQUpuglF1qCrhgqmAx-1n1T9JqOQm-CEiEvSLY8lTaSuIsRZ8_IJbD-uXWlQiR9MPYlY-LAxpYs0Q_b7JzZtowGJocp_SDtGegnEe43tvIFHFMIClHlFZSIDMPcQSQLMM_2Y2RXS7OjdQOMu492A_4ZGolYjA
2025-03-18T19:53:07.654Z DEBUG 1 --- [ main] org.apache.http.headers : http-outgoing-0 >> Host: keycloak-svc:8080
2025-03-18T19:53:07.654Z DEBUG 1 --- [ main] org.apache.http.headers : http-outgoing-0 >> Connection: Keep-Alive
2025-03-18T19:53:07.654Z DEBUG 1 --- [ main] org.apache.http.headers : http-outgoing-0 >> User-Agent: Apache-HttpClient/4.5.14 (Java/21.0.6)
2025-03-18T19:53:07.654Z DEBUG 1 --- [ main] org.apache.http.wire : http-outgoing-0 >> "GET /admin/realms/test/users?username=&firstName=Utility&lastName=Admin&email=UtilityAdmin%test.com&first=0&max=100 HTTP/1.1[\r][\n]"
2025-03-18T19:53:07.654Z DEBUG 1 --- [ main] org.apache.http.wire : http-outgoing-0 >> "Accept: application/json[\r][\n]"
2025-03-18T19:53:07.654Z DEBUG 1 --- [ main] org.apache.http.wire : http-outgoing-0 >> "Authorization: Bearer eyJhbGciOiJSUzI1NiIsInR5cCIgOiAiSldUIiwia2lkIiA6ICJhSUY2MmpQdkMzVDJ5WWJFMFFuLXVkYWx3SzdmTVdQWGJRaVU4MXRPNTNVIn0.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.k7xV2lAnBrFZqcttuinMUCWd_Xz7qSGssmHYHy3XuaNq7D2WAQLBxy9mltzXtIRkfMcfkM4Hn5e2E6Ry0Va_dqS5UDFznLL6fkW9HNvV6CapJnQDti-RNJUu1HsY5gSyvV_Tr5NHtNECigkKAi6yEOgz9osYJ6PHny62jcZ5bQ9p-ba3tPFjP38q_RQUpuglF1qCrhgqmAx-1n1T9JqOQm-CEiEvSLY8lTaSuIsRZ8_IJbD-uXWlQiR9MPYlY-LAxpYs0Q_b7JzZtowGJocp_SDtGegnEe43tvIFHFMIClHlFZSIDMPcQSQLMM_2Y2RXS7OjdQOMu492A_4ZGolYjA[\r][\n]"
2025-03-18T19:53:07.654Z DEBUG 1 --- [ main] org.apache.http.wire : http-outgoing-0 >> "Host: keycloak-svc:8080[\r][\n]"
2025-03-18T19:53:07.654Z DEBUG 1 --- [ main] org.apache.http.wire : http-outgoing-0 >> "Connection: Keep-Alive[\r][\n]"
2025-03-18T19:53:07.654Z DEBUG 1 --- [ main] org.apache.http.wire : http-outgoing-0 >> "User-Agent: Apache-HttpClient/4.5.14 (Java/21.0.6)[\r][\n]"
2025-03-18T19:53:07.654Z DEBUG 1 --- [ main] org.apache.http.wire : http-outgoing-0 >> "[\r][\n]"
2025-03-18T19:53:07.676Z DEBUG 1 --- [ main] org.apache.http.wire : http-outgoing-0 << "HTTP/1.1 400 Bad Request[\r][\n]"
2025-03-18T19:53:07.676Z DEBUG 1 --- [ main] org.apache.http.wire : http-outgoing-0 << "content-length: 113[\r][\n]"
2025-03-18T19:53:07.676Z DEBUG 1 --- [ main] org.apache.http.wire : http-outgoing-0 << "Content-Type: application/json[\r][\n]"
2025-03-18T19:53:07.676Z DEBUG 1 --- [ main] org.apache.http.wire : http-outgoing-0 << "Referrer-Policy: no-referrer[\r][\n]"
2025-03-18T19:53:07.676Z DEBUG 1 --- [ main] org.apache.http.wire : http-outgoing-0 << "Strict-Transport-Security: max-age=31536000; includeSubDomains[\r][\n]"
2025-03-18T19:53:07.676Z DEBUG 1 --- [ main] org.apache.http.wire : http-outgoing-0 << "X-Content-Type-Options: nosniff[\r][\n]"
2025-03-18T19:53:07.676Z DEBUG 1 --- [ main] org.apache.http.wire : http-outgoing-0 << "X-Frame-Options: SAMEORIGIN[\r][\n]"
2025-03-18T19:53:07.676Z DEBUG 1 --- [ main] org.apache.http.wire : http-outgoing-0 << "X-XSS-Protection: 1; mode=block[\r][\n]"
2025-03-18T19:53:07.676Z DEBUG 1 --- [ main] org.apache.http.wire : http-outgoing-0 << "[\r][\n]"
2025-03-18T19:53:07.676Z DEBUG 1 --- [ main] org.apache.http.wire : http-outgoing-0 << "{"error":"unknown_error","error_description":"For more on this error consult the server log at the debug level."}"
2025-03-18T19:53:07.677Z DEBUG 1 --- [ main] org.apache.http.headers : http-outgoing-0 << HTTP/1.1 400 Bad Request
2025-03-18T19:53:07.677Z DEBUG 1 --- [ main] org.apache.http.headers : http-outgoing-0 << content-length: 113
2025-03-18T19:53:07.677Z DEBUG 1 --- [ main] org.apache.http.headers : http-outgoing-0 << Content-Type: application/json
2025-03-18T19:53:07.677Z DEBUG 1 --- [ main] org.apache.http.headers : http-outgoing-0 << Referrer-Policy: no-referrer
2025-03-18T19:53:07.677Z DEBUG 1 --- [ main] org.apache.http.headers : http-outgoing-0 << Strict-Transport-Security: max-age=31536000; includeSubDomains
2025-03-18T19:53:07.677Z DEBUG 1 --- [ main] org.apache.http.headers : http-outgoing-0 << X-Content-Type-Options: nosniff
2025-03-18T19:53:07.677Z DEBUG 1 --- [ main] org.apache.http.headers : http-outgoing-0 << X-Frame-Options: SAMEORIGIN
2025-03-18T19:53:07.677Z DEBUG 1 --- [ main] org.apache.http.headers : http-outgoing-0 << X-XSS-Protection: 1; mode=block
```
It looks like the config CLI makes a call to find the user by username and then tries to find the user by the other properties. However, that second call has the username set to basically nothing. I tested this same setup in Postman, and Keycloak returned a 400, but returned a 200 if I set the username to the value that is passed in. I am wondering if there is a setting I have set that could be causing this issue.
Minor update. While testing, I found that enabling the LDAP configuration causes the 400 issue when trying to add a user manually. However, our use case requires adding the LDAP configuration and a non-LDAP user for other jobs that would run against Keycloak. Is it possible to have an enabled LDAP configuration and a manually added user?
We are having the same issue with keycloak-config-cli 6.4.0 and Keycloak 26.1.3. The issue does not appear with keycloak-config-cli 6.3.0.
Hi @shinyobject88 and @chri4774,
I've investigated this issue and successfully reproduced it. The problem occurs specifically when LDAP configuration is enabled in the realm.
Findings
I tested with both keycloak-config-cli 6.3.0 and 6.4.0 against Keycloak version 26.1.3, and both versions fail with a 400 Bad Request when LDAP is configured. Testing it with Keycloak version 24.0.4 leads to other issues and errors due to compatibility.
Through debugging, I've identified that the failure occurs in the UserRepository.search() method when keycloak-config-cli attempts to check whether the user exists before creating/adding the user. Here's the stack trace:

```
jakarta.ws.rs.BadRequestException: HTTP 400 Bad Request
    at org.jboss.resteasy.client.jaxrs.internal.ClientInvocation.handleErrorStatus(ClientInvocation.java:236)
    at de.adorsys.keycloak.config.repository.UserRepository.search(UserRepository.java:52)
    at de.adorsys.keycloak.config.service.UserImportService$UserImport.importUser(UserImportService.java:130)
    at de.adorsys.keycloak.config.service.UserImportService.importUser(UserImportService.java:98)
    at de.adorsys.keycloak.config.service.UserImportService.lambda$doImport$0(UserImportService.java:88)
    at de.adorsys.keycloak.config.service.UserImportService.doImport(UserImportService.java:92)
```
Root Cause
This appears to be a Keycloak server-side issue. When LDAP is enabled:
- Expected behavior: the user search method should return an empty list if the user doesn't exist
- Actual behavior: returns 400 Bad Request instead
The Keycloak server logs show it's attempting to query LDAP, and when that fails (either due to connection issues or the user not existing), it returns a 400 error instead of handling it gracefully. If you do not try to add a user manually, the import succeeds.
Workaround
I'm thinking of implementing a fix in keycloak-config-cli to handle this gracefully by catching the BadRequestException and treating it as "user not found" when LDAP is configured. I will also investigate other possible solutions further, or even create an issue in the Keycloak repo if the fix does not work out.
Update
After implementing error handling for the UserRepository.search() and UserRepository.searchByAttributes() methods, these methods no longer fail with 400 Bad Request errors when LDAP is enabled. However, it now fails at the next step - when attempting to actually create/add the user after checking if they exist.
The failure occurs in the UserRepository.create() method:

```
jakarta.ws.rs.WebApplicationException: Create method returned status Bad Request (Code: 400); expected status: Created (201)
    at org.keycloak.admin.client.CreatedResponseUtil.getCreatedId(CreatedResponseUtil.java:43)
    at de.adorsys.keycloak.config.repository.UserRepository.create(UserRepository.java:164)
    at de.adorsys.keycloak.config.service.UserImportService$UserImport.importUser(UserImportService.java:141)
    at de.adorsys.keycloak.config.service.UserImportService.importUser(UserImportService.java:98)
    at de.adorsys.keycloak.config.service.UserImportService.lambda$doImport$0(UserImportService.java:88)
    at java.base/java.util.ArrayList.forEach(ArrayList.java:1596)
    at de.adorsys.keycloak.config.service.UserImportService.doImport(UserImportService.java:92)
    at de.adorsys.keycloak.config.service.RealmImportService.configureRealm(RealmImportService.java:230)
    at de.adorsys.keycloak.config.service.RealmImportService.createRealm(RealmImportService.java:187)
    at de.adorsys.keycloak.config.service.RealmImportService.doImport(RealmImportService.java:152)
    at de.adorsys.keycloak.config.AbstractImportTest.doImport(AbstractImportTest.java:76)
    at de.adorsys.keycloak.config.AbstractImportTest.doImport(AbstractImportTest.java:69)
```
This indicates that user creation is incompatible with LDAP-enabled realms, which appears to be by design in Keycloak. When LDAP is configured as a user federation provider, Keycloak's Admin API rejects direct user creation attempts, returning a 400 Bad Request instead of the expected 201 Created status. They may have done this to maintain consistency with the configured user storage provider and prevent conflicts between local and federated user stores.
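The two-step lookup the reporter spotted in the debug log (an exact-username search, then an attribute search with `username=` left empty), together with the "treat the 400 as user-not-found" workaround proposed above, can be replayed offline. The following is an added example, not code from keycloak-config-cli or Keycloak: it runs a constructed stand-in for the admin `/users` endpoint that encodes only the behaviour reported in this thread (200 with `[]` for a missing user on the exact search, 400 `unknown_error` for the empty-username attribute search while LDAP federation is on), then runs the lookup once strictly and once with the lenient handling. The `placeholder-admin-token` value, the `LDAP_ENABLED`/`LOCAL_USERS` switches and the function names are assumptions for the demo; the user attributes and e-mail are the ones visible in the logged request.

```python
import json
import threading
import urllib.error
import urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.parse import parse_qs, quote, urlencode, urlparse

# Constructed stand-in for a Keycloak admin endpoint. It models only what the
# thread reports, not Keycloak's real search logic.
LDAP_ENABLED = True
LOCAL_USERS = {}  # username -> representation; empty: "admin" not created yet


class FakeKeycloakAdmin(BaseHTTPRequestHandler):
    def log_message(self, *args):  # keep the demo quiet
        pass

    def _send(self, status, body):
        payload = json.dumps(body).encode()
        self.send_response(status)
        self.send_header("Content-Type", "application/json")
        self.send_header("Content-Length", str(len(payload)))
        self.end_headers()
        self.wfile.write(payload)

    def do_GET(self):
        url = urlparse(self.path)
        if not url.path.endswith("/users"):
            return self._send(404, {"error": "not_found"})
        # keep_blank_values=True so "username=" is seen as "" rather than absent
        query = parse_qs(url.query, keep_blank_values=True)
        username = query.get("username", [None])[0]
        if LDAP_ENABLED and username == "":
            # Same body as the 400 captured in the reporter's debug log.
            return self._send(400, {"error": "unknown_error", "error_description":
                              "For more on this error consult the server log at the debug level."})
        matches = [rep for name, rep in LOCAL_USERS.items() if username in (None, name)]
        return self._send(200, matches)


def admin_get(base_url, path, token):
    """GET against the admin API; returns (status, decoded JSON body)."""
    req = urllib.request.Request(base_url + path, headers={
        "Accept": "application/json", "Authorization": "Bearer " + token})
    try:
        with urllib.request.urlopen(req, timeout=5) as resp:
            return resp.status, json.loads(resp.read())
    except urllib.error.HTTPError as err:
        return err.code, json.loads(err.read() or b"null")


def lookup_user(base_url, realm, user, token, treat_400_as_missing):
    """Replay the two requests seen in the debug log. Returns (found, steps),
    where steps lists (step name, HTTP status) for every request made."""
    steps = []
    path = f"/admin/realms/{realm}/users?username={quote(user['username'])}&exact=true"
    status, body = admin_get(base_url, path, token)
    steps.append(("exact-username", status))
    if status == 200 and body:
        return True, steps
    # Second request: attribute search with username deliberately left empty,
    # exactly as logged (username=&firstName=...&first=0&max=100).
    attrs = urlencode({"username": "", "firstName": user["firstName"],
                       "lastName": user["lastName"], "email": user["email"],
                       "first": 0, "max": 100})
    status, body = admin_get(base_url, f"/admin/realms/{realm}/users?{attrs}", token)
    steps.append(("attribute-search", status))
    if status == 200:
        return bool(body), steps
    if status == 400 and treat_400_as_missing:
        # The workaround discussed in the thread: read a 400 from an
        # LDAP-enabled realm as "no such local user" and let the import go on.
        return False, steps
    raise RuntimeError(f"user search failed with HTTP {status}: {body}")


def run_demo():
    """Start the stand-in server, run the lookup strictly and leniently, and
    return both outcomes so they can be inspected or asserted on."""
    server = HTTPServer(("127.0.0.1", 0), FakeKeycloakAdmin)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    base_url = f"http://127.0.0.1:{server.server_port}"
    user = {"username": "admin", "firstName": "Utility", "lastName": "Admin",
            "email": "UtilityAdmin@test.com"}  # values from the logged request
    token = "placeholder-admin-token"  # constructed; a real run uses the admin-cli bearer token
    results = {}
    try:
        lookup_user(base_url, "test", user, token, treat_400_as_missing=False)
    except RuntimeError as err:
        results["strict"] = str(err)
    results["lenient"] = lookup_user(base_url, "test", user, token, treat_400_as_missing=True)
    server.shutdown()
    server.server_close()
    return results


if __name__ == "__main__":
    print(run_demo())
```

The strict run fails on the second request with the same `unknown_error` body the reporter saw; the lenient run returns "not found" and would proceed to create the user. As the update above shows, on the affected Keycloak versions that only moves the 400 to the create step, so any such fallback should log the search response body rather than silently swallowing it, or the real cause (the LDAP lookup failing server-side) is hidden from the operator.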
Hi @Thendo20 I've retested keycloak-config-cli 6.4.0 with an newly set up Keycloak 26.3.2 instance and it is working for us now. LDAP is enabled and we are adding one local user
Hi @chri4774 Okay great, thanks for letting me know. It looks like it was an issue and they fixed it with the latest Keycloak version.
Fixed in the latest Keycloak versions; needs documentation at the kccli level in the Troubleshooting section of the documentation.