python-keycloak

KeycloakAdmin - Gives 403: b'{"error":"unknown_error"} for everything.

Open MohiuddinSumon opened this issue 3 years ago • 12 comments

Hi, I am trying to use KeycloakAdmin. I can create a KeycloakAdmin object, but anything and everything on that object gives me this:

in raise_error_from_response raise error(error_message=message, keycloak.exceptions.KeycloakGetError: 403: b'{"error":"unknown_error"}'

Let me know what I can do.

Update: it was because the user didn't have appropriate permissions. If you face a 403, check for permissions. Keycloak doesn't give a proper error response.

MohiuddinSumon avatar Aug 16 '20 19:08 MohiuddinSumon

Same here.

Going to make calls manually using the REST API.

This will allow me to cache the tokens and be a bit more efficient.

But if the package was working currently it would have made my work easier.

This can help you (didn't work for me): https://github.com/marcospereirampj/python-keycloak/issues/78

The token used by python-keycloak has the preferred_username set to "service-account-{myClientId}". I don't know why.

MrSalman333 avatar Oct 06 '20 07:10 MrSalman333

Looking around the issue board, I combined some answers and my suggested solution goes as follows:

In the Client -> In Service Account Role open Client Roles and select realm-management.

The solution to everything, but not the suggested one, is assigning the role manage-realm. Most admin tasks I found are covered by manage-clients and manage-users.

Since this is an account and not a user, the user does not need to be specified in the creation of the KeycloakAdmin instance.

dimsamaras avatar Oct 14 '20 17:10 dimsamaras
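A way to check the role advice above against the token a client actually receives, as an added example that is not part of the original thread or of python-keycloak. It assumes the usual Keycloak access-token layout (client roles under `resource_access`); the sample token and the `needed` role set are constructed, and the payload is decoded without signature verification, for diagnosis only.

```python
import base64
import json

# Roles the comment above advises against granting by default (plus realm-admin,
# mentioned later in the thread). Names are compared literally.
BROAD_ROLES = {"manage-realm", "realm-admin"}


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def decode_claims(token: str) -> dict:
    """Decode a JWT payload WITHOUT verifying it. Diagnostics only."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWT")
    payload = parts[1] + "=" * (-len(parts[1]) % 4)  # restore stripped padding
    return json.loads(base64.urlsafe_b64decode(payload))


def diagnose(token: str, needed: set) -> dict:
    """Report which realm-management roles the token lacks or over-grants."""
    claims = decode_claims(token)
    granted = set(
        claims.get("resource_access", {}).get("realm-management", {}).get("roles", [])
    )
    principal = str(claims.get("preferred_username", ""))
    return {
        "principal": principal,
        "is_service_account": principal.startswith("service-account-"),
        "missing": sorted(needed - granted),      # likely cause of the 403
        "broad": sorted(granted & BROAD_ROLES),   # more than the task needs
    }


def make_sample_token(roles: list) -> str:
    """Constructed, unsigned token for the demo (client id is a sample value)."""
    claims = {
        "preferred_username": "service-account-dev-headless",
        "resource_access": {"realm-management": {"roles": roles}},
    }
    return ".".join([b64url(b'{"alg":"none"}'), b64url(json.dumps(claims).encode()), "sig"])


if __name__ == "__main__":
    print(diagnose(make_sample_token(["manage-clients"]), {"manage-users"}))
```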

This is a keycloak admin rest api issue as i see it, I've opened a bug report to check if they can provide a better error description ISSUE

javiertoja avatar Apr 01 '21 11:04 javiertoja

> Looking around the issue board i combined some answers and my suggested solution goes as follows :
>
> In the Client -> In Service Account Role open Client Roles and Select realm-management.
>
> The solution to everything but not suggested one is assigning the role manage-realm, Most Admin tasks i found that are covered by manage-clients and manage-users.
>
> Since this is an account and not a user, the user does not need to be specified in the creation of the KeycloakAdmin instance.

Exactly tested this solution, in a custom realm (not master), in the Admin-cli with confidential. Conclusion: you don't have to use the Master realm to use the API

But the correct way of using this API is to:

1- not in a Master Realms
2- new Client, ex: "user management client"
3- in the new Client > Scopes > Client Roles > realm-management > add all the Roles you want
4- create a group - "user manager" - Role Mapping > Client Roles > realm-management > add all the Roles you want
5- add user to group...

And magic happens, you login to your Client App, and use the Token to call the API

tiagopsantos avatar May 05 '21 21:05 tiagopsantos

Hello, I had the permissions for realm-management set correctly but it did not solve the issue. I wanted to share how I solved it hoping that'll help. I had some custom group mappers added to the access token. Removing them from the access token solved it.

TheNamelessWeeb avatar Jun 15 '21 10:06 TheNamelessWeeb

In the exported realm JSON you can add it in clientRoles['realm-management']

{
  "users": [
    {
      "createdTimestamp": 1633496114712,
      "username": "service-account-dev-headless",
      "enabled": true,
      "totp": false,
      "emailVerified": false,
      "serviceAccountClientId": "dev-headless",
      "disableableCredentialTypes": [],
      "requiredActions": [],
      "realmRoles": ["default-roles-webapp"],
      "clientRoles": {
        "realm-management": ["manage-users"]
      },
      "notBefore": 0,
      "groups": []
    }
  ]
}

kachar avatar May 14 '22 12:05 kachar
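An audit over the export format shown above, as an added example that is not part of the original thread or of python-keycloak: it lists every service account in a realm export with its realm-management roles and flags accounts that have none (the 403 case in this thread) or that hold a broad role. The `dev-headless` entry mirrors the snippet above; the other entries and the status labels are constructed for illustration.

```python
# Roles treated as broader than most admin tasks need (per the earlier comments).
BROAD_ROLES = {"manage-realm", "realm-admin"}

# Constructed sample export; only the fields the audit reads are included.
SAMPLE_EXPORT = {
    "users": [
        {"username": "service-account-dev-headless",
         "serviceAccountClientId": "dev-headless",
         "clientRoles": {"realm-management": ["manage-users"]}},
        {"username": "service-account-reporting-job",
         "serviceAccountClientId": "reporting-job",
         "clientRoles": {}},
        {"username": "service-account-legacy-sync",
         "serviceAccountClientId": "legacy-sync",
         "clientRoles": {"realm-management": ["manage-users", "manage-realm"]}},
        {"username": "alice", "clientRoles": {"account": ["view-profile"]}},
    ]
}


def audit_service_accounts(realm_export: dict) -> list:
    """Return (client_id, status, roles) for each service account in the export."""
    findings = []
    for user in realm_export.get("users", []):
        client_id = user.get("serviceAccountClientId")
        if not client_id:
            continue  # ordinary user, not a client's service account
        roles = set(user.get("clientRoles", {}).get("realm-management", []))
        if not roles:
            status = "no-admin-roles"    # admin API calls would be refused
        elif roles & BROAD_ROLES:
            status = "over-privileged"   # holds a broad role
        else:
            status = "scoped"
        findings.append((client_id, status, sorted(roles)))
    return findings


if __name__ == "__main__":
    for client_id, status, roles in audit_service_accounts(SAMPLE_EXPORT):
        print(f"{client_id:15} {status:16} {', '.join(roles) or '-'}")
```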

You saved my time! Thanks for answer.

CenkCamkiran avatar Jun 30 '22 11:06 CenkCamkiran

I get this error intermittently. Got an instance of Keycloak 20.0.1 running and creating a client like so:

from keycloak import KeycloakAdmin

keycloak_admin = KeycloakAdmin(
    server_url=keycloak_endpoint,
    client_id=keycloak_client["client_id"],
    realm_name=keycloak_realm,
    client_secret_key=keycloak_client["client_secret"],
)

and about 40% of the time I get keycloak.exceptions.KeycloakGetError: 403: b'{"error":"unknown_error"}'

Well, it works sometimes :D As I understand it, support for the new Quarkus version is being worked on, so happy to wait there.

strannik19 avatar Dec 09 '22 11:12 strannik19

I have the same problem

[Screenshot 2023-10-09 at 16 06 31]

Should work but I got the 403 error

Allan-Nava avatar Oct 09 '23 14:10 Allan-Nava

Ensure that the Keycloak client or user account you are using to create the KeycloakAdmin object has the necessary permissions to perform the actions you are trying to execute. In Keycloak, permissions are managed through roles and policies. Review the client's or user's roles and make sure they have sufficient permissions for the actions you want to perform. I think the problem is there.

NdSaid avatar Oct 16 '23 09:10 NdSaid

> Ensure that the Keycloak client or user account you are using to create the KeycloakAdmin object has the necessary permissions to perform the actions you are trying to execute. In Keycloak, permissions are managed through roles and policies. Review the client's or user's roles and make sure they have sufficient permissions for the actions you want to perform. I think the problem is there

is all correct

Allan-Nava avatar Oct 16 '23 10:10 Allan-Nava

I am facing the same issue even though I have assigned the realm-admin role to the client. I'm able to get the token just fine - but when trying to invoke a call to KC getting a 403 with the following error in the response:

{ "error": "unknown_error" }

nbhansali avatar Feb 15 '24 13:02 nbhansali