marcospereirampj / python-keycloak

MIT License

KeycloakAdmin - Gives 403: b'{"error":"unknown_error"} for everything. #110

Open MohiuddinSumon opened 4 years ago

MohiuddinSumon commented 4 years ago

Hi, I am trying to use KeycloakAdmin. I can create a KeycloakAdmin object, but anything and everything on that object gives me this:

in raise_error_from_response raise error(error_message=message, keycloak.exceptions.KeycloakGetError: 403: b'{"error":"unknown_error"}'

Let me know what I can do.

Update: it was because the user didn't have the appropriate permissions. If you face a 403, check for permissions. Keycloak doesn't give a proper error response.

MrSalman333 commented 3 years ago

Same here.

Going to make calls manually using the REST API; this will allow me to cache the tokens and be a bit more efficient.

But if the package were working currently, it would have made my work easier.

This can help you ("didn't work for me"): https://github.com/marcospereirampj/python-keycloak/issues/78

The token used by python-keycloak has the preferred_username set to "service-account-{myClientId}", I don't know why.

dimsamaras commented 3 years ago

Looking around the issue board I combined some answers, and my suggested solution goes as follows:

In the Client -> Service Account Roles, open Client Roles and select realm-management.

The solution to everything, but not the suggested one, is assigning the role manage-realm. Most admin tasks I found are covered by manage-clients and manage-users.

Since this is an account and not a user, the user does not need to be specified in the creation of the KeycloakAdmin instance.

javiertoja commented 3 years ago

This is a Keycloak admin REST API issue as I see it; I've opened a bug report to check if they can provide a better error description: ISSUE

tiagopsantos commented 3 years ago

> Looking around the issue board I combined some answers, and my suggested solution goes as follows:
>
> In the Client -> Service Account Roles, open Client Roles and select realm-management.
>
> The solution to everything, but not the suggested one, is assigning the role manage-realm. Most admin tasks I found are covered by manage-clients and manage-users.
>
> Since this is an account and not a user, the user does not need to be specified in the creation of the KeycloakAdmin instance.

Exactly. I tested this solution in a custom realm (not master), in the admin-cli with confidential. Conclusion: you don't have to use the master realm to use the API.

But the correct way of using this API is:

1. Not in a master realm.
2. New client, e.g. "user management client".
3. In the new Client > Scopes > Client Roles > realm-management, add all the roles you want.
4. Create a group, "user manager": Role Mapping > Client Roles > realm-management, add all the roles you want.
5. Add the user to the group...

And magic happens: you log in to your client app and use the token to call the API.

TheNamelessWeeb commented 3 years ago

Hello, I had the permissions for realm-management set correctly but it did not solve the issue. I wanted to share how I solved it hoping that'll help. I had some custom group mappers added to the access token. Removing them from the access token solved it.

kachar commented 2 years ago

In the exported realm JSON you can add it in clientRoles['realm-management']:

{
  "users": [
    {
      "createdTimestamp": 1633496114712,
      "username": "service-account-dev-headless",
      "enabled": true,
      "totp": false,
      "emailVerified": false,
      "serviceAccountClientId": "dev-headless",
      "disableableCredentialTypes": [],
      "requiredActions": [],
      "realmRoles": ["default-roles-webapp"],
      "clientRoles": {
        "realm-management": ["manage-users"]
      },
      "notBefore": 0,
      "groups": []
    }
  ]
}
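
Before assuming python-keycloak is at fault, it is worth checking locally whether the service account's token (or the realm export above) actually carries the realm-management roles the thread found necessary. The following is an added diagnostic, not code from python-keycloak or this thread; the token it builds is a constructed, unsigned sample, and the required-role set is an assumption taken from the comments above.

```python
import base64
import json

# Roles the thread found sufficient for most KeycloakAdmin calls (assumption).
REQUIRED_ROLES = {"manage-users", "manage-clients"}


def _b64url_decode(segment: str) -> bytes:
    # JWT segments drop base64 padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def realm_management_roles(access_token: str) -> set:
    """Return the realm-management client roles carried in an access token.

    Decodes the payload only (no signature check): this is a local diagnostic
    for a token you already obtained, not an authorization decision.
    """
    payload = json.loads(_b64url_decode(access_token.split(".")[1]))
    return set(payload.get("resource_access", {})
               .get("realm-management", {})
               .get("roles", []))


def missing_roles(access_token: str, required=REQUIRED_ROLES) -> set:
    """Roles from `required` the token lacks; empty means the 403 is not a role problem."""
    return set(required) - realm_management_roles(access_token)


def export_service_account_roles(realm_export: dict, client_id: str) -> set:
    """Same check against a realm export: find the client's service-account user
    and read clientRoles['realm-management'], as in the JSON above."""
    for user in realm_export.get("users", []):
        if user.get("serviceAccountClientId") == client_id:
            return set(user.get("clientRoles", {}).get("realm-management", []))
    return set()


def _make_unsigned_token(claims: dict) -> str:
    # Constructed sample token for the demo; a real Keycloak token is signed.
    def enc(obj):
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': 'none', 'typ': 'JWT'})}.{enc(claims)}."


# Constructed sample: a service account holding only view-users, the kind of
# under-privileged token that yields the opaque 403 unknown_error in this thread.
SAMPLE_TOKEN = _make_unsigned_token({
    "preferred_username": "service-account-dev-headless",
    "azp": "dev-headless",
    "resource_access": {"realm-management": {"roles": ["view-users"]}},
})

if __name__ == "__main__":
    print("missing realm-management roles:", sorted(missing_roles(SAMPLE_TOKEN)))
```

Run it against the real token KeycloakAdmin obtained (for example `keycloak_admin.token["access_token"]`) to see exactly which roles the service account is missing.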
CenkCamkiran commented 2 years ago

You saved my time! Thanks for answer.

strannik19 commented 1 year ago

I get this error intermittently. I've got an instance of Keycloak 20.0.1 running and am creating a client like so:

keycloak_admin = KeycloakAdmin(
    server_url=keycloak_endpoint,
    client_id=keycloak_client["client_id"],
    realm_name=keycloak_realm,
    client_secret_key=keycloak_client["client_secret"],
)

and about 40% of the time I get keycloak.exceptions.KeycloakGetError: 403: b'{"error":"unknown_error"}'

Well, it works sometimes :D As I understand it, support for the new Quarkus version is being worked on, so I'm happy to wait.

Allan-Nava commented 11 months ago

I have the same problem.

It should work, but I got the 403 error.

NdSaid commented 11 months ago

Ensure that the Keycloak client or user account you are using to create the KeycloakAdmin object has the necessary permissions to perform the actions you are trying to execute. In Keycloak, permissions are managed through roles and policies. Review the client's or user's roles and make sure they have sufficient permissions for the actions you want to perform. I think the problem is there.

Allan-Nava commented 11 months ago

> Ensure that the Keycloak client or user account you are using to create the KeycloakAdmin object has the necessary permissions to perform the actions you are trying to execute. In Keycloak, permissions are managed through roles and policies. Review the client's or user's roles and make sure they have sufficient permissions for the actions you want to perform. I think the problem is there.

It's all correct.

nbhansali commented 7 months ago

I am facing the same issue even though I have assigned the realm-admin role to the client. I'm able to get the token just fine, but when trying to invoke a call to KC I get a 403 with the following error in the response:

{ "error": "unknown_error" }

gary-Shen commented 2 months ago

Well, in my case I got 403 unknown_error when I called the admin logout API. When using the KeycloakAdmin module (from python-keycloak), you need to assign the manage-users and manage-clients roles to the admin user. Follow these steps:

  1. Click Users.
  2. Search for the user by username.
  3. Click Role mapping, then select Filter by clients and choose manage-users and manage-clients.
  4. Done.

Hope this helps everyone.