Closed ryan-lake closed 1 month ago
Hi @ryan-lake
Keycloak 4.1.0 comes with a behavioral change in KeycloakAdmin. Upon KeyclokAdmin's initialization, we no longer fetch the access + refresh token, that is something that happens upon the first API request (get_client_id in your case). Unfortunately in your case, you change the realm before that call happens, meaning the credentials are going to be fetched from internal_admin_realm
instead of master
realm, so you get a 401.
A quick fix for you is to add keycloak_master_admin.connection.get_token()
call before the change_current_realm.
However, I overall just do not like this behavior (that changing the realm gets you into 401/403 state). It does mean that refresh token won't work either as the realm is changed, so you'll after some time reach 401 later anyway unless changed back to the master realm.
We overall need a better handling of changing realms, such that it keeps the same realm for credentials fetch and refresh.
Thank you for the reply, that makes sense.
This started with 4.1.0.
The code
The call to get_client_id fails to authenticate with keycloak, getting a 401. The calls before this (the creation of the admin client and the realm change succeed without error).
In 4.0.1 and before this code runs fine. Keycloak only shows an unknown user failed authentication.