Keycloak / KEYCLOAK-14598

Client Roles / Realm Roles can not be added to group via Admin-API role-mapping endpoints

    Details

    • Type: Bug
    • Status: Closed
    • Priority: Major
    • Resolution: Explained
    • Affects Version/s: 10.0.2
    • Fix Version/s: None
    • Component/s: Admin - REST API
    • Labels:
      None
    • Steps to Reproduce:
      • Create a group and a client-level or realm-level role
      • Try to add said role to the group through the API with the role-mapping endpoints

      Here is an example:

      curl -X GET "${KEYCLOAK_URL}/admin/realms/${KEYCLOAK_REALM}/groups/40c6fe7a-9ed3-47c5-9f19-f243bbd2e3e0/role-mappings/clients/4777b0f9-a749-40e9-9a89-d00a65cb4ee3/available" \
        -H "Accept: application/json" \
        -H "Authorization: Bearer $TKN" | jq .

      curl -X POST "${KEYCLOAK_URL}/admin/realms/${KEYCLOAK_REALM}/groups/40c6fe7a-9ed3-47c5-9f19-f243bbd2e3e0/role-mappings/clients/4777b0f9-a749-40e9-9a89-d00a65cb4ee3" \
        -d '{"roles":[{"name":"member_mongroupe","id":"9d7d7500-1930-4337-9bc9-fbadf6e2b9e1"}]}' \
        -H "Content-Type: application/json" \
        -H "Accept: application/json" \
        -H "Authorization: Bearer $TKN" | jq .

      The result is the following:

        % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                       Dload  Upload   Total   Spent    Left  Speed
      100   644  100   644    0     0   125k      0 --:--:-- --:--:-- --:--:--  125k
      [
        {
          "id": "a703e373-b7a4-400d-b9d8-5c817d249417",
          "name": "admin_mongroupe",
          "composite": false,
          "clientRole": true,
          "containerId": "4777b0f9-a749-40e9-9a89-d00a65cb4ee3"
        },
        {
          "id": "4ff6abb0-f957-4475-a06d-cb589250b93a",
          "name": "uma_protection",
          "composite": false,
          "clientRole": true,
          "containerId": "4777b0f9-a749-40e9-9a89-d00a65cb4ee3"
        },
        {
          "id": "9d7d7500-1930-4337-9bc9-fbadf6e2b9e1",
          "name": "member_mongroupe",
          "composite": false,
          "clientRole": true,
          "containerId": "4777b0f9-a749-40e9-9a89-d00a65cb4ee3"
        },
        {
          "id": "750726a8-e1ab-46cd-ac2b-5d066260bfe9",
          "name": "animator_mongroupe",
          "composite": false,
          "clientRole": true,
          "containerId": "4777b0f9-a749-40e9-9a89-d00a65cb4ee3"
        }
      ]
        % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                       Dload  Upload   Total   Spent    Left  Speed
      100   107  100    25  100    82   3125  10250 --:--:-- --:--:-- --:--:-- 13375
      {
        "error": "unknown_error"
      }
      
    • Docs QE Status:
      NEW
    • QE Status:
      NEW

      Description

      I'm trying to add client Roles to a group using this API endpoint :

       
      POST /{realm}/groups/{id}/role-mappings/clients/{client}
       
      In request body, I send {"roles":[{"name":"...", "id":"..."}]}
       
      It fails with the following return :

      {"error": "unknown_error"}

      In server logs :

      09:43:56,150 ERROR [org.keycloak.services.error.KeycloakErrorHandler] (default task-18) Uncaught server error: com.fasterxml.jackson.databind.exc.MismatchedInputException: Cannot deserialize instance of `java.util.ArrayList<org.keycloak.representations.idm.RoleRepresentation>` out of START_OBJECT token

      I have the same kind of errors with realm level roles (POST /{realm}/groups/{id}/role-mappings/realm)

       

      For information, I have no problem when creating my groups and client-level roles through the API.
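
The server log above shows Jackson expecting an `ArrayList<RoleRepresentation>` and meeting `START_OBJECT`, meaning the request body has to be a bare JSON array of role objects rather than an object wrapping a `roles` key. The following is an added example, not part of the original report or of Keycloak's code: it builds the body from the `/available` response and checks its shape before constructing the request. The function names, the `keycloak.example` host, the realm name, the token placeholder and the requirement that each entry carry `id` and `name` are assumptions of this example.

```python
import json
import urllib.request

# Constructed sample: two entries copied from the /available response in the report.
CLIENT_ID = "4777b0f9-a749-40e9-9a89-d00a65cb4ee3"
AVAILABLE = [
    {"id": "a703e373-b7a4-400d-b9d8-5c817d249417", "name": "admin_mongroupe",
     "composite": False, "clientRole": True, "containerId": CLIENT_ID},
    {"id": "9d7d7500-1930-4337-9bc9-fbadf6e2b9e1", "name": "member_mongroupe",
     "composite": False, "clientRole": True, "containerId": CLIENT_ID},
]

def select_roles(available, names, client_id):
    """Pick roles by name, refusing any the server did not offer for this client."""
    offered = {r["name"]: r for r in available
               if r.get("clientRole") and r.get("containerId") == client_id}
    missing = [n for n in names if n not in offered]
    if missing:
        raise ValueError(f"not available for client {client_id}: {missing}")
    return [{"id": offered[n]["id"], "name": n} for n in names]

def body_is_role_array(body):
    """True only if the top-level JSON value is an array of role objects."""
    try:
        parsed = json.loads(body)
    except ValueError:
        return False
    # A top-level object is what the server log reports as START_OBJECT.
    return isinstance(parsed, list) and all(
        isinstance(r, dict) and "id" in r and "name" in r for r in parsed)

def build_mapping_request(base_url, realm, group_id, client_id, roles, token):
    """Build (but do not send) the POST that maps client roles to a group."""
    body = json.dumps(roles).encode()
    if not body_is_role_array(body):
        raise ValueError("body must be a JSON array of role objects")
    url = (f"{base_url}/admin/realms/{realm}/groups/{group_id}"
           f"/role-mappings/clients/{client_id}")
    return urllib.request.Request(url, data=body, method="POST", headers={
        "Content-Type": "application/json",
        "Authorization": f"Bearer {token}"})

if __name__ == "__main__":
    roles = select_roles(AVAILABLE, ["member_mongroupe"], CLIENT_ID)
    req = build_mapping_request("https://keycloak.example", "myrealm",
                                "40c6fe7a-9ed3-47c5-9f19-f243bbd2e3e0",
                                CLIENT_ID, roles, "TOKEN_PLACEHOLDER")
    print(req.get_method(), req.full_url)
    print(req.data.decode())
```

Restricting the selection to roles the server listed for that client keeps a script from mapping a role from another container to the group by mistake.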

              People

              • Assignee:
                pcraveiro Pedro Igor Silva
                Reporter:
                eole-team Eole Team
              • Votes:
                0
                Watchers:
                2
