Keycloak / KEYCLOAK-17243

[REL] REST API call PUT /{realm}/users/{id} rejects selective/partial user representation updates

    Details

    • Type: Bug
    • Status: Closed
    • Priority: Critical
    • Resolution: Done
    • Affects Version/s: 12.0.0, 12.0.1, 12.0.2
    • Fix Version/s: 12.0.4
    • Component/s: Admin - REST API
    • Labels:
      None
    • Steps to Reproduce:
      [user@host $] curl -X POST 'http://localhost:8081/auth/realms/master/protocol/openid-connect/token' \
      -H 'Content-Type: application/x-www-form-urlencoded' \
      -d 'grant_type=password' \
      -d 'client_id=' \
      -d 'client_secret=*****' \
      -d 'username=admin' \
      -d 'password=*****'
      
      [user@host $] curl -X POST 'http://localhost:8081/auth/admin/realms/apa/users' \
      -H 'Authorization: Bearer XXX' \
      -H 'Content-Type: application/json' \
      --data-binary '{"username":"nobody","firstName":"nobody","enabled":true,"credentials":[{"type":"password","value":"*****"}]}'
      
      [user@host $] curl -X PUT 'http://localhost:8081/auth/admin/realms/apa/users/f949d744-c96d-4d81-9ac4-3b9033b2bab6' \
      -H 'Authorization: Bearer XXX' \
      -H 'Content-Type: application/json' \
      --data-binary '{"email":"nobody@nowhere.at"}'
      

      ERROR Keycloak returned: 400 Bad Request

      {"errorMessage":"Could not update user! See server log for more details"}

      In the server logs you will find the following lines:

      2021-02-10 16:05:36,048 WARN [org.keycloak.userprofile.validation.StaticValidators] (default task-5) Attempt to edit denied attribute 'LDAP_ENTRY_DN' of user 'nobody'
      2021-02-10 16:05:36,048 WARN [org.keycloak.userprofile.validation.StaticValidators] (default task-5) Attempt to edit denied attribute 'LDAP_ID' of user 'nobody'
      2021-02-10 16:05:36,048 WARN [org.keycloak.userprofile.validation.StaticValidators] (default task-5) Attempt to edit denied attribute 'createTimestamp' of user 'nobody'
      2021-02-10 16:05:36,048 WARN [org.keycloak.userprofile.validation.StaticValidators] (default task-5) Attempt to edit denied attribute 'modifyTimestamp' of user 'nobody'
      2021-02-10 16:05:36,049 WARN [org.keycloak.services.resources.admin.UserResource] (default task-5) Failed to update attribute LDAP_ENTRY_DN: updateReadOnlyAttributesRejectedMessage,
      2021-02-10 16:05:36,049 WARN [org.keycloak.services.resources.admin.UserResource] (default task-5) Failed to update attribute LDAP_ID: updateReadOnlyAttributesRejectedMessage,
      2021-02-10 16:05:36,049 WARN [org.keycloak.services.resources.admin.UserResource] (default task-5) Failed to update attribute createTimestamp: updateReadOnlyAttributesRejectedMessage,
      2021-02-10 16:05:36,049 WARN [org.keycloak.services.resources.admin.UserResource] (default task-5) Failed to update attribute modifyTimestamp: updateReadOnlyAttributesRejectedMessage,
    • Affects:
      Documentation (Ref Guide, User Guide, etc.), Release Notes
    • Workaround:
      Workaround Exists
    • Workaround Description:
      Send the whole user representation with updates where intended.
    • Docs QE Status:
      NEW
    • QE Status:
      NEW

      Description

      Since KC 12.0.0, if you want to modify any user attribute, e.g. the e-mail address, using the REST API, you need to send the whole user representation in the PUT request. Before KEYCLOAK-16468 (see also github.com/keycloak/commit/a602a80), or KC 12.0.0 respectively, even if not documented, partial user representation updates were allowed (e.g. refer to KEYCLOAK-2218). So, you may argue that formerly the PUT request was neither properly documented nor properly implemented, as by definition partial updates are rather a PATCH request than a PUT; this seems to me to be a breaking change, which has unfortunately not been communicated either in the release notes or in any other document.

      Or am I missing something?

              People

              Assignee:
              pcraveiro Pedro Igor Silva
              Reporter:
              apateczechmeister Christopher Zechmeister
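
The workaround from this report (send the whole user representation), written out as an added example that is not part of the original report or of Keycloak's code: it reads the user with GET, merges the intended change, and PUTs the full representation back, leaving the attributes named in the server log untouched. Python is used instead of curl so the merge step is explicit; `build_full_update`, `admin_request`, `update_user` and the sample attribute values are assumptions made for illustration.

```python
import copy
import json
import urllib.request

# Attributes the server log on this page reports as denied for editing.
READ_ONLY = {"LDAP_ENTRY_DN", "LDAP_ID", "createTimestamp", "modifyTimestamp"}

# Constructed sample of a GET response for user 'nobody' (attribute values are made up).
SAMPLE_USER = {
    "id": "f949d744-c96d-4d81-9ac4-3b9033b2bab6", "username": "nobody",
    "firstName": "nobody", "enabled": True,
    "attributes": {"LDAP_ENTRY_DN": ["uid=nobody,dc=example,dc=org"], "LDAP_ID": ["constructed-id"],
                   "createTimestamp": ["20210210150000Z"], "modifyTimestamp": ["20210210150000Z"]},
}


def build_full_update(current, changes):
    """Return the full representation from GET with the partial changes merged in."""
    merged = copy.deepcopy(current)
    for key, value in changes.items():
        if key != "attributes":
            merged[key] = value
            continue
        attrs = merged.setdefault("attributes", {})
        for name, new in value.items():
            if name in READ_ONLY and attrs.get(name) != new:
                raise ValueError(f"refusing to change read-only attribute {name!r}")
            attrs[name] = new
    return merged


def admin_request(method, url, token, body=None):
    """Send one authenticated JSON request to the admin REST API."""
    data = json.dumps(body).encode() if body is not None else None
    headers = {"Authorization": f"Bearer {token}", "Content-Type": "application/json"}
    req = urllib.request.Request(url, data=data, method=method, headers=headers)
    with urllib.request.urlopen(req) as resp:
        payload = resp.read()
    return json.loads(payload) if payload else None


def update_user(base_url, realm, user_id, token, changes):
    """GET the full user, apply the changes, PUT the whole representation back."""
    url = f"{base_url}/auth/admin/realms/{realm}/users/{user_id}"
    current = admin_request("GET", url, token)
    admin_request("PUT", url, token, build_full_update(current, changes))
```

The GET and the PUT are two separate requests, so a change made to the user between them is overwritten by the PUT.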