Red Hat build of Keycloak
RHBK-4014

FGAP: user can no longer open account management page, broken by `reset-password` [GHI#43596]


      Before reporting an issue

      [x] I have read and understood the above terms for submitting issues, and I understand that my issue may be closed without action if I do not follow them.

      Area

      No response

      Describe the bug

      A scoped manager can no longer open the user management page after upgrading to 26.4.1; the error is as follows:

      2025-10-20 02:05:57,366 ERROR [org.keycloak.services.error.KeycloakErrorHandler] (executor-thread-1289) Uncaught server error: java.lang.RuntimeException: Scope with id or name [reset-password] does not exist

      at org.keycloak.models.utils.RepresentationToModel.updateScopes(RepresentationToModel.java:1352)
      at org.keycloak.models.utils.RepresentationToModel.toModel(RepresentationToModel.java:1301)
      at org.keycloak.authorization.admin.PolicyResourceService.update(PolicyResourceService.java:90)
      at org.keycloak.authorization.admin.PolicyResourceService$quarkusrestinvoker$update_ed7e12bc348e9cbb7352ac6108901a0eeb12c0ec.invoke(Unknown Source)
      at org.jboss.resteasy.reactive.server.handlers.InvocationHandler.handle(InvocationHandler.java:29)
      at io.quarkus.resteasy.reactive.server.runtime.QuarkusResteasyReactiveRequestContext.invokeHandler(QuarkusResteasyReactiveRequestContext.java:183)
      at org.jboss.resteasy.reactive.common.core.AbstractResteasyReactiveContext.run(AbstractResteasyReactiveContext.java:147)
      at io.quarkus.vertx.core.runtime.VertxCoreRecorder$15.runWith(VertxCoreRecorder.java:645)
      at org.jboss.threads.EnhancedQueueExecutor$Task.doRunWith(EnhancedQueueExecutor.java:2651)
      at org.jboss.threads.EnhancedQueueExecutor$Task.run(EnhancedQueueExecutor.java:2630)
      at org.jboss.threads.EnhancedQueueExecutor.runThreadBody(EnhancedQueueExecutor.java:1622)
      at org.jboss.threads.EnhancedQueueExecutor$ThreadBody.run(EnhancedQueueExecutor.java:1589)
      at org.jboss.threads.DelegatingRunnable.run(DelegatingRunnable.java:11)
      at org.jboss.threads.ThreadLocalResettingRunnable.run(ThreadLocalResettingRunnable.java:11)
      at io.netty.util.concurrent.FastThreadLocalRunnable.run(FastThreadLocalRunnable.java:30)
      at java.base/java.lang.Thread.run(Thread.java:1583)


      I suspect there is some issue in the migration process that fails to create the reset-password scope in the database. I tried granting the reset-password permission and the error log suggests Scope with id or name [reset-password] does not exist. Here is the detailed log:

      2025-10-20 02:22:16,018 ERROR [org.keycloak.services.error.KeycloakErrorHandler] (executor-thread-1306) Uncaught server error: java.lang.RuntimeException: Scope with id or name [reset-password] does not exist


      at org.keycloak.models.utils.RepresentationToModel.updateScopes(RepresentationToModel.java:1352)
      at org.keycloak.models.utils.RepresentationToModel.toModel(RepresentationToModel.java:1301)
      at org.keycloak.authorization.admin.PolicyResourceService.update(PolicyResourceService.java:90)
      at org.keycloak.authorization.admin.PolicyResourceService$quarkusrestinvoker$update_ed7e12bc348e9cbb7352ac6108901a0eeb12c0ec.invoke(Unknown Source)
      at org.jboss.resteasy.reactive.server.handlers.InvocationHandler.handle(InvocationHandler.java:29)
      at io.quarkus.resteasy.reactive.server.runtime.QuarkusResteasyReactiveRequestContext.invokeHandler(QuarkusResteasyReactiveRequestContext.java:183)
      at org.jboss.resteasy.reactive.common.core.AbstractResteasyReactiveContext.run(AbstractResteasyReactiveContext.java:147)
      at io.quarkus.vertx.core.runtime.VertxCoreRecorder$15.runWith(VertxCoreRecorder.java:645)
      at org.jboss.threads.EnhancedQueueExecutor$Task.doRunWith(EnhancedQueueExecutor.java:2651)
      at org.jboss.threads.EnhancedQueueExecutor$Task.run(EnhancedQueueExecutor.java:2630)
      at org.jboss.threads.EnhancedQueueExecutor.runThreadBody(EnhancedQueueExecutor.java:1622)
      at org.jboss.threads.EnhancedQueueExecutor$ThreadBody.run(EnhancedQueueExecutor.java:1589)
      at org.jboss.threads.DelegatingRunnable.run(DelegatingRunnable.java:11)
      at org.jboss.threads.ThreadLocalResettingRunnable.run(ThreadLocalResettingRunnable.java:11)
      at io.netty.util.concurrent.FastThreadLocalRunnable.run(FastThreadLocalRunnable.java:30)
      at java.base/java.lang.Thread.run(Thread.java:1583)


      Version

      26.4.1

      Regression

      [x] The issue is a regression

      Expected behavior

      Open management page for specific account:

      [Image: https://github.com/user-attachments/assets/08f49cac-531c-4fb7-9df1-112b72329ae8]

      Actual behavior

      Cannot open the page. The log says Scope 'reset-password' is not defined for resource type 'Users'.

      [Image: https://github.com/user-attachments/assets/f8f71afd-8d5d-46ec-b07b-12107e3c7120]

      2025-10-20 02:26:08,335 ERROR [org.keycloak.services.error.KeycloakErrorHandler] (executor-thread-1311) Uncaught server error: org.keycloak.models.ModelIllegalStateException: Scope 'reset-password' is not defined for resource type 'Users'


      at org.keycloak.services.resources.admin.fgap.FineGrainedAdminPermissionEvaluator.lambda$hasPermission$1(FineGrainedAdminPermissionEvaluator.java:106)
      at java.base/java.util.Optional.orElseThrow(Optional.java:403)
      at org.keycloak.services.resources.admin.fgap.FineGrainedAdminPermissionEvaluator.hasPermission(FineGrainedAdminPermissionEvaluator.java:106)
      at org.keycloak.services.resources.admin.fgap.FineGrainedAdminPermissionEvaluator.hasPermission(FineGrainedAdminPermissionEvaluator.java:71)
      at org.keycloak.services.resources.admin.fgap.UserPermissionsV2.canResetPassword(UserPermissionsV2.java:157)
      at org.keycloak.services.resources.admin.fgap.UserPermissions.getAccess(UserPermissions.java:437)
      at org.keycloak.services.resources.admin.UserResource.getUser(UserResource.java:359)
      at org.keycloak.services.resources.admin.UserResource$quarkusrestinvoker$getUser_c905e0bb512ebf5abf25843bdcaec6b073f8e01e.invoke(Unknown Source)
      at org.jboss.resteasy.reactive.server.handlers.InvocationHandler.handle(InvocationHandler.java:29)
      at io.quarkus.resteasy.reactive.server.runtime.QuarkusResteasyReactiveRequestContext.invokeHandler(QuarkusResteasyReactiveRequestContext.java:183)
      at org.jboss.resteasy.reactive.common.core.AbstractResteasyReactiveContext.run(AbstractResteasyReactiveContext.java:147)
      at io.quarkus.vertx.core.runtime.VertxCoreRecorder$15.runWith(VertxCoreRecorder.java:645)
      at org.jboss.threads.EnhancedQueueExecutor$Task.doRunWith(EnhancedQueueExecutor.java:2651)
      at org.jboss.threads.EnhancedQueueExecutor$Task.run(EnhancedQueueExecutor.java:2630)
      at org.jboss.threads.EnhancedQueueExecutor.runThreadBody(EnhancedQueueExecutor.java:1622)
      at org.jboss.threads.EnhancedQueueExecutor$ThreadBody.run(EnhancedQueueExecutor.java:1589)
      at org.jboss.threads.DelegatingRunnable.run(DelegatingRunnable.java:11)
      at org.jboss.threads.ThreadLocalResettingRunnable.run(ThreadLocalResettingRunnable.java:11)
      at io.netty.util.concurrent.FastThreadLocalRunnable.run(FastThreadLocalRunnable.java:30)
      at java.base/java.lang.Thread.run(Thread.java:1583)
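      A log-triage check for this regression, added here as an illustration (it is not part of the report or of Keycloak): it scans Keycloak server log lines for the two error signatures quoted above and extracts the missing scope name and, where present, the resource type, so an operator can alert on the condition after an upgrade. The sample log lines are constructed from the messages quoted in this report; the INFO line is invented filler.

```python
import re

# Error signatures quoted in RHBK-4014 (Keycloak 26.4.1, fine-grained admin
# permissions V2). Both mean an admin-permission scope is referenced but is
# missing from the authorization resource server, so the admin page fails.
MISSING_SCOPE_PATTERNS = [
    # Raised from RepresentationToModel.updateScopes while saving a permission.
    re.compile(r"Scope with id or name \[(?P<scope>[^\]]+)\] does not exist"),
    # Raised from FineGrainedAdminPermissionEvaluator.hasPermission on page load.
    re.compile(r"Scope '(?P<scope>[^']+)' is not defined for resource type "
               r"'(?P<rtype>[^']+)'"),
]

# Keycloak/Quarkus console log layout: "<date> <time> LEVEL [logger] (thread) msg".
LOG_LINE = re.compile(
    r"^(?P<ts>\S+ \S+) (?P<level>\w+) \[(?P<logger>[^\]]+)\] "
    r"\((?P<thread>[^)]+)\) (?P<msg>.*)$"
)


def scan_keycloak_log(lines):
    """Return one finding per ERROR line carrying a missing-scope message.

    Stack-trace continuation lines ("at ...") and non-ERROR lines are skipped.
    """
    findings = []
    for line in lines:
        m = LOG_LINE.match(line)
        if not m or m.group("level") != "ERROR":
            continue
        for pat in MISSING_SCOPE_PATTERNS:
            hit = pat.search(m.group("msg"))
            if hit:
                findings.append({
                    "timestamp": m.group("ts"),
                    "thread": m.group("thread"),
                    "scope": hit.group("scope"),
                    "resource_type": hit.groupdict().get("rtype"),
                })
                break
    return findings


# Constructed sample: two error lines quoted from the report, one trace line,
# and one invented INFO line that must not produce a finding.
SAMPLE_LOG = [
    "2025-10-20 02:05:57,366 ERROR [org.keycloak.services.error.KeycloakErrorHandler] (executor-thread-1289) Uncaught server error: java.lang.RuntimeException: Scope with id or name [reset-password] does not exist",
    "\tat org.keycloak.models.utils.RepresentationToModel.updateScopes(RepresentationToModel.java:1352)",
    "2025-10-20 02:26:08,335 ERROR [org.keycloak.services.error.KeycloakErrorHandler] (executor-thread-1311) Uncaught server error: org.keycloak.models.ModelIllegalStateException: Scope 'reset-password' is not defined for resource type 'Users'",
    "2025-10-20 02:26:09,001 INFO [io.quarkus] (main) constructed filler line, no error here",
]
```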


      How to Reproduce?

      Might just be the upgrade from 26.3?

      Anything else?

      No response

              Assignee: Unassigned
              Reporter: Pavel Vlha (pvlha)
              Component: Keycloak Core IAM