Bug
Resolution: Done
Area
admin/fine-grained-permissions
Describe the bug
Description
In Keycloak 26.4.0 & 26.4.1, the Fine-Grained Admin Permissions (FGAP) code path executes even when FGAP is disabled at both realm and client levels. This causes service accounts with the realm-admin role to receive 403 Forbidden errors when attempting to assign realm-management client roles to groups via the Admin REST API.
This is a regression from 26.3.5, which worked correctly.
Environment
- Keycloak Version: 26.4.0 and 26.4.1
- Deployment: Kubernetes
- Working Version: 26.3.5
Version
26.4.1
Regression
[x] The issue is a regression
Expected behavior
A service account with the realm-admin composite role should be able to assign realm-management client roles (e.g., view-users, manage-users, view-clients) to groups when FGAP is disabled.
Actual behavior
The operation fails with 403 Forbidden and the error originates from RolePermissions.requireMapRole() in the FGAP code path, despite FGAP being disabled.
How to Reproduce?
1. Create a realm with FGAP disabled (adminPermissionsEnabled: false)
2. Create a service account client and assign it the realm-admin role from the realm-management client
3. Obtain an access token for the service account
4. Attempt to assign realm-management client roles to a group via REST API:

```http
POST /admin/realms/{realm}/groups/{group-id}/role-mappings/clients/{realm-management-client-id}
Authorization: Bearer {token}
Content-Type: application/json

[
  {"id": "{role-id}", "name": "view-users"},
  {"id": "{role-id}", "name": "manage-users"}
]
```

5. Observe 403 Forbidden error
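The reproduction above, turned into a pre-upgrade check a team can run against a staging server. This is an added example, not code from the report or from Keycloak: it reads the realm's adminPermissionsEnabled flag, sends the same group role-mapping request, and reports whether a 403 arrives while FGAP is disabled. It assumes the service-account token is obtained out of band (client credentials grant) and that the realm-management client's internal UUID is known; the `opener` parameter and the placeholder role ids are hypothetical, added so the check can be exercised without a live server.

```python
import json
import urllib.error
import urllib.request

# Constructed sample payload mirroring the reproduction request; the ids are placeholders.
SAMPLE_ROLES = [{"id": "ROLE-ID-VIEW-USERS", "name": "view-users"},
                {"id": "ROLE-ID-MANAGE-USERS", "name": "manage-users"}]


def _call(opener, req):
    """Send `req` through `opener` (urlopen or a test stub); return (status, parsed JSON or None)."""
    try:
        with opener(req) as resp:
            raw = resp.read()
            return resp.status, (json.loads(raw) if raw else None)
    except urllib.error.HTTPError as err:  # urlopen raises on 4xx/5xx; keep the status code
        return err.code, None


def admin_request(base_url, realm, path, token, body=None, method="GET"):
    """Build an Admin REST API request carrying the service account's bearer token."""
    data = json.dumps(body).encode() if body is not None else None
    req = urllib.request.Request(f"{base_url}/admin/realms/{realm}{path}", data=data, method=method)
    req.add_header("Authorization", f"Bearer {token}")
    req.add_header("Content-Type", "application/json")
    return req


def check_role_mapping(base_url, realm, group_id, rm_client_uuid, token,
                       roles=SAMPLE_ROLES, opener=urllib.request.urlopen):
    """Read the realm's adminPermissionsEnabled flag, then attempt the group role mapping.

    verdict: 'ok' (2xx), 'fgap-regression' (403 although FGAP is disabled, the behaviour
    reported above), 'denied-fgap-enabled' (403 with FGAP on, i.e. a policy decision rather
    than this bug), or 'other-error'.
    """
    status, realm_rep = _call(opener, admin_request(base_url, realm, "", token))
    if status != 200 or realm_rep is None:
        return {"fgap_enabled": None, "status": status, "verdict": "other-error"}
    fgap_enabled = bool(realm_rep.get("adminPermissionsEnabled", False))
    path = f"/groups/{group_id}/role-mappings/clients/{rm_client_uuid}"
    status, _ = _call(opener, admin_request(base_url, realm, path, token, roles, "POST"))
    if 200 <= status < 300:
        verdict = "ok"
    elif status == 403:
        verdict = "denied-fgap-enabled" if fgap_enabled else "fgap-regression"
    else:
        verdict = "other-error"
    return {"fgap_enabled": fgap_enabled, "status": status, "verdict": verdict}
```

A verdict of `fgap-regression` on a 26.4.x server is the symptom described in this report; a 403 with FGAP enabled is expected policy enforcement and should be investigated separately.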
Anything else?
Configuration Details
Realm FGAP Status:

```json
{
  "realm": "my-realm",
  "adminPermissionsEnabled": false,
  "userManagedAccessAllowed": false
}
```

Realm-Management Client FGAP Status:

```json
{
  "error": "Feature not enabled",
  "error_description": "For more on this error consult the server log."
}
```

Service Account Roles:

```json
[
  {
    "id": "db96dcd7-7322-4e63-a45d-f3cb79d2735f",
    "name": "realm-admin",
    "description": "${role_realm-admin}",
    "composite": true,
    "clientRole": true,
    "containerId": "910f78e7-980f-4072-8e80-a9bbbf9c5ca2"
  }
]
```
Stack Trace (earlier frames omitted)

```json
{
  "timestamp": "2025-10-17T13:19:36.878298787Z",
  "loggerName": "org.keycloak.services.error.KeycloakErrorHandler",
  "level": "DEBUG",
  "message": "Error response Forbidden",
  "exception": {
    "exceptionType": "jakarta.ws.rs.ForbiddenException",
    "message": "HTTP 403 Forbidden",
    "frames": [
      {"class": "org.keycloak.services.resources.admin.ClientRoleMappingsResource", "method": "addClientRoleMapping", "line": 175}
    ]
  }
}
```
Additional Context
- This affects both direct client role assignments and composite roles containing client roles
- The same operation works successfully via the Keycloak Admin Console UI with master realm user
- This appears to be a regression introduced between 26.3.5 and 26.4.0
Impact
This blocks automation tools from managing realm-management role assignments using service accounts, forcing manual intervention through the Admin Console.