Red Hat build of Keycloak: RHBK-4092

403 Forbidden when assigning realm-management client roles despite FGAP disabled (regression in 26.4.0+) [GHI#44371]


      Area

      admin/fine-grained-permissions

      Describe the bug

      In Keycloak 26.4.0 to 26.4.5, the Fine-Grained Admin Permissions (FGAP) code path executes even when FGAP is disabled at both realm and client levels. This causes service accounts with the create-realm role to receive 403 Forbidden errors when attempting to assign realm client roles to users via the Admin REST API.

      This is a regression from 26.3.3, which worked correctly.

      Expected behavior
      A service account with the realm roles should be able to assign realm-management client roles (e.g., view-users, manage-users, view-clients) to users when FGAP is disabled.

      Actual behavior

      The operation fails with 403 Forbidden, despite FGAP being disabled.
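      A check that exercises the exact path the report describes (a service account obtaining a token with client credentials, then POSTing realm-management client roles onto a user through the Admin REST API) and flags a 403 so it can be compared against the affected version range. This is an added example, not code from the issue or from the Keycloak project; the environment variables, the KC_TARGET_USERNAME target user and the ROLES list are assumptions, and the service account and target user must already exist in the realm.

```python
"""Reproduce-and-classify check for the RHBK-4092 symptom: with FGAP disabled,
a service account holding the realm roles should be able to assign
realm-management client roles, so a 403 on the role-mapping POST is the
regression signal.  Added example; assumed configuration via KC_* variables.
"""
import json
import os
import sys
import urllib.error
import urllib.parse
import urllib.request

# Roles named in the report (constructed list; adjust to what the account needs).
ROLES = ("view-users", "manage-users", "view-clients")
AFFECTED_VERSIONS = "26.4.0 to 26.4.5"  # from the report


def token_url(base, realm):
    # Keycloak token endpoint (no /auth prefix on current releases)
    return f"{base.rstrip('/')}/realms/{realm}/protocol/openid-connect/token"


def admin_url(base, realm, path):
    # Admin REST API root for a realm
    return f"{base.rstrip('/')}/admin/realms/{realm}/{path.lstrip('/')}"


def role_mapping_url(base, realm, user_id, client_uuid):
    # POST here with a JSON array of {"id", "name"} role representations
    return admin_url(base, realm, f"users/{user_id}/role-mappings/clients/{client_uuid}")


def classify(status, fgap_disabled=True):
    """Map the HTTP status of the role-mapping POST onto an outcome label."""
    if status == 204:            # Keycloak answers the mapping POST with 204 No Content
        return "assigned"
    if status == 403 and fgap_disabled:
        return "denied-with-fgap-disabled"  # the RHBK-4092 symptom
    if status == 403:
        return "denied"          # FGAP is on: a policy decision, not this regression
    return f"unexpected-{status}"


def _request(method, url, token=None, payload=None, form=False):
    """Small urllib wrapper; returns (status, parsed JSON or None)."""
    headers, body = {}, None
    if payload is not None:
        body = (urllib.parse.urlencode(payload) if form else json.dumps(payload)).encode()
        headers["Content-Type"] = "application/x-www-form-urlencoded" if form else "application/json"
    if token:
        headers["Authorization"] = f"Bearer {token}"
    req = urllib.request.Request(url, data=body, method=method, headers=headers)
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            raw = resp.read()
            return resp.status, (json.loads(raw) if raw else None)
    except urllib.error.HTTPError as err:
        return err.code, None


def main():
    base, realm = os.environ["KC_BASE_URL"], os.environ["KC_REALM"]
    # 1. client_credentials grant for the service account
    status, tok = _request("POST", token_url(base, realm), payload={
        "grant_type": "client_credentials",
        "client_id": os.environ["KC_CLIENT_ID"],
        "client_secret": os.environ["KC_CLIENT_SECRET"]}, form=True)
    if status != 200:
        sys.exit(f"token request failed with HTTP {status}")
    token = tok["access_token"]
    # 2. resolve the target user and the realm-management client UUID
    username = urllib.parse.quote(os.environ["KC_TARGET_USERNAME"])
    _, users = _request("GET", admin_url(base, realm, f"users?username={username}&exact=true"), token)
    _, clients = _request("GET", admin_url(base, realm, "clients?clientId=realm-management"), token)
    user_id, client_uuid = users[0]["id"], clients[0]["id"]
    # 3. the mapping body needs each role's id and name
    roles = []
    for name in ROLES:
        _, rep = _request("GET", admin_url(base, realm, f"clients/{client_uuid}/roles/{name}"), token)
        roles.append({"id": rep["id"], "name": rep["name"]})
    # 4. the call that regressed
    status, _ = _request("POST", role_mapping_url(base, realm, user_id, client_uuid), token, payload=roles)
    outcome = classify(status)
    print(f"POST role-mapping -> HTTP {status}: {outcome}")
    if outcome == "denied-with-fgap-disabled":
        print(f"matches RHBK-4092; compare the server version against {AFFECTED_VERSIONS}")


if __name__ == "__main__":
    main()
```

      Run it against a test realm on the version under suspicion and again on a known-good release; the same account, user and roles should yield "assigned" on the good release and "denied-with-fgap-disabled" on an affected one.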

      Unassigned
      Vlasta Ramik (vramik@redhat.com), Keycloak Core IAM