Red Hat build of Keycloak: RHBK-4130

NullPointerException when disabling Admin Permissions (FGAP) in Realm - GET /users returns 500 [GHI#43331]


      Before reporting an issue

      [x] I have read and understood the above terms for submitting issues, and I understand that my issue may be closed without action if I do not follow them.

      Area

      admin/api

      Describe the bug

      When creating a new realm and a client with a service account, the Admin REST API works fine with the default configuration (Admin Permissions = OFF).
      After enabling Admin Permissions (FGAP) and testing again, everything still works.
      However, once Admin Permissions are disabled again (set back to OFF), any call to _/admin/realms/{realm}/users/{id}_ fails with a 500 error and unknown_error.

      This persists even after:

      - Clearing realm and user caches from the admin console.
      - Restarting the Keycloak container.

      The error only occurs with Admin Permissions = OFF.


      Version

      26.4.0

      Regression

      [ ] The issue is a regression

      Expected behavior

      Admin REST API calls (e.g., _GET /admin/realms/{realm}/users/{id}_) should continue to work with Admin Permissions = OFF, provided the token includes the _manage-users_, _view-users_, etc. roles.

      Actual behavior

      The call returns:
      {
        "error": "unknown_error",
        "error_description": "For more on this error consult the server log."
      }

      Server log shows a NullPointerException in the permissions evaluator:

      2025-10-09 16:26:43,303 ERROR [org.keycloak.services.error.KeycloakErrorHandler] (executor-thread-10) Uncaught server error: java.lang.NullPointerException: Cannot invoke "org.keycloak.authorization.model.Resource.getScopes()" because "resourceTypeResource" is null


      How to Reproduce?

      1. Create a new realm.
      2. Create a confidential client (client_credentials) with a service account.
      3. Assign realm-management roles to the service account (e.g., manage-users, view-users, query-users, query-groups).
      4. With Admin Permissions = OFF → GET /users/{id} works.
      5. Enable Admin Permissions = ON → still works.
      6. Disable Admin Permissions = OFF → GET /users/{id} now fails with 500.
      7. Clear caches and restart container → error persists.

      Anything else?

      • Tested with a clean Docker container.
      • Appears to be a bug triggered when toggling FGAP ON → OFF, leaving null references in the legacy evaluator.
      • With Admin Permissions ON everything works fine.
      • Full logs available if needed.
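As an added regression check, not part of this issue or of Keycloak's own code: a small Python script that recognises the evaluator NullPointerException in the server log (pattern taken from the line quoted above) and probes the affected endpoint with a service-account token, reporting whether the generic 500/unknown_error response comes back. The base URL, client credentials and user ID are assumed inputs supplied by the operator.

```python
import json
import re
import urllib.error
import urllib.parse
import urllib.request

# Log signature of the failure in this issue (pattern follows the quoted log line):
# an uncaught NullPointerException from the permissions evaluator after FGAP ON -> OFF.
NPE_RE = re.compile(
    r"^(?P<ts>\S+ \S+) ERROR \[org\.keycloak\.services\.error\.KeycloakErrorHandler\] "
    r"\((?P<thread>[^)]+)\) Uncaught server error: java\.lang\.NullPointerException: "
    r'Cannot invoke "(?P<method>[^"]+)" because "(?P<var>[^"]+)" is null'
)

def classify_log_line(line):
    """Return parsed fields if the line is the evaluator NPE, otherwise None."""
    m = NPE_RE.match(line.strip())
    if not m:
        return None
    info = m.groupdict()
    # Narrow to the exact null reference reported: the resource-type Resource.
    info["fgap_evaluator_npe"] = (info["var"] == "resourceTypeResource" and
        info["method"].startswith("org.keycloak.authorization.model.Resource."))
    return info

def is_unknown_error(status, body):
    """True when the admin API answered 500 with the generic unknown_error body."""
    if status != 500:
        return False
    try:
        return json.loads(body).get("error") == "unknown_error"
    except (ValueError, AttributeError):
        return False

def probe_user_endpoint(base_url, realm, client_id, client_secret, user_id):
    """Token via client_credentials, then GET /admin/realms/{realm}/users/{id}.
    Returns (status, body); assumes the service-account roles listed in the issue."""
    token_url = f"{base_url}/realms/{realm}/protocol/openid-connect/token"
    form = urllib.parse.urlencode({"grant_type": "client_credentials",
                                   "client_id": client_id, "client_secret": client_secret}).encode()
    with urllib.request.urlopen(token_url, data=form) as resp:
        token = json.load(resp)["access_token"]
    req = urllib.request.Request(f"{base_url}/admin/realms/{realm}/users/{user_id}",
                                 headers={"Authorization": f"Bearer {token}"})
    try:
        with urllib.request.urlopen(req) as resp:
            return resp.status, resp.read().decode()
    except urllib.error.HTTPError as err:
        return err.code, err.read().decode()
```

Run `probe_user_endpoint` against a test realm before and after toggling Admin Permissions, and feed `classify_log_line` the server log to confirm a 500 is this NPE rather than an unrelated error.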

      Assignee: Unassigned
      Reporter: Pavel Vlha (pvlha)
      Component: Keycloak Core (shared)