keycloak: HTTP 401 Unauthorized while trying to create a user
### Before reporting an issue
- I have read and understood the above terms for submitting issues, and I understand that my issue may be closed without action if I do not follow them.
### Area
account/api
### Describe the bug
The token I am using has these roles:
```json
"resource_access": {
  "realm-management": {
    "roles": [
      "view-identity-providers",
      "view-realm",
      "manage-identity-providers",
      "impersonation",
      "realm-admin",
      "create-client",
      "manage-users",
      "query-realms",
      "view-authorization",
      "query-clients",
      "query-users",
      "manage-events",
      "manage-realm",
      "view-events",
      "view-users",
      "view-clients",
      "manage-authorization",
      "manage-clients",
      "query-groups"
    ]
  },
```
endpoint: admin/realms/myrealm/users
```bash
curl -X POST 'http://localhost:8180/admin/realms/myrealm/users' \
  -H 'Content-Type: application/json' \
  -H 'Authorization: Bearer XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX' \
  -d '{
    "username": "test-user",
    "email": "test-user@test.com",
    "enabled": true,
    "emailVerified": true
  }'
```
```json
{
  "error": "HTTP 401 Unauthorized"
}
```
### Version
22.0.3
### Expected behavior
To actually create the user
### Actual behavior
Unauthorized even though the client has all the required roles
### How to Reproduce?
See description
### Anything else?
_No response_
About this issue
- Original URL
- State: closed
- Created 8 months ago
- Comments: 19 (8 by maintainers)
@sschu I tried to hack the DNS name via the /etc/hosts, and it seems that if I hit Keycloak with the Kubernetes service name it works. I also tried to deploy a gateway in front of it to make sure that it will maintain the correct DNS.
Thanks a lot for the help!!
Yes, that won’t work. Do you have a different hostname/reverse proxy in front of Keycloak and use its URL to retrieve the token? In general, you should use the same address for retrieving the token and accessing the api. If you are in dev mode, Keycloak will accept any `Host` header so you could also just add `Host: mykeycloak-service.keycloak` to the curl request you are sending.
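
An added diagnostic example, not part of the original thread or of Keycloak's code: it decodes a bearer token's claims and compares the `iss` origin with the origin of the admin API URL being called, which is the mismatch the advice above points at. It assumes the 401 stems from the issuer host differing from the request host (or from an expired token); the sample token, its port and the helper names are constructed for the demo.

```python
import base64
import json
import time
from urllib.parse import urlsplit


def jwt_claims(token):
    """Decode a JWT payload WITHOUT verifying the signature (diagnostics only)."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("expected header.payload.signature")
    payload = parts[1] + "=" * (-len(parts[1]) % 4)  # restore base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))


def origin(url):
    """Return (scheme, host, port), filling in the default port."""
    u = urlsplit(url)
    port = u.port or {"http": 80, "https": 443}.get(u.scheme)
    return (u.scheme, (u.hostname or "").lower(), port)


def check_token_for_api(token, api_url, now=None):
    """List reasons the admin API at api_url could answer 401 to this token."""
    claims = jwt_claims(token)
    now = time.time() if now is None else now
    problems = []
    iss = claims.get("iss", "")
    if origin(iss) != origin(api_url):
        problems.append(f"issuer {iss!r} does not match API origin {origin(api_url)}")
    if "exp" in claims and claims["exp"] <= now:
        problems.append(f"token expired at {claims['exp']}")
    return problems


def make_token(claims):
    """Build an unsigned sample token (constructed data, not a real Keycloak token)."""
    def enc(obj):
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': 'none'})}.{enc(claims)}.sig"


if __name__ == "__main__":
    # Constructed scenario: token fetched via the service name, API called via localhost.
    sample = make_token({"iss": "http://mykeycloak-service.keycloak:8180/realms/myrealm",
                         "exp": int(time.time()) + 300})
    for problem in check_token_for_api(sample, "http://localhost:8180/admin/realms/myrealm/users"):
        print("PROBLEM:", problem)
```

Because the signature is not verified, the output is only a troubleshooting aid and must not be used to make an authorization decision.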