REST Admin API - ClientsResource response with 200 OK even needed roles are missing · Issue #40192 · keycloak/keycloak · GitHub
Closed
@AndreVirtimo

Description

Area

admin/api

Describe the bug

The clients resource API endpoint responds with 200 OK even when I'm not allowed to use the API.

The API should behave in a consistent way. This is unexpected behaviour.

Version

26.2.5

Regression

  • The issue is a regression

Expected behavior

I expect a 402 Forbidden as the response when the token has neither an admin role nor the query-clients role.

Actual behavior

When I call the REST API on https://SERVER/admin/realms/REALM/clients (GET) with the query-users role, I get status 200 OK with an empty JSON array "[]" as the response.

How to Reproduce?

  • create a user with the role "query-users"
  • get an access token for the user
  • call curl --location 'https://SERVER/admin/realms/REALM/clients' --header 'Authorization: Bearer ACCESS-TOKEN'
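The reproduction above as a small probe script, added here as an example and not part of the issue or of Keycloak itself: it obtains a token for a user that holds only query-users and reports whether the clients endpoint answers Forbidden (HTTP 403) or the silent "200 with []" described in this report. SERVER, REALM, the probe user and password are placeholders; the password grant on the built-in admin-cli client is assumed to be enabled in the test realm.

```python
"""Probe GET /admin/realms/{realm}/clients with a token that lacks the
query-clients / realm-admin roles and classify the server's answer.
Added example for issue #40192; the server, realm and user are placeholders."""
import json
import urllib.error
import urllib.parse
import urllib.request

EXPECTED_FORBIDDEN = 403  # HTTP "Forbidden": the behaviour the reporter expects


def classify(status: int, body: str) -> str:
    """Map an HTTP status + body from the clients endpoint to a verdict."""
    if status == EXPECTED_FORBIDDEN:
        return "forbidden-as-expected"
    if status == 200:
        try:
            payload = json.loads(body)
        except json.JSONDecodeError:
            return "unexpected-200-non-json"
        if payload == []:
            return "silent-empty-200"  # the behaviour reported in this issue
        return "unexpected-200-with-data"
    return f"unexpected-{status}"


def get_token(base_url, realm, client_id, username, password):
    """Resource-owner password grant on the realm token endpoint (assumed enabled)."""
    data = urllib.parse.urlencode({
        "grant_type": "password", "client_id": client_id,
        "username": username, "password": password,
    }).encode()
    url = f"{base_url}/realms/{realm}/protocol/openid-connect/token"
    with urllib.request.urlopen(urllib.request.Request(url, data=data)) as resp:
        return json.load(resp)["access_token"]


def probe_clients_endpoint(base_url, realm, token):
    """GET the clients list; return (status, body) instead of raising on 4xx."""
    req = urllib.request.Request(
        f"{base_url}/admin/realms/{realm}/clients",
        headers={"Authorization": f"Bearer {token}"})
    try:
        with urllib.request.urlopen(req) as resp:
            return resp.status, resp.read().decode()
    except urllib.error.HTTPError as err:
        return err.code, err.read().decode()


if __name__ == "__main__":
    # Placeholders: substitute a test realm and a user holding only query-users.
    tok = get_token("https://SERVER", "REALM", "admin-cli", "probe-user", "probe-password")
    print(classify(*probe_clients_endpoint("https://SERVER", "REALM", tok)))
```

A verdict of "silent-empty-200" reproduces the report; "forbidden-as-expected" means the server version under test enforces the role check.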

Anything else?

No response
