Admin API always returns 401 #45413

Karuption · 2026-01-13T19:33:31Z

Karuption
Jan 13, 2026

I have been using 26.1.4 inside docker with traefik no problem. I recently had to move to a k8s cluster and am now getting 401 errors on any requests using the admin api. Specifically, to get user information.

I have tried this using the proxy settings, outside the cluster with https, inside the cluster (via a clusterIP service) using http. I have tried setting the hostname with backchannel dynamic, and all the settings that work locally via podman/docker.

Recreate:

Create a new client with all roles and allow for service accounts
Get the service account token with the client secret
Use the token to request user details (/admin/realms/{Realm}/users)

Error:
I enabled just about all error logging I can find at a debug level and get this:

2026-01-13 18:49:10,175 DEBUG [io.quarkus.vertx.http.runtime.ForwardedParser] (vert.x-eventloop-thread-2) Recalculated absoluteURI to http://keycloak-service:8080/admin/realms/Test/users
2026-01-13 18:49:10,175 DEBUG [org.keycloak.transaction.JtaTransactionWrapper] (executor-thread-1) new JtaTransactionWrapper. Was existing transaction suspended: false Request Context: HTTP GET /admin/realms/Test/users
2026-01-13 18:49:10,176 DEBUG [org.keycloak.services.error.KeycloakErrorHandler] (executor-thread-1) Error response Unauthorized: jakarta.ws.rs.NotAuthorizedException: HTTP 401 Unauthorized
        at org.keycloak.services.resources.admin.AdminRoot.authenticateRealmAdminRequest(AdminRoot.java:192)
        at org.keycloak.services.resources.admin.AdminRoot.getRealmsAdmin(AdminRoot.java:244)
        at org.keycloak.services.resources.admin.AdminRoot$quarkusrestinvoker$getRealmsAdmin_e9e564a2c5fdea05832c9c2326104217661e6d1c.invoke(Unknown Source)
        at org.jboss.resteasy.reactive.server.handlers.InvocationHandler.handle(InvocationHandler.java:29)
        at io.quarkus.resteasy.reactive.server.runtime.QuarkusResteasyReactiveRequestContext.invokeHandler(QuarkusResteasyReactiveRequestContext.java:183)
        at org.jboss.resteasy.reactive.common.core.AbstractResteasyReactiveContext.run(AbstractResteasyReactiveContext.java:147)
        at io.quarkus.vertx.core.runtime.VertxCoreRecorder$15.runWith(VertxCoreRecorder.java:645)
        at org.jboss.threads.EnhancedQueueExecutor$Task.doRunWith(EnhancedQueueExecutor.java:2651)
        at org.jboss.threads.EnhancedQueueExecutor$Task.run(EnhancedQueueExecutor.java:2630)
        at org.jboss.threads.EnhancedQueueExecutor.runThreadBody(EnhancedQueueExecutor.java:1622)
        at org.jboss.threads.EnhancedQueueExecutor$ThreadBody.run(EnhancedQueueExecutor.java:1589)
        at org.jboss.threads.DelegatingRunnable.run(DelegatingRunnable.java:11)
        at org.jboss.threads.ThreadLocalResettingRunnable.run(ThreadLocalResettingRunnable.java:11)
        at io.netty.util.concurrent.FastThreadLocalRunnable.run(FastThreadLocalRunnable.java:30)
        at java.base/java.lang.Thread.run(Thread.java:1583)

2026-01-13 18:49:10,176 DEBUG [org.keycloak.transaction.JtaTransactionWrapper] (executor-thread-1) JtaTransactionWrapper rollback. Request Context: HTTP GET /admin/realms/Test/users
2026-01-13 18:49:10,176 DEBUG [org.keycloak.transaction.JtaTransactionWrapper] (executor-thread-1) JtaTransactionWrapper end. Request Context: HTTP GET /admin/realms/Test/users

I found this artical that has the issue with the same block of code: https://tech-talk.the-experts.nl/upgrading-to-keycloak-22-0-5-to-dependency-hell-and-back-68b75396563e

I tried updating the container to 26.5.0-0 and still have the same issue.

Answered by Karuption

Jan 14, 2026

Figured this out. Completely self inflicted with config management. envsubst does in fact try to resolve everything with a $ unless you give the cli options to not...

View full answer

Karuption · 2026-01-14T18:01:10Z

Karuption
Jan 14, 2026
Author

When sending it pod -> service, I can get past the block of code if I use the token from my local keycloak instance configured just about the same.

I can't see any logging in this block, but both versions are getting to the catch block here.

    protected AdminAuth authenticateRealmAdminRequest(HttpHeaders headers) {
        String tokenString = AppAuthManager.extractAuthorizationHeaderToken(headers);
        if (tokenString == null) throw new NotAuthorizedException("Bearer");
        AccessToken token;
        try {
            JWSInput input = new JWSInput(tokenString);
            token = input.readJsonContent(AccessToken.class);
        } catch (JWSInputException e) {
            throw new NotAuthorizedException("Bearer token format error");
        }

I am extreamly confused since I am using the same container, basically the same config. I am not accessing it through a proxy. I have set the hostname to be the service and access it within the cluster on http port 8080. I am also importing the same configuration on both for the Test realm. I tried the k8s token on the local keycloak and it fails at the same parsing code block.

Kubernetes Config via env:

    KC_BOOTSTRAP_ADMIN_USERNAME: admin
    KC_BOOTSTRAP_ADMIN_PASSWORD: admin
    KC_HOSTNAME: https://<internally routable dns>
    KC_HTTP_ENABLED: "true"
    KC_HOSTNAME_BACKCHANNEL_DYNAMIC: "true"
    KC_PROXY_HEADERS: xforwarded
    KC_HOSTNAME_STRICT: "false"
    KC_HOSTNAME_STRICT_HTTPS: "false"
    KC_HOSTNAME_DEBUG: "true"
    KC_HEALTH_ENABLED: "true"
    KC_DB_URL_HOST: <db sts>
    KC_DB_USERNAME: postgres
    KC_DB_PASSWORD: admin
    KC_DB: postgres

Docker Compose Config via env:

      - KC_BOOTSTRAP_ADMIN_USERNAME=admin
      - KC_BOOTSTRAP_ADMIN_PASSWORD=admin
      - KC_HOSTNAME=http://keycloak.dev.localhost/
      - KC_HOSTNAME_BACKCHANNEL_DYNAMIC=true
      - KC_HOSTNAME_STRICT=false
      - KC_HOSTNAME_STRICT_HTTPS=false
      - KC_HOSTNAME_DEBUG=true
      - KC_HEALTH_ENABLED=true
      - KC_DB_PASSWORD=admin
      - KC_DB_URL_HOST=postgres
      - KC_DB_USERNAME=postgres
      - KC_DB=postgres
      - KC_HTTP_ACCESS_LOG="true"
      - KC_HTTP_ACCESS_PATTERN=long
      - KC_LOG_LEVEL=debug

0 replies

Karuption · 2026-01-14T21:40:39Z

Karuption
Jan 14, 2026
Author

Figured this out. Completely self inflicted with config management. envsubst does in fact try to resolve everything with a $ unless you give the cli options to not...

0 replies

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Admin API always returns 401 #45413

Uh oh!

{{title}}

Uh oh!

Uh oh!

{{editor}}'s edit

{{editor}}'s edit

Uh oh!

Replies: 2 comments

Uh oh!

{{title}}

Uh oh!

Uh oh!

{{title}}

Uh oh!

Select a reply

Uh oh!

Admin API always returns 401 #45413

Uh oh!

Uh oh!

Karuption Jan 13, 2026

Replies: 2 comments

Uh oh!

Karuption Jan 14, 2026 Author

Uh oh!

Karuption Jan 14, 2026 Author

Karuption
Jan 13, 2026

Karuption
Jan 14, 2026
Author

Karuption
Jan 14, 2026
Author