Improve Keycloak Admin REST API documentation #8898

tnorimat · 2021-11-24T09:39:16Z

tnorimat
Nov 24, 2021
Collaborator

This topic has already been treated by KEYCLOAK-6662.

The aim of this discussion is to document Admin REST API in OpenAPI.
Its motivation is that it makes easy for keycloak administrator to test and manage their keycloak.

As for Account REST API, there are some JIRA ticket(KEYCLOAK-9655, KEYCLOAK-14744) and corresponding project(keycloak-rest-api-description)).

To follow this project, Admin REST APIs are also documented by OpenAPI.
I'm not sure adding Admin REST APIs' documentation is added to existing project, or create its new project.

What do you think about this idea? I am willing to work on it if this idea can is accepted by keycloak community.

abstractj · 2021-12-22T15:29:53Z

abstractj
Dec 22, 2021
Maintainer

@tnorimat Hi Takashi, long time ago, we had a discussion about this and the initial idea was to create the Open API descriptors first and generate our HTML documentation, and the API code. It's been a while since it was created, and I believe it's a good idea to revisit and check if we have a better approach.

I think it's a good idea, and I would love to hear more about what you have in mind.

0 replies

tnorimat · 2021-12-23T09:09:55Z

tnorimat
Dec 23, 2021
Collaborator Author

Hello @abstractj , there is the similar discussion. In this discussion, generating OpenAPI documentation from codes automatically (ex. by using some annotations) has been suggested.

The advantage of this way is to generate OpenAPI documentation automatically so that this documentation comply with actual codes completely. Also this way can remove costs for maintaining OpenAPI documentation that may arise if we make these documentation manually.

IMO, this way is reasonable, but I've not yet found how to realize this way. I've now investigating Smallrye OpenAPI extension.
WDYT?

1 reply

ericmorand Mar 3, 2026

I think this is an anti-pattern. It basically says "the code is not written against the specification; the specification is inferred from the code". The consequences are immediately obvious: since the code is the source of truth, there is no way to actually detect breaking changes since, with this pattern, tests are written in order to satisfy the code, instead of being written to satisfy some expectations - the specification.

You will end up making some changes to the code, which will in turn change the specification, letting us all at the mercy of a breaking change in the specification that nobody is able to detect.

abstractj · 2021-12-23T11:29:50Z

abstractj
Dec 23, 2021
Maintainer

@tnorimat let's move the conversation to #8899, so we have things in a single place.

0 replies

hannmtz85 · 2024-09-27T10:36:13Z

hannmtz85
Sep 27, 2024

Hello

I am trying to add a new attribute to a user profile of a certain realm, for this I am using the following request:

PUT {{baseUrl}}/admin/reamls/{{realm}}/users/profile
Authorization: Bearer {{access_token}}
Content-Type: application/json

{
    "UPConfig": {...}
}

And this operation is returning me 405 Method not allowed

what can I be doing wrong?
Is that endpoint available?

1 reply

danielFesenmeyer Sep 30, 2024

This looks correct, except that you wrote reamls instead of realms.
The endpoint should be available, as documented here: https://www.keycloak.org/docs-api/latest/rest-api/index.html#_users:~:text=PUT%20/admin/realms/%7Brealm%7D/users/profile

And that the body is incorrect, because the UPConfig attributes should be directly set at root level, there is no intermediate "UPConfig" element. But that should not lead to the 405 error.

Maybe you can try whether the corresponding GET endpoint works?

ch4mpy · 2024-11-16T00:14:20Z

ch4mpy
Nov 16, 2024

Hi there,

When generating some code from the OpenAPI spec, I get the following:

[ERROR]
org.openapitools.codegen.SpecValidationException: There were issues with the specification. The option can be disabled via validateSpec (Maven/Gradle) or --skip-validate-spec (CLI).
 | Error count: 2, Warning count: 9
Errors: 
        -attribute components.schemas.ClientPolicyConditionRepresentation.items is missing
        -attribute components.schemas.ClientPolicyExecutorRepresentation.items is missing
Warnings: 
        -attribute components.schemas.ClientPolicyConditionRepresentation.items is missing
        -attribute components.schemas.ClientPolicyExecutorRepresentation.items is missing

The same errors are displayed in OpenAPI specifications validation tools like https://editor.swagger.io/

I can work around that by disabling the spec validation when generating the client code, and as the two Representations above are not used on the endpoints I call, I have no error at runtime.

So I have two questions:

is it planned to publish a valid OpenAPI spec? I mean one with the two attributes above.
in a future major version, is it planned to remove the need for a body on the few DELETE endpoints currently requiring one? This is an error reported by validation tools, based on the following spec statement: "A client SHOULD NOT generate content in a DELETE request". The URI of the resource to delete should be enough.

0 replies

ArieGato · 2025-03-13T19:38:24Z

ArieGato
Mar 13, 2025

Hi,

Would it be possible to add operationId field to all operations? This can dramatically improve the quality of the generated code by tools like nswag.

Cheers

2 replies

klahap Apr 22, 2025

Hi,

I've added the operationId field to all operations — that should definitely help with tools like NSwag or OpenApi Generator. You can check out the changes here: #39011.

Cheers,
Klaus

ArieGato Apr 22, 2025

That's really great! Thnx!

ArieGato · 2025-03-13T21:07:15Z

ArieGato
Mar 13, 2025

And where can I mention any issues I encounter using the openapi document? For instance adding a user returns a 201 status, but the openapi document describes 200.

0 replies

tcelestino · 2025-07-16T12:52:26Z

tcelestino
Jul 16, 2025

I didn't catch the info about headers in OpenAPI documents. Is there possibility to add the header's info in the .yml and . json files?

0 replies

Odraio · 2025-10-31T12:35:59Z

Odraio
Oct 31, 2025

Is it possible to define optional parameters in the OpenAPI specification? Currently, when generating a C# client, many parameters are required by default, which can be cumbersome when only a subset is needed. For example, retrieving user information by username and realm often requires setting numerous other parameters to null.

            var userInfo = await keycloakClient.UsersAll3Async(
                briefRepresentation: null,
                email: null,
                emailVerified: null,
                enabled: null,
                exact: null,
                first: null,
                firstName: null,
                idpAlias: null,
                idpUserId: null,
                lastName: null,
                max: null,
                q: null,
                search: null,
                realm: "myrealm",
               username: "username"
            );

In addition, are the OpenAPI definitions available at https://www.keycloak.org/docs-api/latest/rest-api/index.html still in Preview status? When is an official version of these definitions expected to be released?

1 reply

DAHAG-ArisNourbakhsh Nov 3, 2025

You got it backwards. Parameters are by default optional unless marked required which for the endpoint you are showing only realm is required. Whatever tooling you are using to generate the client is not spec compliant or you are misreading the C# method signature.

We are currently using Kiota and it manages to generate that endpoint so that only realm is required. Also I'm not completely firm on my memory but before, when we used the official openapi generator, it also properly generated the calls without requiring all these optional parameters.

Improve Keycloak Admin REST API documentation #8898

Uh oh!

tnorimat Nov 24, 2021 Collaborator

Replies: 9 comments · 5 replies

Uh oh!

abstractj Dec 22, 2021 Maintainer

Uh oh!

tnorimat Dec 23, 2021 Collaborator Author

Uh oh!

Uh oh!

abstractj Dec 23, 2021 Maintainer

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

tnorimat
Nov 24, 2021
Collaborator

Replies: 9 comments 5 replies

abstractj
Dec 22, 2021
Maintainer

tnorimat
Dec 23, 2021
Collaborator Author

abstractj
Dec 23, 2021
Maintainer