keycloak/keycloak

Not getting detailed error_description in response body when creating a user with /admin/realms/{realm}/partialImport endpoint having an invalid password.

Open

Opened on 27 Apr 2026

(1 comment) (1 reaction) (2 assignees) Java (34,398 stars) (8346 forks) batch import
area/authentication, area/import-export, help wanted, kind/bug, priority/normal, status/auto-bump, status/auto-expire, team/core-authn, team/core-shared

Description

Before reporting an issue

  • I have read and understood the above terms for submitting issues, and I understand that my issue may be closed without action if I do not follow them.

Area

import-export

Describe the bug

We are using /admin/realms/{realm}/partialImport endpoint to create users. If a user has an invalid password, based on the password policy, the endpoint returns 500 Internal Server error with body:

{
    "error": "unknown_error",
    "error_description": "For more on this error consult the server log."
}

We are currently using keycloak version 26.4.0. Previously we were on version 26.2.4 and the response body for the aforementioned case was:

{
    "error": "unknown_error",
    "error_description": "invalidPasswordMinLengthMessage"
}

The "error_description" had a specific password error. In both versions, in logs, the exception is raised. But there is a difference in response body, due to a difference in error handler:

https://github.com/keycloak/keycloak/blob/26.2.4/services/src/main/java/org/keycloak/services/error/KeycloakErrorHandler.java#L94
https://github.com/keycloak/keycloak/blob/26.4.2/services/src/main/java/org/keycloak/services/error/KeycloakErrorHandler.java#L94

2026-04-27T09:55:50.558898402Z 2026-04-27 09:55:50,558 ERROR [org.keycloak.services] (executor-thread-69) KC-SERVICES0037: Error creating testuser1: org.keycloak.policy.PasswordPolicyNotMetException: invalidPasswordMaxLengthMessage
                               	at org.keycloak.models.utils.RepresentationToModel.createCredentials(RepresentationToModel.java:792)
                               	at org.keycloak.storage.datastore.DefaultExportImportManager.createUser(DefaultExportImportManager.java:996)
                               	at org.keycloak.models.utils.RepresentationToModel.createUser(RepresentationToModel.java:754)
                               	at org.keycloak.partialimport.UsersPartialImport.create(UsersPartialImport.java:116)
                               	at org.keycloak.partialimport.UsersPartialImport.create(UsersPartialImport.java:38)
                               	at org.keycloak.partialimport.AbstractPartialImport.doImport(AbstractPartialImport.java:119)
                               	at org.keycloak.partialimport.PartialImportManager.saveResources(PartialImportManager.java:63)
                               	at org.keycloak.services.managers.RealmManagerProviderFactory.lambda$postInit$0(RealmManagerProviderFactory.java:59)
                               	at org.keycloak.services.DefaultKeycloakSessionFactory.publish(DefaultKeycloakSessionFactory.java:87)
                               	at org.keycloak.storage.PartialImportRealmFromRepresentationEvent.fire(PartialImportRealmFromRepresentationEvent.java:53)
                               	at org.keycloak.storage.datastore.DefaultExportImportManager.partialImportRealm(DefaultExportImportManager.java:523)
                               	at org.keycloak.services.resources.admin.RealmAdminResource.getPartialImportResults(RealmAdminResource.java:1320)
                               	at org.keycloak.services.resources.admin.RealmAdminResource.lambda$partialImport$4(RealmAdminResource.java:1310)
                               	at org.keycloak.models.utils.KeycloakModelUtils.runJobInTransactionWithResult(KeycloakModelUtils.java:461)
                               	at org.keycloak.services.resources.admin.RealmAdminResource.partialImport(RealmAdminResource.java:1306)
                               	at org.keycloak.services.resources.admin.RealmAdminResource$quarkusrestinvoker$partialImport_306ec9c64c3f4046458d9b2d9df956a7c1e1f7a9.invoke(Unknown Source)
                               	at org.jboss.resteasy.reactive.server.handlers.InvocationHandler.handle(InvocationHandler.java:29)
                               	at io.quarkus.resteasy.reactive.server.runtime.QuarkusResteasyReactiveRequestContext.invokeHandler(QuarkusResteasyReactiveRequestContext.java:183)
                               	at org.jboss.resteasy.reactive.common.core.AbstractResteasyReactiveContext.run(AbstractResteasyReactiveContext.java:147)
                               	at io.quarkus.vertx.core.runtime.VertxCoreRecorder$15.runWith(VertxCoreRecorder.java:645)
                               	at org.jboss.threads.EnhancedQueueExecutor$Task.doRunWith(EnhancedQueueExecutor.java:2651)
                               	at org.jboss.threads.EnhancedQueueExecutor$Task.run(EnhancedQueueExecutor.java:2630)
                               	at org.jboss.threads.EnhancedQueueExecutor.runThreadBody(EnhancedQueueExecutor.java:1622)
                               	at org.jboss.threads.EnhancedQueueExecutor$ThreadBody.run(EnhancedQueueExecutor.java:1589)
                               	at org.jboss.threads.DelegatingRunnable.run(DelegatingRunnable.java:11)
                               	at org.jboss.threads.ThreadLocalResettingRunnable.run(ThreadLocalResettingRunnable.java:11)
                               	at io.netty.util.concurrent.FastThreadLocalRunnable.run(FastThreadLocalRunnable.java:30)
                               	at java.base/java.lang.Thread.run(Thread.java:1583)
                               Caused by: org.keycloak.models.ModelException: invalidPasswordMaxLengthMessage
                               	at org.keycloak.credential.PasswordCredentialProvider.createCredential(PasswordCredentialProvider.java:90)
                               	at org.keycloak.credential.PasswordCredentialProvider.updateCredential(PasswordCredentialProvider.java:189)
                               	at org.keycloak.credential.UserCredentialManager.lambda$updateCredential$2(UserCredentialManager.java:98)
                               	at java.base/java.util.stream.MatchOps$1MatchSink.accept(MatchOps.java:90)
                               	at java.base/java.util.stream.ReferencePipeline$2$1.accept(ReferencePipeline.java:179)
                               	at java.base/java.util.stream.ReferencePipeline$3$1.accept(ReferencePipeline.java:197)
                               	at java.base/java.util.stream.ReferencePipeline$2$1.accept(ReferencePipeline.java:179)
                               	at java.base/java.util.HashMap$ValueSpliterator.tryAdvance(HashMap.java:1808)
                               	at java.base/java.util.stream.ReferencePipeline.forEachWithCancel(ReferencePipeline.java:129)
                               	at java.base/java.util.stream.AbstractPipeline.copyIntoWithCancel(AbstractPipeline.java:527)
                               	at java.base/java.util.stream.AbstractPipeline.copyInto(AbstractPipeline.java:513)
                               	at java.base/java.util.stream.AbstractPipeline.wrapAndCopyInto(AbstractPipeline.java:499)
                               	at java.base/java.util.stream.MatchOps$MatchOp.evaluateSequential(MatchOps.java:230)
                               	at java.base/java.util.stream.MatchOps$MatchOp.evaluateSequential(MatchOps.java:196)
                               	at java.base/java.util.stream.AbstractPipeline.evaluate(AbstractPipeline.java:234)
                               	at java.base/java.util.stream.ReferencePipeline.anyMatch(ReferencePipeline.java:632)
                               	at org.keycloak.credential.UserCredentialManager.updateCredential(UserCredentialManager.java:98)
                               	at org.keycloak.models.utils.RepresentationToModel.createCredentials(RepresentationToModel.java:790)
                               	... 27 more
                               
                               2026-04-27 09:55:50,563 ERROR [org.keycloak.services.error.KeycloakErrorHandler] (executor-thread-69) Uncaught server error: org.keycloak.policy.PasswordPolicyNotMetException: invalidPasswordMaxLengthMessage
                               	at org.keycloak.models.utils.RepresentationToModel.createCredentials(RepresentationToModel.java:792)
                               	at org.keycloak.storage.datastore.DefaultExportImportManager.createUser(DefaultExportImportManager.java:996)
                               	at org.keycloak.models.utils.RepresentationToModel.createUser(RepresentationToModel.java:754)
                               	at org.keycloak.partialimport.UsersPartialImport.create(UsersPartialImport.java:116)
                               	at org.keycloak.partialimport.UsersPartialImport.create(UsersPartialImport.java:38)
                               	at org.keycloak.partialimport.AbstractPartialImport.doImport(AbstractPartialImport.java:119)
                               	at org.keycloak.partialimport.PartialImportManager.saveResources(PartialImportManager.java:63)
                               	at org.keycloak.services.managers.RealmManagerProviderFactory.lambda$postInit$0(RealmManagerProviderFactory.java:59)
                               	at org.keycloak.services.DefaultKeycloakSessionFactory.publish(DefaultKeycloakSessionFactory.java:87)
                               	at org.keycloak.storage.PartialImportRealmFromRepresentationEvent.fire(PartialImportRealmFromRepresentationEvent.java:53)
                               	at org.keycloak.storage.datastore.DefaultExportImportManager.partialImportRealm(DefaultExportImportManager.java:523)
                               	at org.keycloak.services.resources.admin.RealmAdminResource.getPartialImportResults(RealmAdminResource.java:1320)
                               	at org.keycloak.services.resources.admin.RealmAdminResource.lambda$partialImport$4(RealmAdminResource.java:1310)
                               	at org.keycloak.models.utils.KeycloakModelUtils.runJobInTransactionWithResult(KeycloakModelUtils.java:461)
                               	at org.keycloak.services.resources.admin.RealmAdminResource.partialImport(RealmAdminResource.java:1306)
                               	at org.keycloak.services.resources.admin.RealmAdminResource$quarkusrestinvoker$partialImport_306ec9c64c3f4046458d9b2d9df956a7c1e1f7a9.invoke(Unknown Source)
                               	at org.jboss.resteasy.reactive.server.handlers.InvocationHandler.handle(InvocationHandler.java:29)
                               	at io.quarkus.resteasy.reactive.server.runtime.QuarkusResteasyReactiveRequestContext.invokeHandler(QuarkusResteasyReactiveRequestContext.java:183)
                               	at org.jboss.resteasy.reactive.common.core.AbstractResteasyReactiveContext.run(AbstractResteasyReactiveContext.java:147)
                               	at io.quarkus.vertx.core.runtime.VertxCoreRecorder$15.runWith(VertxCoreRecorder.java:645)
                               	at org.jboss.threads.EnhancedQueueExecutor$Task.doRunWith(EnhancedQueueExecutor.java:2651)
                               	at org.jboss.threads.EnhancedQueueExecutor$Task.run(EnhancedQueueExecutor.java:2630)
                               	at org.jboss.threads.EnhancedQueueExecutor.runThreadBody(EnhancedQueueExecutor.java:1622)
                               	at org.jboss.threads.EnhancedQueueExecutor$ThreadBody.run(EnhancedQueueExecutor.java:1589)
                               	at org.jboss.threads.DelegatingRunnable.run(DelegatingRunnable.java:11)
                               	at org.jboss.threads.ThreadLocalResettingRunnable.run(ThreadLocalResettingRunnable.java:11)
                               	at io.netty.util.concurrent.FastThreadLocalRunnable.run(FastThreadLocalRunnable.java:30)
                               	at java.base/java.lang.Thread.run(Thread.java:1583)
                               Caused by: org.keycloak.models.ModelException: invalidPasswordMaxLengthMessage
                               	at org.keycloak.credential.PasswordCredentialProvider.createCredential(PasswordCredentialProvider.java:90)
                               	at org.keycloak.credential.PasswordCredentialProvider.updateCredential(PasswordCredentialProvider.java:189)
                               	at org.keycloak.credential.UserCredentialManager.lambda$updateCredential$2(UserCredentialManager.java:98)
                               	at java.base/java.util.stream.MatchOps$1MatchSink.accept(MatchOps.java:90)
                               	at java.base/java.util.stream.ReferencePipeline$2$1.accept(ReferencePipeline.java:179)
                               	at java.base/java.util.stream.ReferencePipeline$3$1.accept(ReferencePipeline.java:197)
                               	at java.base/java.util.stream.ReferencePipeline$2$1.accept(ReferencePipeline.java:179)
                               	at java.base/java.util.HashMap$ValueSpliterator.tryAdvance(HashMap.java:1808)
                               	at java.base/java.util.stream.ReferencePipeline.forEachWithCancel(ReferencePipeline.java:129)
                               	at java.base/java.util.stream.AbstractPipeline.copyIntoWithCancel(AbstractPipeline.java:527)
                               	at java.base/java.util.stream.AbstractPipeline.copyInto(AbstractPipeline.java:513)
                               	at java.base/java.util.stream.AbstractPipeline.wrapAndCopyInto(AbstractPipeline.java:499)
                               	at java.base/java.util.stream.MatchOps$MatchOp.evaluateSequential(MatchOps.java:230)
                               	at java.base/java.util.stream.MatchOps$MatchOp.evaluateSequential(MatchOps.java:196)
                               	at java.base/java.util.stream.AbstractPipeline.evaluate(AbstractPipeline.java:234)
                               	at java.base/java.util.stream.ReferencePipeline.anyMatch(ReferencePipeline.java:632)
                               	at org.keycloak.credential.UserCredentialManager.updateCredential(UserCredentialManager.java:98)
                               	at org.keycloak.models.utils.RepresentationToModel.createCredentials(RepresentationToModel.java:790)
                               	... 27 more

Version

26.4.0

Regression

  • The issue is a regression

Expected behavior

The endpoint /admin/realms/{realm}/partialImport, when creating a user with an invalid password, returns 500 Internal Server error with response body with detailed error_description.

Actual behavior

The endpoint /admin/realms/{realm}/partialImport, when creating a user with an invalid password, returns 500 Internal Server error with response body with generic error_description.

How to Reproduce?

Test the endpoint /admin/realms/{realm}/partialImport, with a user having a password that does not conform to the password policy defined.

Anything else?

No response
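
An added example, not part of the original issue or of Keycloak's code: a client-side classifier that accepts both response shapes quoted above and, when the body carries only the generic description, recovers the failing user and policy key from the KC-SERVICES0037 log line. The function names and the `invalidPassword...Message` key pattern are assumptions generalized from the two keys shown in the issue.

```python
import json
import re

# Generic description returned by 26.4.0, copied from the issue.
GENERIC = "For more on this error consult the server log."
# Assumption: policy keys look like the two in the issue
# (invalidPasswordMinLengthMessage, invalidPasswordMaxLengthMessage).
POLICY_KEY = re.compile(r"invalidPassword\w+Message")
# Format of the KC-SERVICES0037 line in the issue's server log.
LOG_LINE = re.compile(
    r"KC-SERVICES0037: Error creating (?P<user>\S+): "
    r"org\.keycloak\.policy\.PasswordPolicyNotMetException: (?P<key>\w+)"
)
# Sample input: first line of the log in the issue, container timestamp trimmed.
SAMPLE_LOG = [
    "2026-04-27 09:55:50,558 ERROR [org.keycloak.services] (executor-thread-69) "
    "KC-SERVICES0037: Error creating testuser1: "
    "org.keycloak.policy.PasswordPolicyNotMetException: invalidPasswordMaxLengthMessage",
]


def policy_failures_from_log(lines):
    """Map username -> policy message key for each failed user creation."""
    found = (LOG_LINE.search(line) for line in lines)
    return {m.group("user"): m.group("key") for m in found if m}


def classify_partial_import_error(status, body, log_lines=()):
    """Return (kind, source, detail) for a failed partialImport response."""
    try:
        payload = json.loads(body)
    except (TypeError, ValueError):
        return ("unparseable", None, None)
    if status != 500 or not isinstance(payload, dict):
        return ("other", "response", None)
    description = payload.get("error_description")
    if isinstance(description, str) and POLICY_KEY.fullmatch(description):
        # 26.2.4 shape: the policy key is in the response body.
        return ("password_policy", "response", description)
    if description == GENERIC:
        # 26.4.0 shape: the body is generic, so fall back to the server log.
        failures = policy_failures_from_log(log_lines)
        if failures:
            return ("password_policy", "server_log", failures)
        return ("masked", None, None)
    return ("other", "response", description)
```

A result of `("masked", None, None)` means the response was generic and no matching log line was supplied, so the caller cannot tell a policy rejection from any other server error.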
