FGAP: user can no longer open account management page, broken by reset-password #43596

@fMeow

Description

Before reporting an issue

  • I have read and understood the above terms for submitting issues, and I understand that my issue may be closed without action if I do not follow them.

Area

No response

Describe the bug

A scoped manager can no longer open the user management page after upgrading to 26.4.1, with the following error:

2025-10-20 02:05:57,366 ERROR [org.keycloak.services.error.KeycloakErrorHandler] (executor-thread-1289) Uncaught server error: java.lang.RuntimeException: Scope with id or name [reset-password] does not exist
        at org.keycloak.models.utils.RepresentationToModel.updateScopes(RepresentationToModel.java:1352)
        at org.keycloak.models.utils.RepresentationToModel.toModel(RepresentationToModel.java:1301)
        at org.keycloak.authorization.admin.PolicyResourceService.update(PolicyResourceService.java:90)
        at org.keycloak.authorization.admin.PolicyResourceService$quarkusrestinvoker$update_ed7e12bc348e9cbb7352ac6108901a0eeb12c0ec.invoke(Unknown Source)
        at org.jboss.resteasy.reactive.server.handlers.InvocationHandler.handle(InvocationHandler.java:29)
        at io.quarkus.resteasy.reactive.server.runtime.QuarkusResteasyReactiveRequestContext.invokeHandler(QuarkusResteasyReactiveRequestContext.java:183)
        at org.jboss.resteasy.reactive.common.core.AbstractResteasyReactiveContext.run(AbstractResteasyReactiveContext.java:147)
        at io.quarkus.vertx.core.runtime.VertxCoreRecorder$15.runWith(VertxCoreRecorder.java:645)
        at org.jboss.threads.EnhancedQueueExecutor$Task.doRunWith(EnhancedQueueExecutor.java:2651)
        at org.jboss.threads.EnhancedQueueExecutor$Task.run(EnhancedQueueExecutor.java:2630)
        at org.jboss.threads.EnhancedQueueExecutor.runThreadBody(EnhancedQueueExecutor.java:1622)
        at org.jboss.threads.EnhancedQueueExecutor$ThreadBody.run(EnhancedQueueExecutor.java:1589)
        at org.jboss.threads.DelegatingRunnable.run(DelegatingRunnable.java:11)
        at org.jboss.threads.ThreadLocalResettingRunnable.run(ThreadLocalResettingRunnable.java:11)
        at io.netty.util.concurrent.FastThreadLocalRunnable.run(FastThreadLocalRunnable.java:30)
        at java.base/java.lang.Thread.run(Thread.java:1583)

I suspect there is some issue in the migration process that fails to create the reset-password scope in the database. I tried granting the reset-password permission, and the error log suggests Scope with id or name [reset-password] does not exist. Here is the detailed log:

2025-10-20 02:22:16,018 ERROR [org.keycloak.services.error.KeycloakErrorHandler] (executor-thread-1306) Uncaught server error: java.lang.RuntimeException: Scope with id or name [reset-password] does not exist
        at org.keycloak.models.utils.RepresentationToModel.updateScopes(RepresentationToModel.java:1352)
        at org.keycloak.models.utils.RepresentationToModel.toModel(RepresentationToModel.java:1301)
        at org.keycloak.authorization.admin.PolicyResourceService.update(PolicyResourceService.java:90)
        at org.keycloak.authorization.admin.PolicyResourceService$quarkusrestinvoker$update_ed7e12bc348e9cbb7352ac6108901a0eeb12c0ec.invoke(Unknown Source)
        at org.jboss.resteasy.reactive.server.handlers.InvocationHandler.handle(InvocationHandler.java:29)
        at io.quarkus.resteasy.reactive.server.runtime.QuarkusResteasyReactiveRequestContext.invokeHandler(QuarkusResteasyReactiveRequestContext.java:183)
        at org.jboss.resteasy.reactive.common.core.AbstractResteasyReactiveContext.run(AbstractResteasyReactiveContext.java:147)
        at io.quarkus.vertx.core.runtime.VertxCoreRecorder$15.runWith(VertxCoreRecorder.java:645)
        at org.jboss.threads.EnhancedQueueExecutor$Task.doRunWith(EnhancedQueueExecutor.java:2651)
        at org.jboss.threads.EnhancedQueueExecutor$Task.run(EnhancedQueueExecutor.java:2630)
        at org.jboss.threads.EnhancedQueueExecutor.runThreadBody(EnhancedQueueExecutor.java:1622)
        at org.jboss.threads.EnhancedQueueExecutor$ThreadBody.run(EnhancedQueueExecutor.java:1589)
        at org.jboss.threads.DelegatingRunnable.run(DelegatingRunnable.java:11)
        at org.jboss.threads.ThreadLocalResettingRunnable.run(ThreadLocalResettingRunnable.java:11)
        at io.netty.util.concurrent.FastThreadLocalRunnable.run(FastThreadLocalRunnable.java:30)
        at java.base/java.lang.Thread.run(Thread.java:1583)

Version

26.4.1

Regression

  • The issue is a regression

Expected behavior

Open management page for specific account:

Actual behavior

Cannot open the page. The log suggests Scope 'reset-password' is not defined for resource type 'Users'.

2025-10-20 02:26:08,335 ERROR [org.keycloak.services.error.KeycloakErrorHandler] (executor-thread-1311) Uncaught server error: org.keycloak.models.ModelIllegalStateException: Scope 'reset-password' is not defined for resource type 'Users'
        at org.keycloak.services.resources.admin.fgap.FineGrainedAdminPermissionEvaluator.lambda$hasPermission$1(FineGrainedAdminPermissionEvaluator.java:106)
        at java.base/java.util.Optional.orElseThrow(Optional.java:403)
        at org.keycloak.services.resources.admin.fgap.FineGrainedAdminPermissionEvaluator.hasPermission(FineGrainedAdminPermissionEvaluator.java:106)
        at org.keycloak.services.resources.admin.fgap.FineGrainedAdminPermissionEvaluator.hasPermission(FineGrainedAdminPermissionEvaluator.java:71)
        at org.keycloak.services.resources.admin.fgap.UserPermissionsV2.canResetPassword(UserPermissionsV2.java:157)
        at org.keycloak.services.resources.admin.fgap.UserPermissions.getAccess(UserPermissions.java:437)
        at org.keycloak.services.resources.admin.UserResource.getUser(UserResource.java:359)
        at org.keycloak.services.resources.admin.UserResource$quarkusrestinvoker$getUser_c905e0bb512ebf5abf25843bdcaec6b073f8e01e.invoke(Unknown Source)
        at org.jboss.resteasy.reactive.server.handlers.InvocationHandler.handle(InvocationHandler.java:29)
        at io.quarkus.resteasy.reactive.server.runtime.QuarkusResteasyReactiveRequestContext.invokeHandler(QuarkusResteasyReactiveRequestContext.java:183)
        at org.jboss.resteasy.reactive.common.core.AbstractResteasyReactiveContext.run(AbstractResteasyReactiveContext.java:147)
        at io.quarkus.vertx.core.runtime.VertxCoreRecorder$15.runWith(VertxCoreRecorder.java:645)
        at org.jboss.threads.EnhancedQueueExecutor$Task.doRunWith(EnhancedQueueExecutor.java:2651)
        at org.jboss.threads.EnhancedQueueExecutor$Task.run(EnhancedQueueExecutor.java:2630)
        at org.jboss.threads.EnhancedQueueExecutor.runThreadBody(EnhancedQueueExecutor.java:1622)
        at org.jboss.threads.EnhancedQueueExecutor$ThreadBody.run(EnhancedQueueExecutor.java:1589)
        at org.jboss.threads.DelegatingRunnable.run(DelegatingRunnable.java:11)
        at org.jboss.threads.ThreadLocalResettingRunnable.run(ThreadLocalResettingRunnable.java:11)
        at io.netty.util.concurrent.FastThreadLocalRunnable.run(FastThreadLocalRunnable.java:30)
        at java.base/java.lang.Thread.run(Thread.java:1583)

How to Reproduce?

Might be just upgrading from 26.3?

Anything else?

No response
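
A triage aid for the two error shapes quoted in this report, added here as an example and not taken from the reporter or the Keycloak project: it groups uncaught scope errors in a server log by scope and resource type and records the first Keycloak frame, so an operator can tell after an upgrade whether the failure comes from a policy update or from permission evaluation. The sample log is constructed with trimmed stack traces, and the function name `missing_scope_errors` is an assumption.

```python
import re
from collections import defaultdict

# Constructed sample shaped like the log lines quoted in this issue (frames trimmed).
SAMPLE_LOG = """\
2025-10-20 02:05:57,366 ERROR [org.keycloak.services.error.KeycloakErrorHandler] (executor-thread-1) Uncaught server error: java.lang.RuntimeException: Scope with id or name [reset-password] does not exist
        at org.keycloak.models.utils.RepresentationToModel.updateScopes(RepresentationToModel.java:1352)
        at org.keycloak.authorization.admin.PolicyResourceService.update(PolicyResourceService.java:90)
2025-10-20 02:26:08,335 ERROR [org.keycloak.services.error.KeycloakErrorHandler] (executor-thread-2) Uncaught server error: org.keycloak.models.ModelIllegalStateException: Scope 'reset-password' is not defined for resource type 'Users'
        at org.keycloak.services.resources.admin.fgap.FineGrainedAdminPermissionEvaluator.hasPermission(FineGrainedAdminPermissionEvaluator.java:106)
        at org.keycloak.services.resources.admin.fgap.UserPermissionsV2.canResetPassword(UserPermissionsV2.java:157)
2025-10-20 02:27:00,000 INFO  [org.keycloak.events] (executor-thread-3) unrelated line
"""

RECORD_START = re.compile(r"^\d{4}-\d{2}-\d{2} ")
HEADER = re.compile(r"^\S+ \S+ ERROR \[org\.keycloak\.services\.error\.KeycloakErrorHandler\]")
MISSING = re.compile(r"Scope with id or name \[([^\]]+)\] does not exist")
UNDEFINED = re.compile(r"Scope '([^']+)' is not defined for resource type '([^']+)'")
FRAME = re.compile(r"^\s+at (org\.keycloak\.[\w.$]+)\(")


def missing_scope_errors(log_text):
    """Group uncaught scope errors by (scope, resource_type).

    resource_type is None for the "does not exist" form, which does not name one.
    Each entry holds the occurrence count and the first org.keycloak frame seen.
    """
    findings = defaultdict(lambda: {"count": 0, "frames": set()})
    current = None       # key of the error whose stack trace is being read
    need_frame = False   # True until the first Keycloak frame is recorded
    for line in log_text.splitlines():
        if RECORD_START.match(line):
            current = None
            m = UNDEFINED.search(line) or MISSING.search(line)
            if HEADER.match(line) and m:
                rtype = m.group(2) if m.re is UNDEFINED else None
                current = (m.group(1), rtype)
                findings[current]["count"] += 1
                need_frame = True
            continue
        frame = FRAME.match(line)
        if current and need_frame and frame:
            findings[current]["frames"].add(frame.group(1))
            need_frame = False
    return dict(findings)


if __name__ == "__main__":
    for key, info in missing_scope_errors(SAMPLE_LOG).items():
        print(key, info["count"], sorted(info["frames"]))
```

Lines that a terminal or extractor has hard-wrapped mid-message must be rejoined before parsing, because the patterns match each log record on a single line.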
