Unable to delete realm using the API


Nick Wilburn

Aug 25, 2021, 6:46:51 PM
to Keycloak User

I am attempting to use the API to delete a realm. This should be possible according to the documentation.


curl --location --request DELETE -H 'Content-Type: application/x-www-form-urlencoded' -H "Authorization: Bearer ${token}" http://127.0.0.1:8080/auth/realms/test

returns with "{"error":"RESTEASY003650: No resource method found for DELETE, return 405 with Allow header"}" however.

Is this not possible? I can create the realm just fine, get the realm, but can't seem to delete it.

Garth

Aug 25, 2021, 6:57:37 PM
to Nick Wilburn, keyclo...@googlegroups.com
Your URL should be http://127.0.0.1:8080/auth/admin/realms/test

Nick Wilburn

Aug 25, 2021, 7:16:00 PM
to Keycloak User
Using that URL results in a 401 Unauthorized.

token=$(curl -s -d "client_id=admin-cli" -d "username=admin" -d "password=<password>" -d "grant_type=password" "http://localhost:8080/auth/realms/master/protocol/openid-connect/token" | jq -r '.access_token')
curl --location --request DELETE -H 'Content-Type: application/x-www-form-urlencoded' -H "Authorization: Bearer ${token}" http://127.0.0.1:8080/auth/admin/realms/test
{"error":"HTTP 401 Unauthorized"}

This same token is valid for things like getting realms, creating new realms, etc. Am I doing something wrong in the token creation?

Garth

Aug 25, 2021, 7:48:04 PM
to keyclo...@googlegroups.com
Huh. I ran it and I see the same thing. I can run it from the browser, with the inspector turned on, and it runs fine. Copying the same curl and using with a fresh token yields the 401. No idea why that's happening.

The source doesn't seem to indicate that anything special other than `manage-realm` role is required:
https://github.com/keycloak/keycloak/blob/master/services/src/main/java/org/keycloak/services/resources/admin/RealmAdminResource.java#L469

Ideas?

Nick Wilburn

Aug 25, 2021, 8:30:11 PM
to Keycloak User
Hmmm, so logging into my Keycloak instance I don't see a `manage-realm` role like I would expect to see from here: https://github.com/keycloak/keycloak/blob/cd342ad5714f15db1cc8b0cd55b788e6543c6dc8/server-spi-private/src/main/java/org/keycloak/models/AdminRoles.java. Not too familiar with this codebase though.

Garth

Aug 25, 2021, 8:32:26 PM
to Nick Wilburn, 'Thomas Darimont' via Keycloak User
They are special client roles for the built-in <realm_name>-realm client. If you're using the admin user, which has the "admin" realm role, you have it by default. That's not the problem.

Nick Wilburn

Aug 25, 2021, 8:48:54 PM
to Keycloak User
Ok I suppose this is user error.

I requested the token by curling http://localhost, but then tried to use that token against a resource at http://127.0.0.1.

When I change both these to localhost it appears to work. I can successfully delete a realm.
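
An added diagnostic sketch for the mismatch described above; it is not part of the original thread and not Keycloak's own code. It assumes a default setup with no fixed frontend URL, where Keycloak takes the token's `iss` claim from the host used in the token request and the admin API compares it to the host of the incoming call; the helper names and the sample token are constructed for illustration.

```python
import base64
import json
from urllib.parse import urlsplit


def jwt_claims(token: str) -> dict:
    """Decode the JWT payload WITHOUT verifying the signature (diagnosis only)."""
    payload = token.split(".")[1]
    payload += "=" * (-len(payload) % 4)  # restore stripped base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))


def origin(url: str) -> tuple:
    """Scheme, lower-cased host and effective port of a URL, for comparison."""
    parts = urlsplit(url)
    port = parts.port or {"http": 80, "https": 443}.get(parts.scheme)
    return (parts.scheme, (parts.hostname or "").lower(), port)


def issuer_mismatch(token: str, request_url: str):
    """Return None if the token's iss origin matches request_url, else a message."""
    iss = jwt_claims(token).get("iss", "")
    if origin(iss) == origin(request_url):
        return None
    return f"token issued by {iss!r} but request goes to {request_url!r}"


def make_sample_token(iss: str) -> str:
    """Constructed, unsigned token for the demo; a real one comes from the token endpoint."""
    def b64(obj):
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return f"{b64({'alg': 'none'})}.{b64({'iss': iss, 'azp': 'admin-cli'})}.sig"


if __name__ == "__main__":
    # Same situation as in the thread: token fetched via localhost, used against 127.0.0.1.
    token = make_sample_token("http://localhost:8080/auth/realms/master")
    for url in ("http://127.0.0.1:8080/auth/admin/realms/test",
                "http://localhost:8080/auth/admin/realms/test"):
        print(url, "->", issuer_mismatch(token, url) or "issuer matches")
```

Running the same comparison on a real access token before calling the admin API shows whether a 401 comes from a host mismatch rather than from missing roles.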

Garth

Aug 25, 2021, 9:26:51 PM
to keyclo...@googlegroups.com