Keycloak: Send AdminEvent from custom Endpoint (SPI)

Question

I have a Keycloak extension (Custom Endpoints, SPI). Now I want to add sending of AdminEvents , which I implemented as follows:

    private void logAdminEvent(ClientConnection clientConnection, UserRepresentation rep, OperationType operation, ResourceType resource) {
    RealmModel realm = session.getContext().getRealm();
    // beware: clientConnection must not be null because of missing check for NullPointer in Keycloak
    ClientModel client = realm.getClientByClientId(ROLE_ATTRIBUTE_CLIENT);
    AdminAuth adminAuth = new AdminAuth(realm, authResult.getToken(), authResult.getUser(), client);
    AdminEventBuilder adminEvent = new AdminEventBuilder(realm, adminAuth, session, clientConnection);
    adminEvent
            .operation(operation)
            .resource(resource)
            .authIpAddress(authResult.getSession().getIpAddress())
            .authClient(client)
            .resourcePath(session.getContext().getUri())
            .representation(rep);

    adminEvent
            .success();
}

I am aware that the admin event logging must be activated in Keycloak admin console, which I did.

Maybe it is relevant that the logged in user has no administration privileges, but it also did not work when I gave admin privileges.

I need Ideas or Hints to what I am doing wrong here . Documentation and web research unfortunately did not help.

Answer 1

Take a look at Keycloak sources , especially something like RootAdminResource . As far as i remember all admin resources (eg controllers ) create events via builder that cloned from builder that was injected via constructor by parent resource. You may be missing some initialization tricks.

Answer 2

Ok, we found that. First, for update / delete , we had to add the realm to the adminEvent . Second, for create, we had the event logging after the

session.getTransactionManager().commit();

took place. Setting commit after the adminEvent.success() fixed the Issue.

Maybe this can help anyone.