Environment
Keycloak Version: 26.3.0
Deployment: Kubernetes (multiple pods)
Database: Oracle
Issue: Persistent 401 errors after database manipulation
Problem Description
After directly deleting user credentials and sessions from the database, all users are experiencing 401 "Unauthorized" errors when attempting to log in, even after passwords have been reset.
Error shown to users:
{"code":"401","message":"Unauthorized - Contact Administrator with this error"}
What We Did
We executed the following SQL operations directly on the Keycloak database for specific users:
-- Delete user passwords
DELETE FROM CREDENTIAL
WHERE TYPE = 'password'
  AND USER_ID IN (
    SELECT ID FROM USER_ENTITY
    WHERE USERNAME IN (<ALL_USERNAMES>)
  );

-- Delete offline client sessions
DELETE FROM OFFLINE_CLIENT_SESSION
WHERE USER_SESSION_ID IN (
  SELECT USER_SESSION_ID FROM OFFLINE_USER_SESSION
  WHERE USER_ID IN (
    SELECT ID FROM USER_ENTITY
    WHERE USERNAME IN (<ALL_USERNAMES>)
  )
);

-- Delete offline user sessions
DELETE FROM OFFLINE_USER_SESSION
WHERE USER_ID IN (
  SELECT ID FROM USER_ENTITY
  WHERE USERNAME IN (<ALL_USERNAMES>)
);
Current Behavior
Users attempt to log in with new passwords
During the OAuth callback, users receive a 401 error even after resetting the password
Workaround: Users must clear browser cache/cookies to log in successfully
After clearing cache, login works fine
What We’ve Tried
1- Password reset via Admin Console - Users have valid passwords now
2- Scaled all Kubernetes pods to 0, then back up - Cache should be cleared
But the 401 issue still exists! Any guidance would be greatly appreciated!