Technical Troubleshooting Case: Java App Fails with HTTP 401 (Unauthorized) on Keycloak Admin Client Initialization

📌 Problem Summary

A Java Spring Boot application (mdfinfra-ms) fails to start due to a 401 Unauthorized error when initializing a Keycloak admin client. This causes the entire dependency graph of services (ApprovalController, ProjectServiceImpl, etc.) to break during Spring context initialization, ultimately resulting in a fatal UnsatisfiedDependencyException.

📋 Context

• Keycloak Version: 26.2.4 (Quarkus-based)
• Spring Boot App: 3.4.5
• Java Version: 21.0.6
• Keycloak running at: http://localhost:8134
• Java app running at: http://localhost:8080
• Keycloak Client ID: mdf-test-local-java-admin-client
• Realm: test
• Grant Type: client_credentials

🔍 Symptom

HTTP 401 Unauthorized
Keycloak responded with: "invalid_client"
Reason: "Client not enabled to retrieve service account"

🧾 Key Evidence

🔹 Application Logs

KeycloakAdminConfig - Initializing Keycloak admin client for realm 'test', client 'mdf-test-local-java-admin-client' at '<http://localhost:8134>'.
KeycloakErrorHandler - Unauthorized (401): token missing or expired
SpringApplication - Application run failed: UnsatisfiedDependencyException → caused by HTTP 401 during bean creation of keycloakAdminInstance