Uploaded image for project: 'Red Hat build of Keycloak'
  1. Red Hat build of Keycloak
  2. RHBK-1669

[GHI#30240] Custom attributes are removed during UPDATE PROFILE event

XMLWordPrintable

    • False
    • Hide

      None

      Show
      None
    • False

      Before reporting an issue

      [X] I have read and understood the above terms for submitting issues, and I understand that my issue may be closed without action if I do not follow them.

      Area

      core

      Describe the bug

      We have a custom User Storage Provider SPI which syncs users from an external system. We're using a custom attribute to reference the user across both systems. After upgrading from Keycloak v22 to v24 we noticed a very small number of users were suddenly missing their essential attributes. After a lot of debugging I came across these events which were triggered for exactly those few users that are now missing their attributes:

      <img width="835" alt="Screenshot 2024-06-07 at 08 48 08" src="https://github.com/keycloak/keycloak/assets/59642/8384a284-e4dc-4901-9e50-99800bedc73d">

      After the Keycloak upgrade, the "Unmanaged Attributes" option in the realm was correctly set to "Enabled" to preserve the pre-v24 behaviour.

      I'm not sure what even causes the "UPDATE PROFILE" event in the first place because we're not promoting the Account Console to our users (there are only 15 UPDATE PROFILE events in the last few months, so fortunately it's rather rare).

      Nonetheless, custom attributes getting deleted on profile updates is quite serious. I suspect it has got something to do with the new User Profile feature that was enabled by default in Keycloak v24, but I think it's supposed to behave exactly like previous versions when doing an upgrade, isn't it?

      We have those custom attributes write-protected by listing them in the KC_SPI_USER_PROFILE_DECLARATIVE_USER_PROFILE_READ_ONLY_ATTRIBUTES and KC_SPI_USER_PROFILE_DECLARATIVE_USER_PROFILE_ADMIN_READ_ONLY_ATTRIBUTES environment variables and this seems to be the key: Every attribute listed here is getting removed when updating your profile.

      Any ideas would be greatly appreciated!

      Version

      24.0.3

      Regression

      [X] The issue is a regression

      Expected behavior

      Custom attributes should be preserved when profile is updated.

      Actual behavior

      Custom attributes are getting removed when profile is updated.

      How to Reproduce?

      1. Using the Keycloak UI, set the attribute MY_CUSTOM_ATTRIBUTE to some value.
      2. Protect this custom attribute by setting KC_SPI_USER_PROFILE_DECLARATIVE_USER_PROFILE_READ_ONLY_ATTRIBUTES=MY_CUSTOM_ATTRIBUTE and restart Keycloak.
      3. Go to the account console and update your profile.
      4. MY_CUSTOM_ATTRIBUTE will be gone.

      Anything else?

      No response

            Unassigned Unassigned
            pvlha Pavel Vlha
            Keycloak Core IAM
            Votes:
            0 Vote for this issue
            Watchers:
            1 Start watching this issue

              Created:
              Updated:
              Resolved: