Loading...

XML

Word

Printable

Type: Bug
Resolution: Done
Priority: Undefined
Fix Version/s: 24.0.8
Affects Version/s: None
Component/s: None
Labels:

Blocked:
False
Blocked Reason:

Hide

None

Show
None
Ready:
False
Epic Link:
RHBK-1812
Intelligence Requested:
Market:

SFDC Cases Links:
SFDC Cases Counter:
SFDC Cases Open:

Before reporting an issue

[X] I have read and understood the above terms for submitting issues, and I understand that my issue may be closed without action if I do not follow them.

Area

import-export

Describe the bug

Importing an exported json realm configuration fails if it contains a custom acr_to_loa mapping and a client that references the acr value via default_acr_values.

Version

Keycloak 25.0.5

Regression

[X] The issue is a regression

Expected behavior

Import should work fine.

This issue is present in KC25 and KC24

Actual behavior

Import fails with an exception:

```
2024-09-11 12:33:48,828 ERROR [org.keycloak.services.error.KeycloakErrorHandler] (executor-thread-19) Uncaught server error: java.lang.RuntimeException: Invalid client client-silver: Default ACR values need to contain values specified in the ACR-To-Loa mapping or number levels from set realm browser flow
at org.keycloak.storage.datastore.DefaultExportImportManager.lambda$createClients$7(DefaultExportImportManager.java:541)
at org.keycloak.validation.ValidationUtil.validateClient(ValidationUtil.java:45)
at org.keycloak.validation.ValidationUtil.validateClient(ValidationUtil.java:28)
at org.keycloak.storage.datastore.DefaultExportImportManager.createClients(DefaultExportImportManager.java:540)
at org.keycloak.storage.datastore.DefaultExportImportManager.importRealm(DefaultExportImportManager.java:369)
at org.keycloak.models.utils.RepresentationToModel.importRealm(RepresentationToModel.java:139)
at org.keycloak.services.managers.RealmManager.importRealm(RealmManager.java:584)
at org.keycloak.services.managers.RealmManager.importRealm(RealmManager.java:513)
at org.keycloak.services.managers.RealmManagerProviderFactory.lambda$postInit$0(RealmManagerProviderFactory.java:54)
at org.keycloak.services.DefaultKeycloakSessionFactory.publish(DefaultKeycloakSessionFactory.java:91)
at org.keycloak.storage.ImportRealmFromRepresentationEvent.fire(ImportRealmFromRepresentationEvent.java:50)
at org.keycloak.storage.datastore.DefaultExportImportManager.importRealm(DefaultExportImportManager.java:172)
at org.keycloak.services.resources.admin.RealmsAdminResource.importRealm(RealmsAdminResource.java:147)
at org.keycloak.services.resources.admin.RealmsAdminResource$quarkusrestinvoker$importRealm_aa9defcbd5e1fb410aecd3ab57b280946687671e.invoke(Unknown Source)
at org.jboss.resteasy.reactive.server.handlers.InvocationHandler.handle(InvocationHandler.java:29)
at io.quarkus.resteasy.reactive.server.runtime.QuarkusResteasyReactiveRequestContext.invokeHandler(QuarkusResteasyReactiveRequestContext.java:141)
at org.jboss.resteasy.reactive.common.core.AbstractResteasyReactiveContext.run(AbstractResteasyReactiveContext.java:147)
at io.quarkus.vertx.core.runtime.VertxCoreRecorder$14.runWith(VertxCoreRecorder.java:635)
at org.jboss.threads.EnhancedQueueExecutor$Task.doRunWith(EnhancedQueueExecutor.java:2516)
at org.jboss.threads.EnhancedQueueExecutor$Task.run(EnhancedQueueExecutor.java:2495)
at org.jboss.threads.EnhancedQueueExecutor$ThreadBody.run(EnhancedQueueExecutor.java:1521)
at org.jboss.threads.DelegatingRunnable.run(DelegatingRunnable.java:11)
at org.jboss.threads.ThreadLocalResettingRunnable.run(ThreadLocalResettingRunnable.java:11)
at io.netty.util.concurrent.FastThreadLocalRunnable.run(FastThreadLocalRunnable.java:30)
at java.base/java.lang.Thread.run(Thread.java:840)

```

How to Reproduce?

1) Create a realm
2) Create a acr-to-loa mapping in the realm, e.g. silver: 1 and gold: 2
3) Create a client
4) In advanced client settings configure "Default ACR Values to silver"
5) Export the realm
6) Delete the realm
7) Try to reimport the realm json

Anything else?

The problem seems to be that the realm attributes are not yet set in org.keycloak.storage.datastore.DefaultExportImportManager#importRealm(org.keycloak.representations.idm.RealmRepresentation, org.keycloak.models.RealmModel, boolean)
when the client configuration is imported. However the acr.loa.map realm attribute is needed to validate the client configuration.

I propose to move the realm attribute import above the client import.
This solves the issue.

An example file that reproduces the error can be found here: https://gist.github.com/thomasdarimont/b0928cf6d6df07dc76d52413794a1414

links to

Link to original GitHub issue

Assignee:: Unassigned

Reporter:: Pavel Vlha

Team:: Keycloak Core (shared)

Votes:: 0 Vote for this issue

Watchers:: 1 Start watching this issue

Created:: 2024/09/18 1:20 PM

Updated:: 2024/10/01 11:02 AM

Resolved:: 2024/09/18 1:20 PM

Details

Description

Before reporting an issue

Area

Describe the bug

Version

Regression

Expected behavior

Actual behavior

How to Reproduce?

Anything else?

Attachments

Issue Links

Activity

People

Dates