Red Hat build of Keycloak / RHBK-1939

Realm import fails when client configures default_acr values [GHI#32799]


      Before reporting an issue

      [X] I have read and understood the above terms for submitting issues, and I understand that my issue may be closed without action if I do not follow them.

      Area

      import-export

      Describe the bug

      Importing an exported JSON realm configuration fails if it contains a custom acr_to_loa mapping and a client that references the ACR value via default_acr_values.

      Version

      Keycloak 25.0.5

      Regression

      [X] The issue is a regression

      Expected behavior

      Import should work fine.

      This issue is present in KC25 and KC24

      Actual behavior

      Import fails with an exception:

      ```
      2024-09-11 12:33:48,828 ERROR [org.keycloak.services.error.KeycloakErrorHandler] (executor-thread-19) Uncaught server error: java.lang.RuntimeException: Invalid client client-silver: Default ACR values need to contain values specified in the ACR-To-Loa mapping or number levels from set realm browser flow
      at org.keycloak.storage.datastore.DefaultExportImportManager.lambda$createClients$7(DefaultExportImportManager.java:541)
      at org.keycloak.validation.ValidationUtil.validateClient(ValidationUtil.java:45)
      at org.keycloak.validation.ValidationUtil.validateClient(ValidationUtil.java:28)
      at org.keycloak.storage.datastore.DefaultExportImportManager.createClients(DefaultExportImportManager.java:540)
      at org.keycloak.storage.datastore.DefaultExportImportManager.importRealm(DefaultExportImportManager.java:369)
      at org.keycloak.models.utils.RepresentationToModel.importRealm(RepresentationToModel.java:139)
      at org.keycloak.services.managers.RealmManager.importRealm(RealmManager.java:584)
      at org.keycloak.services.managers.RealmManager.importRealm(RealmManager.java:513)
      at org.keycloak.services.managers.RealmManagerProviderFactory.lambda$postInit$0(RealmManagerProviderFactory.java:54)
      at org.keycloak.services.DefaultKeycloakSessionFactory.publish(DefaultKeycloakSessionFactory.java:91)
      at org.keycloak.storage.ImportRealmFromRepresentationEvent.fire(ImportRealmFromRepresentationEvent.java:50)
      at org.keycloak.storage.datastore.DefaultExportImportManager.importRealm(DefaultExportImportManager.java:172)
      at org.keycloak.services.resources.admin.RealmsAdminResource.importRealm(RealmsAdminResource.java:147)
      at org.keycloak.services.resources.admin.RealmsAdminResource$quarkusrestinvoker$importRealm_aa9defcbd5e1fb410aecd3ab57b280946687671e.invoke(Unknown Source)
      at org.jboss.resteasy.reactive.server.handlers.InvocationHandler.handle(InvocationHandler.java:29)
      at io.quarkus.resteasy.reactive.server.runtime.QuarkusResteasyReactiveRequestContext.invokeHandler(QuarkusResteasyReactiveRequestContext.java:141)
      at org.jboss.resteasy.reactive.common.core.AbstractResteasyReactiveContext.run(AbstractResteasyReactiveContext.java:147)
      at io.quarkus.vertx.core.runtime.VertxCoreRecorder$14.runWith(VertxCoreRecorder.java:635)
      at org.jboss.threads.EnhancedQueueExecutor$Task.doRunWith(EnhancedQueueExecutor.java:2516)
      at org.jboss.threads.EnhancedQueueExecutor$Task.run(EnhancedQueueExecutor.java:2495)
      at org.jboss.threads.EnhancedQueueExecutor$ThreadBody.run(EnhancedQueueExecutor.java:1521)
      at org.jboss.threads.DelegatingRunnable.run(DelegatingRunnable.java:11)
      at org.jboss.threads.ThreadLocalResettingRunnable.run(ThreadLocalResettingRunnable.java:11)
      at io.netty.util.concurrent.FastThreadLocalRunnable.run(FastThreadLocalRunnable.java:30)
      at java.base/java.lang.Thread.run(Thread.java:840)

      ```

      How to Reproduce?

      1) Create a realm
      2) Create an acr-to-loa mapping in the realm, e.g. silver: 1 and gold: 2
      3) Create a client
      4) In advanced client settings configure "Default ACR Values" to silver
      5) Export the realm
      6) Delete the realm
      7) Try to reimport the realm JSON

      Anything else?

      The problem seems to be that the realm attributes are not yet set in org.keycloak.storage.datastore.DefaultExportImportManager#importRealm(org.keycloak.representations.idm.RealmRepresentation, org.keycloak.models.RealmModel, boolean)
      when the client configuration is imported. However, the acr.loa.map realm attribute is needed to validate the client configuration.

      I propose to move the realm attribute import above the client import.
      This solves the issue.

      An example file that reproduces the error can be found here: https://gist.github.com/thomasdarimont/b0928cf6d6df07dc76d52413794a1414

            Unassigned Unassigned
            pvlha Pavel Vlha
            Keycloak Core (shared)
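The ordering problem described in the report, as a simplified Python model (an added example, not Keycloak's code and not the reporter's): the same realm file fails client validation when clients are created before the realm attributes are set, and passes when the order is swapped. The sample realm is constructed, the function names are hypothetical, and the attribute keys `acr.loa.map` (realm) and `default.acr.values` (client, `##`-delimited) are assumptions about the export layout.

```python
import json

# Constructed sample shaped like a realm export; the attribute keys
# "acr.loa.map" (realm) and "default.acr.values" (client, "##"-delimited)
# are assumptions about the export layout.
SAMPLE_REALM = {
    "realm": "demo",
    "attributes": {"acr.loa.map": json.dumps({"silver": "1", "gold": "2"})},
    "clients": [
        {"clientId": "client-silver",
         "attributes": {"default.acr.values": "silver"}},
        {"clientId": "client-plain", "attributes": {}},
    ],
}


def unresolved_acr(client, realm_attributes):
    """Return the client's default ACR names missing from the ACR-to-LoA map
    that is visible in realm_attributes at validation time."""
    loa_map = json.loads(realm_attributes.get("acr.loa.map", "{}"))
    raw = client.get("attributes", {}).get("default.acr.values", "")
    values = [v for v in raw.split("##") if v]
    # Numeric values are levels checked against the browser flow, not the map.
    return [v for v in values if not v.isdigit() and v not in loa_map]


def import_realm(rep, attributes_first):
    """Simplified model of the import: returns a list of validation errors.
    attributes_first=False mirrors the order described in the report."""
    live_attributes = {}  # what the realm model holds so far
    errors = []

    def set_attributes():
        live_attributes.update(rep.get("attributes", {}))

    def create_clients():
        for client in rep.get("clients", []):
            missing = unresolved_acr(client, live_attributes)
            if missing:
                errors.append((client["clientId"], missing))

    steps = [set_attributes, create_clients]
    if not attributes_first:
        steps.reverse()
    for step in steps:
        step()
    return errors
```

Running `unresolved_acr` over each client of an export, with the export's own `attributes`, also works as a pre-import check that every named default ACR value has a mapping in the file.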