Red Hat build of Keycloak: RHBK-2643

Selected Organization not present in access_token of different client within same Realm if user belongs to multiple organization [GHI#35830]


      Before reporting an issue

      [X] I have read and understood the above terms for submitting issues, and I understand that my issue may be closed without action if I do not follow them.

      Area

      organizations

      Describe the bug

      When a user belongs to multiple organizations within a realm, and the user logs in to client 1 and selects the organization they want to log in to, that selected organization comes in the access_token for client 1.
      But when I open the client 2 URL, it auto-logs in the user, but the client 2 access_token does not contain the selected organization.

      It works perfectly fine in case user belongs to only one organization.

      Version

      26.0.7

      Regression

      [ ] The issue is a regression

      Expected behavior

      The selected organization should be present in the access_token of any of the clients the user has access to, if they belong to multiple orgs.

      Screenshot 2024-12-11 at 10 38 55 PM: https://github.com/user-attachments/assets/d22aa5f0-50f5-4b8e-86d7-8e2bd505e626

      Actual behavior

      It's not returning the selected org in the access token of the other clients. It is only visible in the client in which I logged in initially.

      Screenshot 2024-12-11 at 10 45 51 PM: https://github.com/user-attachments/assets/2ecd060b-c081-4b9f-b168-64ddf04325f0

      How to Reproduce?

      Create the structure as below:

      Realm: VermaTechs
      Clients: app1, app2 (both are in Express.js, and I'm using the keycloak-connect library to protect the routes and to serve the build)
      Requesting the scope "organization" from both Node.js applications; the scope "organization" is marked as default in the realm as well as in both clients, and I have modified the mapper to include the attributes of the org in the token.

      Users:
      user1
      user2

      Organization:
      Company1 (with attributes)
      Company2 (with attributes)

      User1 belongs to both organizations, Company1 and Company2
      User2 belongs to only one organization, Company2

      Now, if I log in with user1 in client 1 (app1), it will ask me to select the organization; after selecting the org and entering the password, I see that the access token contains the selected org with its attributes.
      Now open client 2 (app2); it will auto-login, which is as expected, but here the access token does not contain the org which we selected during login to app1.

      User who belongs to Single Organization:

      Screenshot 2024-12-11 at 10 38 55 PM: https://github.com/user-attachments/assets/52e7b0a8-afc3-4088-ac38-c1b8bf10eb22

      User who belongs to multiple organizations:
      Screenshot 2024-12-11 at 10 45 51 PM: https://github.com/user-attachments/assets/1fb28ca7-5d83-45e2-809f-0649f5171ca5

      But this is working fine if I login with user2, which has access to only 1 organization.

      Anything else?

      This is the first time I'm raising a bug. Please correct me if I have made some mistakes.
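A quick way to confirm the behaviour described in the report is to decode the access tokens that app1 and app2 each received for the same session and diff their organization claims. The script below is an added example; it is not code from the issue, from the reporter's applications, or from Keycloak. It assumes the organization claim has the shape `"organization": { "<org-alias>": { ...attributes } }` (the layout the Keycloak organization mapper is expected to produce when attributes are included; treat this as an assumption and adjust `organizationsIn` if your mapper emits something else). The issuer URL, the aliases `company1`/`company2`, the attribute values and the tokens themselves are constructed sample data that mimic the reported outcome.

```javascript
// Added example, not part of the issue or of Keycloak.
// Diagnostic only: the payload is decoded, NOT verified. A resource server must
// verify the signature (keycloak-connect does this) before trusting any claim.

function b64urlDecode(s) {
  return Buffer.from(s, 'base64url').toString('utf8');
}

function b64urlEncode(obj) {
  return Buffer.from(JSON.stringify(obj)).toString('base64url');
}

// Split a compact JWS and return the decoded payload object.
function decodeJwtPayload(token) {
  const parts = token.split('.');
  if (parts.length !== 3) throw new Error('not a compact JWS (expected header.payload.signature)');
  return JSON.parse(b64urlDecode(parts[1]));
}

// Assumed claim layout: organization -> { alias: { attributes... } }.
// Returns the sorted list of organization aliases present in the payload.
function organizationsIn(payload) {
  const org = payload.organization;
  if (!org || typeof org !== 'object' || Array.isArray(org)) return [];
  return Object.keys(org).sort();
}

// Aliases present in app1's token but absent from app2's token for the same user.
// An empty array means both clients see the same organization selection.
function missingOrganizations(tokenApp1, tokenApp2) {
  const p1 = decodeJwtPayload(tokenApp1);
  const p2 = decodeJwtPayload(tokenApp2);
  if (p1.sub !== p2.sub) throw new Error('tokens belong to different subjects');
  const seenByApp2 = new Set(organizationsIn(p2));
  return organizationsIn(p1).filter(alias => !seenByApp2.has(alias));
}

// Constructed, unsigned sample tokens ("alg":"none", empty signature) that
// reproduce the symptom from the report: app1 carries the selected org, app2 does not.
function makeSampleToken(payload) {
  return `${b64urlEncode({ alg: 'none', typ: 'JWT' })}.${b64urlEncode(payload)}.`;
}

const ISSUER = 'https://sso.example.test/realms/VermaTechs'; // assumed issuer URL

const tokenApp1 = makeSampleToken({
  iss: ISSUER, sub: 'user1-subject-id', azp: 'app1', preferred_username: 'user1',
  organization: { company1: { region: ['eu'] } }, // org selected at login
});

const tokenApp2 = makeSampleToken({
  iss: ISSUER, sub: 'user1-subject-id', azp: 'app2', preferred_username: 'user1',
  // no organization claim: the auto-login on app2 dropped the selection
});

const missing = missingOrganizations(tokenApp1, tokenApp2);
if (missing.length > 0) {
  console.log(`app2 token is missing organization(s) selected in app1: ${missing.join(', ')}`);
} else {
  console.log('both clients carry the same organization selection');
}
```

To run this against real tokens, replace `tokenApp1` and `tokenApp2` with the access tokens your two keycloak-connect applications received (for example from `req.kauth.grant.access_token.token` inside a protected route) and keep the signature verification that keycloak-connect already performs; the decoder here is only for inspection.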

              Unassigned
              pvlha Pavel Vlha
              Keycloak Core IAM