Bug
Resolution: Done
Before reporting an issue
[x] I have read and understood the above terms for submitting issues, and I understand that my issue may be closed without action if I do not follow them.
Area
admin/api
Describe the bug
Some REST clients add whitespace characters at the end of the POST/PUT request payload. I'm not sure why, but this is normally not a problem as POST/PUT endpoints most of the time expect a JSON object or array, which can easily be deserialized by REST services regardless of trailing whitespace. However, Keycloak has a few endpoints, like the one mentioned here, that only expect a String as the body of a POST/PUT request, yet the endpoints are still declared to consume the application/json content type. This is a bit misleading for the REST clients.
The result is that if a REST client adds whitespace characters during serialization, for whatever reason, endpoints such as the one mentioned here would take these whitespace characters as part of the actual payload. In this case, when trying to add a user to an organization, Keycloak searches for the user using an ID that includes the whitespace characters around it, which causes the user not to be found and the endpoint to return an error.
More context: in our case, we are writing Mendix low-code applications, and if you want to use a JSON payload, you must configure a JSON structure with an actual object ({ ... }) or array ([ ... ]) as the root object for the payload. We do have the ability to not use a JSON structure and set a custom payload with just a String, but Mendix internally adds a trailing newline character for some reason when the payload is serialized to JSON. So if the payload is just a String, the trailing newline can be confusing as it's not clear to the REST service if it's intended to be part of the payload or not. This is not something that we will be able to resolve on the Mendix side.
But for an endpoint like this, the only correct payload is a user id without any surrounding whitespace characters, so I feel it would be reasonable to trim the input before proceeding.
Version
26.1.4
Regression
[ ] The issue is a regression
Expected behavior
The given user is added to the given organization, the endpoint returns 200 OK.
Actual behavior
The endpoint returns a BAD_REQUEST (400) with the message: "User does not exist".
How to Reproduce?
Call the POST /admin/realms/{realm}/organizations/{id}/members endpoint with a proper organization ID and a proper user ID in the body (with or without double quotes), but with an extra CRLF at the end. I cannot paste an example here, GitHub is replacing the CRLF with a space, but an easy way to reproduce it is to paste your user ID in Notepad++, hit Enter, hit CTRL + A, and copy/paste what you have as the payload, in Postman or some other tool.
Anything else?
I am opening this issue as a follow-up to https://github.com/keycloak/keycloak/issues/34401. More details about the overall issue can be found in that issue and the associated PR.
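The behaviour described in this report, next to one way a string-only endpoint could normalize its body, as an added Python example that is not Keycloak code and not part of the original issue. The user ID, the `KNOWN_USERS` store and all function names are constructed for illustration; the sketch strips only the whitespace JSON permits around a value and rejects, rather than repairs, whitespace inside the ID.

```python
import json

# Constructed sample data: one known user ID (not taken from the report).
KNOWN_USERS = {"0f8b1c2e-1111-4222-8333-444455556666": "alice"}

JSON_WS = " \t\r\n"  # the only whitespace JSON allows around a value


def normalize_user_id(body: bytes) -> str:
    """Extract a user ID from a string-only request body (hypothetical helper)."""
    text = body.decode("utf-8").strip(JSON_WS)
    if text.startswith('"'):
        # Quoted form: a JSON parser handles escapes and rejects trailing data.
        try:
            value = json.loads(text)
        except json.JSONDecodeError as exc:
            raise ValueError("body is not a valid JSON string") from exc
    else:
        value = text  # bare form, which the report says clients also send
    # Whitespace or control characters inside the ID are never valid:
    # reject them instead of silently trimming.
    if not value or any(ch.isspace() or ord(ch) < 0x20 for ch in value):
        raise ValueError("invalid user id")
    return value


def lookup_raw(body: bytes):
    """Model of the reported behaviour: the body is used as the ID verbatim."""
    return KNOWN_USERS.get(body.decode("utf-8"))


def lookup_normalized(body: bytes):
    """Lookup after normalizing the body; raises ValueError on a bad ID."""
    return KNOWN_USERS.get(normalize_user_id(body))


if __name__ == "__main__":
    uid = "0f8b1c2e-1111-4222-8333-444455556666"
    for body in (uid + "\r\n", '"' + uid + '"\r\n'):
        raw = body.encode("utf-8")
        print(repr(body), "raw:", lookup_raw(raw), "normalized:", lookup_normalized(raw))
```
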