Loading...

XML

Word

Printable

Type: Bug
Resolution: Done
Priority: Undefined
Fix Version/s: 26.2.4
Affects Version/s: None
Component/s: team/core-iam
Labels:

Blocked:
False
Blocked Reason:

Hide

None

Show
None
Ready:
False
Epic Link:
RHBK-2913
Intelligence Requested:
Market:

SFDC Cases Links:
SFDC Cases Open:
SFDC Cases Counter:

Before reporting an issue

[x] I have read and understood the above terms for submitting issues, and I understand that my issue may be closed without action if I do not follow them.

Area

admin/fine-grained-permissions

Describe the bug

Export is failing if the realm has FGAP enabled.

The reason is that the subject (the user executing the operation) is not available from the KeycloakContext, as expected when managing users through the Admin API using a bearer token. Therefore, the partial evaluation fails with the following error:

2025-04-04 20:11:16,528 ERROR [org.keycloak.quarkus.runtime.cli.ExecutionExceptionHandler] (main) Error details:: java.lang.IllegalStateException: Could not resolve subject

at org.keycloak.services.DefaultKeycloakContext.getUser(DefaultKeycloakContext.java:311)
at org.keycloak.authorization.PartialEvaluator.getPredicates(PartialEvaluator.java:59)
at org.keycloak.authorization.AdminPermissionsSchema.applyAuthorizationFilters(AdminPermissionsSchema.java:448)
at org.keycloak.authorization.AdminPermissionsSchema.applyAuthorizationFilters(AdminPermissionsSchema.java:444)
at org.keycloak.models.jpa.JpaRealmProvider.getTopLevelGroupsStream(JpaRealmProvider.java:771)
at org.keycloak.storage.GroupStorageManager.getTopLevelGroupsStream(GroupStorageManager.java:119)
at org.keycloak.models.cache.infinispan.RealmCacheSession.getTopLevelGroupsStream(RealmCacheSession.java:1095)
at org.keycloak.models.GroupProvider.getTopLevelGroupsStream(GroupProvider.java:142)
at org.keycloak.models.utils.ModelToRepresentation.toGroupHierarchy(ModelToRepresentation.java:179)
at org.keycloak.models.utils.ModelToRepresentation.exportGroups(ModelToRepresentation.java:596)
at org.keycloak.models.utils.ModelToRepresentation.toRepresentation(ModelToRepresentation.java:549)
at org.keycloak.exportimport.util.ExportUtils.exportRealm(ExportUtils.java:82)
at org.keycloak.exportimport.util.ExportUtils.exportRealm(ExportUtils.java:78)
at org.keycloak.exportimport.util.MultipleStepsExportProvider$1.runExportImportTask(MultipleStepsExportProvider.java:99)

During export, FGAP should not filter resources and just allow exporting.

Version

999.0.0-SNAPSHOT

Regression

[ ] The issue is a regression

Expected behavior

Export working if FGAP enabled to arealm

Actual behavior

Export failing if FGAP enabled to arealm

How to Reproduce?

Try to export a realm using the export command for a realm that has FGAP enabled.

Anything else?

No response

links to

Link to original GitHub issue

Assignee:: Unassigned

Reporter:: Pavel Vlha

Team:: Keycloak Core IAM

Votes:: 0 Vote for this issue

Watchers:: 1 Start watching this issue

Created:: 2025/05/13 1:14 PM

Updated:: 2025/05/13 4:03 PM

Resolved:: 2025/05/13 1:14 PM

Details

Description

Before reporting an issue

Area

Describe the bug

Version

Regression

Expected behavior

Actual behavior

How to Reproduce?

Anything else?

Attachments

Issue Links

Easy Agile Planning Poker

Activity

People

Dates