Bug
Resolution: Done
Major
Before reporting an issue
[x] I have read and understood the above terms for submitting issues, and I understand that my issue may be closed without action if I do not follow them.
Area
core
Describe the bug
Hi,
We have a regression after upgrading to Keycloak 26.3.0 (previous version was 26.2.5, same LDAP conf and no issue).
We have a user federation with LDAP configured.
After the authentication, when the user calls CODE_TO_TOKEN, we get an error 500 with this stack:
2025-07-08 08:18:42,855 logLevel=ERROR [org.keycloak.services.error.KeycloakErrorHandler] (executor-thread-82) Uncaught server error: org.keycloak.models.ModelException: At least one condition should be provided to OR query
    at org.keycloak.storage.ldap.idm.query.internal.LDAPQueryConditionsBuilder.orCondition(LDAPQueryConditionsBuilder.java:58)
    at org.keycloak.storage.ldap.mappers.membership.UserRolesRetrieveStrategy$GetRolesFromUserMemberOfAttribute.getLDAPRoleMappings(UserRolesRetrieveStrategy.java:109)
    at org.keycloak.storage.ldap.mappers.membership.group.GroupLDAPStorageMapper.getLDAPGroupMappings(GroupLDAPStorageMapper.java:634)
    at org.keycloak.storage.ldap.mappers.membership.group.GroupLDAPStorageMapper$LDAPGroupMappingsUserDelegate.getLDAPGroupMappingsConverted(GroupLDAPStorageMapper.java:778)
    at org.keycloak.storage.ldap.mappers.membership.group.GroupLDAPStorageMapper$LDAPGroupMappingsUserDelegate.getGroupsStream(GroupLDAPStorageMapper.java:711)
    at org.keycloak.models.utils.UserModelDelegate.getGroupsStream(UserModelDelegate.java:234)
    at org.keycloak.storage.ldap.mappers.membership.group.GroupLDAPStorageMapper$LDAPGroupMappingsUserDelegate.getGroupsStream(GroupLDAPStorageMapper.java:717)
    at org.keycloak.models.cache.infinispan.entities.CachedUser.lambda$new$3(CachedUser.java:75)
    at org.keycloak.models.cache.infinispan.DefaultLazyLoader.lambda$get$0(DefaultLazyLoader.java:52)
    at org.keycloak.authorization.fgap.AdminPermissionsSchema.runWithoutAuthorization(AdminPermissionsSchema.java:497)
    at org.keycloak.models.cache.infinispan.DefaultLazyLoader.get(DefaultLazyLoader.java:49)
    at org.keycloak.models.cache.infinispan.entities.CachedUser.getGroups(CachedUser.java:131)
    at org.keycloak.models.cache.infinispan.UserAdapter.getGroupsStream(UserAdapter.java:426)
    at org.keycloak.models.UserModel.getGroupsStream(UserModel.java:180)
    at org.keycloak.services.resources.admin.UserResource.groupMembership(UserResource.java:1115)
    at org.keycloak.services.resources.admin.UserResource$quarkusrestinvoker$groupMembership_7205dccea6655b8c59b771d74abc3c0bd11f433f.invoke(Unknown Source)
    at org.jboss.resteasy.reactive.server.handlers.InvocationHandler.handle(InvocationHandler.java:29)
    at io.quarkus.resteasy.reactive.server.runtime.QuarkusResteasyReactiveRequestContext.invokeHandler(QuarkusResteasyReactiveRequestContext.java:141)
    at org.jboss.resteasy.reactive.common.core.AbstractResteasyReactiveContext.run(AbstractResteasyReactiveContext.java:147)
    at io.quarkus.vertx.core.runtime.VertxCoreRecorder$15.runWith(VertxCoreRecorder.java:638)
    at org.jboss.threads.EnhancedQueueExecutor$Task.doRunWith(EnhancedQueueExecutor.java:2675)
    at org.jboss.threads.EnhancedQueueExecutor$Task.run(EnhancedQueueExecutor.java:2654)
    at org.jboss.threads.EnhancedQueueExecutor.runThreadBody(EnhancedQueueExecutor.java:1627)
    at org.jboss.threads.EnhancedQueueExecutor$ThreadBody.run(EnhancedQueueExecutor.java:1594)
    at org.jboss.threads.DelegatingRunnable.run(DelegatingRunnable.java:11)
    at org.jboss.threads.ThreadLocalResettingRunnable.run(ThreadLocalResettingRunnable.java:11)
    at io.netty.util.concurrent.FastThreadLocalRunnable.run(FastThreadLocalRunnable.java:30)
    at java.base/java.lang.Thread.run(Thread.java:1583)
Version
26.3.0
Regression
[x] The issue is a regression
Expected behavior
The CODE_TO_TOKEN endpoint should return a token as previously.
Actual behavior
After authentication, the CODE_TO_TOKEN call returns a 500 HTTP code with the following exception:
2025-07-08 08:18:42,855 logLevel=ERROR [org.keycloak.services.error.KeycloakErrorHandler] (executor-thread-82) Uncaught server error: org.keycloak.models.ModelException: At least one condition should be provided to OR query
    at org.keycloak.storage.ldap.idm.query.internal.LDAPQueryConditionsBuilder.orCondition(LDAPQueryConditionsBuilder.java:58)
    at org.keycloak.storage.ldap.mappers.membership.UserRolesRetrieveStrategy$GetRolesFromUserMemberOfAttribute.getLDAPRoleMappings(UserRolesRetrieveStrategy.java:109)
    at org.keycloak.storage.ldap.mappers.membership.group.GroupLDAPStorageMapper.getLDAPGroupMappings(GroupLDAPStorageMapper.java:634)
    at org.keycloak.storage.ldap.mappers.membership.group.GroupLDAPStorageMapper$LDAPGroupMappingsUserDelegate.getLDAPGroupMappingsConverted(GroupLDAPStorageMapper.java:778)
    at org.keycloak.storage.ldap.mappers.membership.group.GroupLDAPStorageMapper$LDAPGroupMappingsUserDelegate.getGroupsStream(GroupLDAPStorageMapper.java:711)
    at org.keycloak.models.utils.UserModelDelegate.getGroupsStream(UserModelDelegate.java:234)
    at org.keycloak.storage.ldap.mappers.membership.group.GroupLDAPStorageMapper$LDAPGroupMappingsUserDelegate.getGroupsStream(GroupLDAPStorageMapper.java:717)
    at org.keycloak.models.cache.infinispan.entities.CachedUser.lambda$new$3(CachedUser.java:75)
    at org.keycloak.models.cache.infinispan.DefaultLazyLoader.lambda$get$0(DefaultLazyLoader.java:52)
    at org.keycloak.authorization.fgap.AdminPermissionsSchema.runWithoutAuthorization(AdminPermissionsSchema.java:497)
    at org.keycloak.models.cache.infinispan.DefaultLazyLoader.get(DefaultLazyLoader.java:49)
    at org.keycloak.models.cache.infinispan.entities.CachedUser.getGroups(CachedUser.java:131)
    at org.keycloak.models.cache.infinispan.UserAdapter.getGroupsStream(UserAdapter.java:426)
    at org.keycloak.models.UserModel.getGroupsStream(UserModel.java:180)
    at org.keycloak.services.resources.admin.UserResource.groupMembership(UserResource.java:1115)
    at org.keycloak.services.resources.admin.UserResource$quarkusrestinvoker$groupMembership_7205dccea6655b8c59b771d74abc3c0bd11f433f.invoke(Unknown Source)
    at org.jboss.resteasy.reactive.server.handlers.InvocationHandler.handle(InvocationHandler.java:29)
    at io.quarkus.resteasy.reactive.server.runtime.QuarkusResteasyReactiveRequestContext.invokeHandler(QuarkusResteasyReactiveRequestContext.java:141)
    at org.jboss.resteasy.reactive.common.core.AbstractResteasyReactiveContext.run(AbstractResteasyReactiveContext.java:147)
    at io.quarkus.vertx.core.runtime.VertxCoreRecorder$15.runWith(VertxCoreRecorder.java:638)
    at org.jboss.threads.EnhancedQueueExecutor$Task.doRunWith(EnhancedQueueExecutor.java:2675)
    at org.jboss.threads.EnhancedQueueExecutor$Task.run(EnhancedQueueExecutor.java:2654)
    at org.jboss.threads.EnhancedQueueExecutor.runThreadBody(EnhancedQueueExecutor.java:1627)
    at org.jboss.threads.EnhancedQueueExecutor$ThreadBody.run(EnhancedQueueExecutor.java:1594)
    at org.jboss.threads.DelegatingRunnable.run(DelegatingRunnable.java:11)
    at org.jboss.threads.ThreadLocalResettingRunnable.run(ThreadLocalResettingRunnable.java:11)
    at io.netty.util.concurrent.FastThreadLocalRunnable.run(FastThreadLocalRunnable.java:30)
    at java.base/java.lang.Thread.run(Thread.java:1583)
How to Reproduce?
Configure an LDAP user federation with group mapping
Anything else?
No response