  1. RH-SSO
  2. RHSSO-2955

read_only_user_attributes documentation not correct


Details

    • Bug
    • Resolution: Unresolved
    • Major
    • Documentation

    Description

      The RH-SSO 7.6 documentation states you can configure read_only_user_attributes by adding this configuration to your standalone(-*).xml files, in the configuration of the Red Hat Single Sign-On server subsystem:

      ~~~
      <spi name="userProfile">
          <provider name="legacy-user-profile" enabled="true">
              <properties>
                  <property name="read-only-attributes" value="[&quot;foo&quot;,&quot;bar*&quot;]"/>
                  <property name="admin-read-only-attributes" value="[&quot;foo&quot;]"/>
              </properties>
          </provider>
      </spi>
      ~~~

      The same can be configured with the usage of the JBoss CLI with the commands:

      ~~~
      /subsystem=keycloak-server/spi=userProfile/:add
      /subsystem=keycloak-server/spi=userProfile/provider=legacy-user-profile/:add(properties={},enabled=true)
      /subsystem=keycloak-server/spi=userProfile/provider=legacy-user-profile/:map-put(name=properties,key=read-only-attributes,value=[foo,bar*])
      /subsystem=keycloak-server/spi=userProfile/provider=legacy-user-profile/:map-put(name=properties,key=admin-read-only-attributes,value=[foo])
      ~~~

      However, the only way to set the read-only attribute is to use the declarative-user-profile, which is still in Technology Preview.

      1) Started RH-SSO with the declarative user profile enabled

      ~~~
      ./standalone.sh -Dkeycloak.profile.feature.declarative_user_profile=enabled
      ~~~

      2) Ran the commands below via the JBoss CLI, modifying the user profile provider to use declarative-user-profile:

      ~~~
      /subsystem=keycloak-server/spi=userProfile/:add
      /subsystem=keycloak-server/spi=userProfile/provider=declarative-user-profile/:add(properties={},enabled=true)
      /subsystem=keycloak-server/spi=userProfile/provider=declarative-user-profile/:map-put(name=properties,key=read-only-attributes,value=[email])
      ~~~

      3) Logged into the account client, and when I tried to change the email I got the following error:

      ~~~
      Console error: Update of read-only attribute rejected
      ~~~

      ~~~
      Log error: 19:20:52,275 WARN  [org.keycloak.userprofile.validator.ReadOnlyAttributeUnchangedValidator] (default task-1) Attempt to edit denied attribute '(?i:^\Qemail\E$)' of user 'user1'
      ~~~

      [1] https://access.redhat.com/documentation/en-us/red_hat_single_sign-on/7.6/html-single/server_administration_guide/index#read_only_user_attributes

          People

            Unassigned Unassigned
            rhn-support-oidehen Osarobo Idehen
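
The WARN line quoted in the description is also a usable audit signal once read-only attributes are enforced. The following is an added example, not part of the original issue or of RH-SSO: it extracts the user and the configured read-only attribute names from `ReadOnlyAttributeUnchangedValidator` log lines. The multi-attribute and trailing-`*` pattern forms, the extra sample lines and all function names are assumptions.

```python
import re
from collections import Counter

# Logger name and message wording come from the WARN line in the report;
# the rest of the line layout is treated as free-form.
DENIED = re.compile(
    r"(?P<time>\d{2}:\d{2}:\d{2},\d{3})\s+WARN\s+"
    r"\[org\.keycloak\.userprofile\.validator\.ReadOnlyAttributeUnchangedValidator\]"
    r".*?Attempt to edit denied attribute '(?P<pattern>.*)' of user '(?P<user>[^']*)'\s*$"
)
# One alternative inside the logged regex: ^\Qname\E$ as seen in the report.
# The ^\Qprefix\E.*$ form for a trailing "*" is an assumption.
ALTERNATIVE = re.compile(r"\^\\Q(?P<name>.*?)\\E(?P<wild>\.\*)?\$")

# First line is the one quoted in the report; the others are constructed.
SAMPLE_LOG = [
    r"19:20:52,275 WARN  [org.keycloak.userprofile.validator.ReadOnlyAttributeUnchangedValidator] (default task-1) Attempt to edit denied attribute '(?i:^\Qemail\E$)' of user 'user1'",
    r"19:20:58,901 INFO  [org.example.Constructed] (default task-1) unrelated line",
    r"19:21:03,118 WARN  [org.keycloak.userprofile.validator.ReadOnlyAttributeUnchangedValidator] (default task-2) Attempt to edit denied attribute '(?i:^\Qemail\E$)' of user 'user1'",
    r"19:24:40,007 WARN  [org.keycloak.userprofile.validator.ReadOnlyAttributeUnchangedValidator] (default task-3) Attempt to edit denied attribute '(?i:^\Qfoo\E$|^\Qbar\E.*$)' of user 'user2'",
]


def configured_names(pattern):
    """Turn the logged regex back into the configured attribute names."""
    return [m["name"] + ("*" if m["wild"] else "") for m in ALTERNATIVE.finditer(pattern)]


def denied_edits(lines):
    """Yield one record per rejected read-only attribute update."""
    for line in lines:
        m = DENIED.search(line)
        if m:
            yield {"time": m["time"], "user": m["user"],
                   "read_only": configured_names(m["pattern"])}


def repeated_attempts(lines, threshold=2):
    """Users with at least `threshold` rejected updates, for alerting."""
    counts = Counter(e["user"] for e in denied_edits(lines))
    return {user: n for user, n in counts.items() if n >= threshold}


if __name__ == "__main__":
    for event in denied_edits(SAMPLE_LOG):
        print(event)
    print(repeated_attempts(SAMPLE_LOG))
```
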