Details
- Type: Bug
- Resolution: Unresolved
- Priority: Major
Description
The RH-SSO 7.6 documentation states you can configure read_only_user_attributes by adding this configuration to your standalone(-*).xml files, in the configuration of the Red Hat Single Sign-On server subsystem:
~~~
<spi name="userProfile">
    <provider name="legacy-user-profile" enabled="true">
        <properties>
            <!-- the JSON list must be XML-escaped, otherwise the nested quotes make the attribute value malformed -->
            <property name="read-only-attributes" value="[&quot;foo&quot;,&quot;bar*&quot;]"/>
            <property name="admin-read-only-attributes" value="[&quot;foo&quot;]"/>
        </properties>
    </provider>
</spi>
~~~
The same can be configured with the usage of the JBoss CLI with the commands:
~~~
/subsystem=keycloak-server/spi=userProfile/:add
/subsystem=keycloak-server/spi=userProfile/provider=legacy-user-profile/:add(properties={},enabled=true)
/subsystem=keycloak-server/spi=userProfile/provider=legacy-user-profile/:map-put(name=properties,key=read-only-attributes,value=[foo,bar*])
/subsystem=keycloak-server/spi=userProfile/provider=legacy-user-profile/:map-put(name=properties,key=admin-read-only-attributes,value=[foo])
~~~
However, the only way to set the read-only attribute is to use the declarative-user-profile, which is still in Technology Preview.
1) Started RH-SSO with the declarative user profile enabled
~~~
./standalone.sh -Dkeycloak.profile.feature.declarative_user_profile=enabled
~~~
2) Ran the below commands via the JBoss CLI, modifying the user profile provider to use declarative-user-profile:
~~~
/subsystem=keycloak-server/spi=userProfile/:add
/subsystem=keycloak-server/spi=userProfile/provider=declarative-user-profile/:add(properties={},enabled=true)
/subsystem=keycloak-server/spi=userProfile/provider=declarative-user-profile/:map-put(name=properties,key=read-only-attributes,value=[email])
~~~
3) Logged into the account client, and when I tried to change the email I got the following error:
~~~
Console error: Update of read-only attribute rejected
~~~
~~~
Log error: 19:20:52,275 WARN [org.keycloak.userprofile.validator.ReadOnlyAttributeUnchangedValidator] (default task-1) Attempt to edit denied attribute '(?i:^\Qemail\E$)' of user 'user1'
~~~
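To make the rejection in step 3 concrete, here is an added example (not Keycloak's or RH-SSO's code, and not from this report) that models how a read-only attribute list like `["email","bar*"]` is turned into anchored, case-insensitive patterns and how a validator then refuses an edit to a matching attribute. The pattern shape follows the log line above, with Python's `re.escape` standing in for Java's `Pattern.quote` (`\Q...\E`), a trailing `*` is assumed to be a prefix wildcard, and `read-only-attributes` is assumed to apply to every editor while `admin-read-only-attributes` adds restrictions for admin edits only; the sample attribute values are constructed.

```python
import re
from typing import Dict, Iterable, List

# Constructed sample configuration; the values mirror the report's
# read-only-attributes / admin-read-only-attributes properties.
READ_ONLY_ATTRIBUTES = ["email", "bar*"]   # assumed: enforced for every editor
ADMIN_READ_ONLY_ATTRIBUTES = ["foo"]       # assumed: enforced only for admin edits


def compile_pattern(spec: str) -> re.Pattern:
    """Translate one attribute spec into an anchored, case-insensitive regex.

    A trailing '*' is treated as a prefix wildcard; everything else is matched
    literally. This mirrors the shape of the pattern in the report's log line,
    '(?i:^\\Qemail\\E$)', with re.escape standing in for Java's Pattern.quote.
    """
    if spec.endswith("*"):
        return re.compile(r"(?i:^" + re.escape(spec[:-1]) + r".*$)")
    return re.compile(r"(?i:^" + re.escape(spec) + r"$)")


def is_read_only(name: str, specs: Iterable[str]) -> bool:
    """True when the attribute name matches any read-only spec."""
    return any(compile_pattern(spec).fullmatch(name) for spec in specs)


def validate_update(current: Dict[str, str], proposed: Dict[str, str],
                    admin: bool = False) -> List[str]:
    """Reject changes (edit, add or removal) to attributes that are read-only
    in the given context; leaving a read-only attribute unchanged is fine."""
    specs = list(READ_ONLY_ATTRIBUTES)
    if admin:
        specs += ADMIN_READ_ONLY_ATTRIBUTES
    rejected = []
    for name in sorted(set(current) | set(proposed)):
        if current.get(name) != proposed.get(name) and is_read_only(name, specs):
            rejected.append(f"Update of read-only attribute rejected: {name}")
    return rejected


if __name__ == "__main__":
    # The scenario from the report: a user tries to change their own e-mail
    # while "email" is listed in read-only-attributes.
    print(validate_update({"email": "user1@example.test"},
                          {"email": "new@example.test"}))
```

The validator compares the stored and proposed attribute maps rather than inspecting the request alone, so submitting the current value of a read-only attribute unchanged passes while editing, adding or deleting it is refused; the same check applied with `admin=True` additionally blocks `foo`, which a regular user may still edit under this configuration.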