The client policies are not applied on the imported clients. #984

Open
Oh-tech opened this issue Jan 30, 2024 · 0 comments · May be fixed by #985

Oh-tech commented Jan 30, 2024

Current Behavior

The support for client policies management introduced in version 5.7.0 has an issue: client policies are imported after the clients, and the clients are configured without the desired policies being applied.

Please consider the experimental feature of client secret rotation. The rotation is enabled/disabled according to the condition provided in the policy (e.g. for confidential clients). Then, during the realm configuration, we disable the already existing policies in `de.adorsys.keycloak.config.service.RealmImportService`:

    private void updateRealm(RealmImport realmImport) {
        logger.debug("Updating realm '{}'...", realmImport.getRealm());

        RealmRepresentation realm = CloneUtil.deepClone(realmImport, RealmRepresentation.class, ignoredPropertiesForRealmImport);

        // ...

        realmRepository.update(realm);

        // ...
    }

After that, we import the appropriate resources in the following order:

    private void configureRealm(RealmImport realmImport, RealmRepresentation existingRealm) {
        clientScopeImportService.doImport(realmImport);
        clientScopeImportService.updateDefaultClientScopes(realmImport, existingRealm);
        clientImportService.doImport(realmImport);
        // ...
        clientPoliciesImportService.doImport(realmImport);
        // ...
    }

Effectively, the `clientImportService.doImport(...)` step is done when no custom policies exist in the realm and, consequently, it disables the client secret rotation for the configured clients.

Expected Behavior

The client policies have to be imported before clients. Then the desired policies will have the expected effect on the configured clients.

Steps To Reproduce

1. Enable the secret rotation feature.
2. Configure the policy for the client secret rotation for the confidential clients as shown in the [tutorial](https://www.keycloak.org/docs/22.0.4/server_admin/index.html#_secret_rotation).
3. Add a confidential service account client.
4. Apply the realm configuration with the CLI tool.
5. Generate a new secret for the client (the old secret is still acceptable).
6. Change the description of the client in the configuration JSON.
7. Import the configuration once again.

The secret rotation is disabled after step #7 and the former secret is not accepted.

Environment

  • Keycloak Version: 22.0.5
  • keycloak-config-cli Version: 5.10.0
  • Java Version: 11

Anything else?

No response
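
A simplified model of the ordering problem reported above, added as an example; it is not code from Keycloak or keycloak-config-cli. The class, the policy name `rotate-confidential`, the secrets `s1`/`s2` and the rule that a client update with no enabled policy drops the former secret are assumptions that mirror the behaviour the report describes.

```java
import java.util.HashMap;
import java.util.Map;

// Simplified model of the import order; not Keycloak or keycloak-config-cli code.
public class ImportOrderModel {
    // Assumed single policy covering the confidential client; value = enabled.
    private final Map<String, Boolean> policies = new HashMap<>();
    private String secret = "s1";   // constructed sample secret
    private String rotatedSecret;   // former secret, kept only while rotation applies

    private boolean policyActive() { return policies.containsValue(true); }

    // Mirrors the report: updating the realm disables the existing policies.
    void updateRealm() { policies.replaceAll((name, enabled) -> false); }
    void importPolicies() { policies.put("rotate-confidential", true); }

    // Assumption: a client update is judged against the policies enabled right now.
    void importClient() { if (!policyActive()) rotatedSecret = null; }

    void regenerateSecret(String next) {
        rotatedSecret = policyActive() ? secret : null;
        secret = next;
    }

    boolean accepts(String candidate) {
        return candidate.equals(secret) || candidate.equals(rotatedSecret);
    }

    void applyConfig(boolean policiesFirst) {
        updateRealm();
        if (policiesFirst) importPolicies();
        importClient();
        if (!policiesFirst) importPolicies();
    }

    // Steps 4 to 7 of the report; true if the former secret is still accepted.
    static boolean formerSecretSurvives(boolean policiesFirst) {
        ImportOrderModel realm = new ImportOrderModel();
        realm.applyConfig(policiesFirst);   // step 4: first import
        realm.regenerateSecret("s2");       // step 5: policy exists, "s1" is kept
        realm.applyConfig(policiesFirst);   // steps 6-7: re-import (description change not modelled)
        return realm.accepts("s1");
    }

    public static void main(String[] args) {
        System.out.println("clients before policies: " + formerSecretSurvives(false));
        System.out.println("policies before clients: " + formerSecretSurvives(true));
    }
}
```

In this model the former secret is rejected after the re-import when clients are imported first, and stays accepted when policies are imported first.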
