
Realm import fails when client configures default_acr values #32799

Closed
@thomasdarimont

Description

Before reporting an issue

  • I have read and understood the above terms for submitting issues, and I understand that my issue may be closed without action if I do not follow them.

Area

import-export

Describe the bug

Importing an exported json realm configuration fails if it contains a custom acr_to_loa mapping and a client that references the acr value via default_acr_values.

Version

Keycloak 25.0.5

Regression

  • The issue is a regression

Expected behavior

Import should work fine.

This issue is present in KC25 and KC24.

Actual behavior

Import fails with an exception:

2024-09-11 12:33:48,828 ERROR [org.keycloak.services.error.KeycloakErrorHandler] (executor-thread-19) Uncaught server error: java.lang.RuntimeException: Invalid client client-silver: Default ACR values need to contain values specified in the ACR-To-Loa mapping or number levels from set realm browser flow
	at org.keycloak.storage.datastore.DefaultExportImportManager.lambda$createClients$7(DefaultExportImportManager.java:541)
	at org.keycloak.validation.ValidationUtil.validateClient(ValidationUtil.java:45)
	at org.keycloak.validation.ValidationUtil.validateClient(ValidationUtil.java:28)
	at org.keycloak.storage.datastore.DefaultExportImportManager.createClients(DefaultExportImportManager.java:540)
	at org.keycloak.storage.datastore.DefaultExportImportManager.importRealm(DefaultExportImportManager.java:369)
	at org.keycloak.models.utils.RepresentationToModel.importRealm(RepresentationToModel.java:139)
	at org.keycloak.services.managers.RealmManager.importRealm(RealmManager.java:584)
	at org.keycloak.services.managers.RealmManager.importRealm(RealmManager.java:513)
	at org.keycloak.services.managers.RealmManagerProviderFactory.lambda$postInit$0(RealmManagerProviderFactory.java:54)
	at org.keycloak.services.DefaultKeycloakSessionFactory.publish(DefaultKeycloakSessionFactory.java:91)
	at org.keycloak.storage.ImportRealmFromRepresentationEvent.fire(ImportRealmFromRepresentationEvent.java:50)
	at org.keycloak.storage.datastore.DefaultExportImportManager.importRealm(DefaultExportImportManager.java:172)
	at org.keycloak.services.resources.admin.RealmsAdminResource.importRealm(RealmsAdminResource.java:147)
	at org.keycloak.services.resources.admin.RealmsAdminResource$quarkusrestinvoker$importRealm_aa9defcbd5e1fb410aecd3ab57b280946687671e.invoke(Unknown Source)
	at org.jboss.resteasy.reactive.server.handlers.InvocationHandler.handle(InvocationHandler.java:29)
	at io.quarkus.resteasy.reactive.server.runtime.QuarkusResteasyReactiveRequestContext.invokeHandler(QuarkusResteasyReactiveRequestContext.java:141)
	at org.jboss.resteasy.reactive.common.core.AbstractResteasyReactiveContext.run(AbstractResteasyReactiveContext.java:147)
	at io.quarkus.vertx.core.runtime.VertxCoreRecorder$14.runWith(VertxCoreRecorder.java:635)
	at org.jboss.threads.EnhancedQueueExecutor$Task.doRunWith(EnhancedQueueExecutor.java:2516)
	at org.jboss.threads.EnhancedQueueExecutor$Task.run(EnhancedQueueExecutor.java:2495)
	at org.jboss.threads.EnhancedQueueExecutor$ThreadBody.run(EnhancedQueueExecutor.java:1521)
	at org.jboss.threads.DelegatingRunnable.run(DelegatingRunnable.java:11)
	at org.jboss.threads.ThreadLocalResettingRunnable.run(ThreadLocalResettingRunnable.java:11)
	at io.netty.util.concurrent.FastThreadLocalRunnable.run(FastThreadLocalRunnable.java:30)
	at java.base/java.lang.Thread.run(Thread.java:840)

How to Reproduce?

  1. Create a realm
  2. Create an acr-to-loa mapping in the realm, e.g. silver: 1 and gold: 2
  3. Create a client
  4. In advanced client settings configure "Default ACR Values" to silver
  5. Export the realm
  6. Delete the realm
  7. Try to reimport the realm json

Anything else?

The problem seems to be that the realm attributes are not yet set in org.keycloak.storage.datastore.DefaultExportImportManager#importRealm(org.keycloak.representations.idm.RealmRepresentation, org.keycloak.models.RealmModel, boolean) when the client configuration is imported. However, the acr.loa.map realm attribute is needed to validate the client configuration.

I propose to move the realm attribute import above the client import. This solves the issue.

An example file that reproduces the error can be found here: https://gist.github.com/thomasdarimont/b0928cf6d6df07dc76d52413794a1414
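The ordering defect described above, modelled as an added Python example (not Keycloak code and not the reporter's gist). It keeps the realm attribute key acr.loa.map from the report and assumes the rest: that the mapping is stored as a JSON object string, that a client carries its default ACR values in a list field named defaultAcrValues, and that the browser flow exposes its numeric LoA levels as a set. The same client representation is imported twice, once with realm attributes applied after the clients (the reported order) and once with them applied before (the proposed fix), so the validation that produces the "Invalid client client-silver" error can be seen to depend only on the order.

```python
import json
from dataclasses import dataclass, field

# Constructed model of the import ordering described in the issue. It is not Keycloak
# code; the attribute key "acr.loa.map" comes from the report, everything else is assumed.


class RealmImportError(RuntimeError):
    """Raised when a client representation fails validation during import."""


@dataclass
class Realm:
    name: str
    attributes: dict = field(default_factory=dict)
    clients: list = field(default_factory=list)

    def acr_to_loa_map(self) -> dict:
        # Assumption: the mapping is stored as a JSON object string in the realm attribute.
        raw = self.attributes.get("acr.loa.map")
        return json.loads(raw) if raw else {}


def validate_client(realm: Realm, client: dict, browser_flow_levels: frozenset) -> None:
    """Check the rule quoted in the exception: each default ACR value must be a key of the
    realm's acr-to-loa map or a numeric level defined by the realm's browser flow."""
    acr_map = realm.acr_to_loa_map()
    for acr in client.get("defaultAcrValues", []):  # assumed field name
        if acr in acr_map:
            continue
        if acr.isdigit() and int(acr) in browser_flow_levels:
            continue
        raise RealmImportError(
            f"Invalid client {client['clientId']}: Default ACR values need to contain values "
            "specified in the ACR-To-Loa mapping or number levels from set realm browser flow"
        )


def import_realm(rep: dict, attributes_before_clients: bool,
                 browser_flow_levels: frozenset = frozenset()) -> Realm:
    """Import a realm representation. The flag selects whether realm attributes are
    applied before the clients (the proposed fix) or after them (the reported behaviour)."""
    realm = Realm(rep["realm"])
    if attributes_before_clients:
        realm.attributes = dict(rep.get("attributes", {}))
    for client in rep.get("clients", []):
        # In the reported order this runs against an empty acr-to-loa map.
        validate_client(realm, client, browser_flow_levels)
        realm.clients.append(client)
    if not attributes_before_clients:
        realm.attributes = dict(rep.get("attributes", {}))
    return realm


# Constructed realm export mirroring the reproduction steps: silver=1, gold=2 and a
# client whose default ACR value is "silver".
SAMPLE_EXPORT = {
    "realm": "acr-demo",
    "attributes": {"acr.loa.map": json.dumps({"silver": 1, "gold": 2})},
    "clients": [{"clientId": "client-silver", "defaultAcrValues": ["silver"]}],
}


def run_both_orders(rep: dict = SAMPLE_EXPORT) -> dict:
    """Return the outcome of importing `rep` in the reported order and in the proposed order."""
    outcome = {}
    for label, first in (("attributes_after_clients", False), ("attributes_before_clients", True)):
        try:
            import_realm(rep, attributes_before_clients=first)
            outcome[label] = "ok"
        except RealmImportError as exc:
            outcome[label] = str(exc)
    return outcome


if __name__ == "__main__":
    for order, result in run_both_orders().items():
        print(f"{order}: {result}")
```

Running the block prints the exception text for the attributes-after-clients order and "ok" for the attributes-before-clients order; the validation rule itself is unchanged between the two runs, which is the point of the proposed reordering.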
