keycloak/keycloak

Federated roles and groups do not respect storage provider cache policies in "RealmCacheSession"

Open

#47.660 aperta il 1 apr 2026

Vedi su GitHub
 (1 commento) (1 reazione) (0 assegnatari)Java (8346 fork)batch import
area/storagehelp wantedkind/bugpriority/normalstatus/auto-bumpstatus/auto-expireteam/core-iam

Metriche repository

Star
 (34.398 star)
Metriche merge PR
 (Merge medio 6g 19h) (384 PR mergiate in 30 g)

Descrizione

Before reporting an issue

  • I have read and understood the above terms for submitting issues, and I understand that my issue may be closed without action if I do not follow them.

Area

storage

Describe the bug

Federated roles do not appear to respect storage provider cache policies such as NO_CACHE, MAX_LIFESPAN, EVICT_DAILY, and EVICT_WEEKLY in RealmCacheSession, unlike federated clients and users.

From code inspection:

  • Roles are cached in getCachedRole(...) via cache.addRevisioned(...)
  • There is no lookup of RoleStorageProviderModel
  • There is no shouldInvalidate(...) check or provider lifespan handling applied to cached role entries

Groups are likely affected as well due to an identical cache-path pattern in getGroupById(...), although this has not yet been confirmed via runtime repro.

Version

latest nightly built from main (999.0.0-SNAPSHOT)

Regression

  • The issue is a regression

Expected behavior

Federated roles should respect storage provider cache policies.

In particular:

  • When CachePolicy.NO_CACHE is configured, roles should not be cached
  • For MAX_LIFESPAN and eviction-based policies, cache entries should expire accordingly
  • Cached entries should be validated using provider policy (similar to federated clients and users)

Actual behavior

Federated roles are cached and reused without applying provider cache policy.

  • NO_CACHE is ignored and roles are still cached
  • No lifespan or eviction policy is applied
  • No shouldInvalidate(...) check is performed on cached entries

This leads to behavior inconsistent with federated clients and users.

How to Reproduce?

Reproduced on current main snapshot.

A focused test (RoleStorageNoCacheReproTest) demonstrates the issue:

Command used:

./mvnw -pl testsuite/integration-arquillian/tests/base -am -Pauth-server-quarkus -Dauth.server.ssl.required=false -Dtest=RoleStorageNoCacheReproTest test

Result:

  • Tests run: 1
  • Failures: 1

Failure details:

  • Assertion failed at RoleStorageNoCacheReproTest.java:98
  • The test expected the role to not be cached, but it was returned from cache

This confirms that CachePolicy.NO_CACHE is not respected for federated roles.

Note: Not yet validated on the latest stable release; confirmed on nightly/main.

Anything else?

Comparison with existing behavior:

Federated clients correctly enforce provider cache policy:

  • Skip caching when NO_CACHE or provider is disabled
  • Apply lifespan constraints for MAX_LIFESPAN / eviction policies
  • Use shouldInvalidate(...) for read-time validation

No equivalent logic is present for roles.


Code references:

  • Role caching: RealmCacheSession.getCachedRole(...) (~line 944)
  • Client policy handling: RealmCacheSession (~lines 1217–1269)
  • Policy definition: CacheableStorageProviderModel (~line 164)

Additional supporting evidence:

  • RoleStorageTest contains eviction-related tests (NO_CACHE, MAX_LIFESPAN, EVICT_*) that are currently commented out
  • GroupStorageTest shows similar patterns (not yet runtime-confirmed)
  • Equivalent client tests are active and passing

Scope clarification:

Explicit invalidation on role update and removal is present and working.

This issue specifically concerns missing provider-policy-driven cache behavior, not mutation-based invalidation.

Guida contributor