keycloak/keycloak

User Attribute not inherited from organization attributes

Open

#34,256 opened on Oct 23, 2024

Labels: area/organizations, help wanted, kind/enhancement, priority/low, status/auto-bump, team/core-iam

Description

Before reporting an issue

  • I have read and understood the above terms for submitting issues, and I understand that my issue may be closed without action if I do not follow them.

Area

organizations

Describe the bug

Attributes from an organization are not inherited by the user as group attributes are.

I would like to configure a conditional authenticator flow, when a user attribute is set, and I would like to set this attribute on organization, to have it inherited by all users of this organization.

Version

26.0.0

Regression

  • The issue is a regression

Expected behavior

When using the ConditionalUserAttributeValue authenticator, attributes set on the Organization should be resolved.

Actual behavior

Attributes set on the Organization are ignored.

How to Reproduce?

  • Create an authentication flow with Condition - user attribute

  • Add this attribute on the organization

  • Create a user in this organization and login

==> conditional authenticator always returns false

Anything else?

ConditionalUserAttributeValue is using KeycloakModelUtils#resolveAttribute(org.keycloak.models.UserModel, java.lang.String, boolean) to resolve user attribute. Then, this method fetches all groups the user belongs to with user.getGroupsStream().

But UserAdapter#getGroupsStream is filtering only REALM groups: return result.filter(g -> Type.REALM.equals(g.getType())).sorted(Comparator.comparing(GroupModel::getName));

So ORGANIZATION groups are not returned and attributes from them are not resolved.

Perhaps we should have a method user.getAllGroupsStream() for this case which does not filter anything?

If this bug is validated, I am open to sending a PR.

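The lookup path described in the report, as an added stand-alone model (not part of the original issue and not Keycloak source). `Group`, `User`, `resolve`, `conditionMatches` and the `require_otp` attribute are hypothetical stand-ins, and the sample data is constructed; only the REALM filter mirrors the line quoted above.

```java
import java.util.*;
import java.util.stream.*;

// Simplified model of the attribute lookup described in the issue; NOT Keycloak code.
public class OrgAttributeResolution {
    enum Type { REALM, ORGANIZATION }

    record Group(String name, Type type, Map<String, String> attributes) {}

    record User(Map<String, String> attributes, List<Group> memberships) {
        // Mirrors the filter quoted in the issue: only REALM groups are exposed.
        Stream<Group> getGroupsStream() {
            return memberships.stream()
                    .filter(g -> Type.REALM.equals(g.type()))
                    .sorted(Comparator.comparing(Group::name));
        }
        // Unfiltered variant along the lines the reporter proposes (hypothetical).
        Stream<Group> getAllGroupsStream() {
            return memberships.stream().sorted(Comparator.comparing(Group::name));
        }
    }

    // The user's own attribute wins; otherwise use the first group that defines it.
    static Optional<String> resolve(User u, String key, boolean includeOrgGroups) {
        String own = u.attributes().get(key);
        if (own != null) return Optional.of(own);
        Stream<Group> groups = includeOrgGroups ? u.getAllGroupsStream() : u.getGroupsStream();
        return groups.map(g -> g.attributes().get(key)).filter(Objects::nonNull).findFirst();
    }

    // What a "user attribute equals expected value" condition evaluates to.
    static boolean conditionMatches(User u, String key, String expected, boolean includeOrgGroups) {
        return resolve(u, key, includeOrgGroups).map(expected::equals).orElse(false);
    }

    public static void main(String[] args) {
        // Constructed sample: the attribute exists only on the organization group.
        Group org = new Group("acme", Type.ORGANIZATION, Map.of("require_otp", "true"));
        Group staff = new Group("staff", Type.REALM, Map.of("department", "it"));
        User alice = new User(Map.of(), List.of(org, staff));

        System.out.println("REALM-only lookup: " + conditionMatches(alice, "require_otp", "true", false));
        System.out.println("all-groups lookup: " + conditionMatches(alice, "require_otp", "true", true));
        System.out.println("realm group attr:  " + conditionMatches(alice, "department", "it", false));
    }
}
```

When such a condition gates a step in an authentication flow, a false result means the step is skipped without any error, so a flow that relies on organization-level attributes should be tested with a user whose attribute comes only from the organization.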