Do not empty attributes if they are not provided when user profile is enabled


Describe the bug

When the user declarative profile feature is enabled, attributes that are defined in the User Profile are always present in the user attributes even if they are not set (Admin Panel -> Users -> user -> Attributes tab).

Also, on an attempt to update a user through the PUT endpoint, attributes are removed from the user.

Context

We are using an ABAC model and make use of the Keycloak user attributes extensively. To prevent users from accessing areas they should not have access to by modifying their attributes, we enabled the Declarative User Profile feature and disabled write access to all the important attributes for the users, leaving read access only (via Admin Panel -> Realm settings -> User Profile tab -> Attributes subtab -> attribute -> Permissions section -> Can user edit = FALSE, Can user view = TRUE). At the same time, administrators should have read and write access for those attributes (via Admin Panel -> Realm settings -> User Profile tab -> Attributes subtab -> attribute -> Permissions section -> Can admin edit = TRUE, Can admin view = TRUE). Attributes are not required in our case.

Problem 1

But when this is configured in this way, administrators can see attributes with empty values in the user attributes page (Admin Panel -> Users -> user -> Attributes tab) even if the attribute has not been set for the user. This is confusing for the administrators.

Problem 2

We make use of the Admin REST API to make some modifications on the users, for example, to update the email. But to make it happen it’s necessary to send the whole user representation with all the attributes, otherwise they will be removed. This makes it necessary to do a GET user request first to get the full user representation, modify it by updating the email address, and send a PUT request to make the update. This introduces an unnecessary HTTP call that could be avoided (and can be avoided in case the Declarative User Profile feature is disabled).

Version

16.1.1

Expected behavior

  1. Attributes that are not set for a user are not shown in the Admin Panel -> Users -> user -> Attributes tab.
  2. On a request to the PUT /auth/admin/realms/{realm}/users/{id} endpoint without the attributes field in the request body, all existing user attributes must be preserved, as it works when the User Declarative Profile feature is disabled.

Actual behavior

  1. For users without attributes, fields from the User Profile configuration are still shown on the user attributes tab in the Admin panel with an empty value.
  2. On a request to the PUT /auth/admin/realms/{realm}/users/{id} endpoint without attributes field in the request body all existing user attributes are removed when User Declarative Profile Feature is disabled.

How to Reproduce?

  1. Enable Declarative User Profile feature https://www.keycloak.org/docs/latest/server_admin/index.html#enabling-the-user-profile
  2. Create a user with username test, email test@test.com, and without any attributes
  3. Go to Admin Panel -> Realm settings -> User Profile tab -> Attributes subtab -> click Create
  4. Create a new attribute with the following parameters and click save:
     a. name: test-attribute
     b. Required: FALSE
     c. Permissions -> Can admin edit: TRUE
     d. Permissions -> Can admin view = TRUE
     e. Permissions -> Can user edit: FALSE
     f. Permissions -> Can user view = TRUE
  5. Go to the user created in Step 2: Admin Panel -> Users -> user with username test (from Step 2) -> Attributes tab
     a. test-attribute is shown with an empty value even though it’s not set for the user. (Actual behavior 1)
  6. Set user attribute test-attribute value to Test Value and save the user
  7. Make a PUT request to the PUT /auth/admin/realms/{realm}/users/{id} endpoint to update the user email for the user created in Step 2. Payload:

     {
         "email": "new-email@test.com"
     }

  8. Check the user: Admin Panel -> Users -> user with username test (from Step 2)
     a. User email has been updated to new-email@test.com (expected), however,
     b. on the User Attributes tab the test-attribute value is empty (Actual behavior 2) even though it was not present in the PUT request. And this won’t happen in case the Declarative User Profile feature is not enabled.

Anything else?

No response
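The following is an added example, not code from the issue or from Keycloak. It covers both the GET-modify-PUT workaround described under Problem 2 and the reproduction steps above: `merge_user_update` builds the full representation that must be sent so that attributes are not wiped, `lost_attributes` is the post-update check an operator relying on attributes for ABAC would want, and `simulate_declarative_profile_put` is a model of the behaviour the issue reports (every profile attribute always present, empty unless sent), written here only so the example runs offline. The URL path, the sample user and the `update_user_safely` helper are assumptions; the token and realm values are placeholders.

```python
import json
import urllib.request
from copy import deepcopy

# Constructed sample: the user from the reproduction steps after step 6.
SAMPLE_USER = {
    "id": "00000000-0000-0000-0000-000000000000",  # placeholder id
    "username": "test",
    "email": "test@test.com",
    "attributes": {"test-attribute": ["Test Value"]},
}


def merge_user_update(current, changes):
    """Return a full UserRepresentation: `current` (as returned by GET) with
    `changes` applied on top. Attributes are merged key by key, so attributes
    omitted from `changes` survive the PUT; a key explicitly set to [] clears it."""
    merged = deepcopy(current)
    for key, value in changes.items():
        if key == "attributes":
            attrs = dict(merged.get("attributes") or {})
            attrs.update(value)
            merged["attributes"] = attrs
        else:
            merged[key] = value
    return merged


def lost_attributes(before, after):
    """Names of attributes that had a value before an update but are empty
    or absent afterwards. Non-empty means an authorization attribute was wiped."""
    before_attrs = before.get("attributes") or {}
    after_attrs = after.get("attributes") or {}
    return sorted(
        name for name, values in before_attrs.items()
        if values and not after_attrs.get(name)
    )


def simulate_declarative_profile_put(stored, body, profile_attribute_names):
    """Model of the reported behaviour (assumption, not Keycloak code): the stored
    user is replaced by the request body, and every attribute declared in the
    User Profile is always present, taking the value from the body or an empty list."""
    result = {k: v for k, v in stored.items() if k != "attributes"}
    result.update({k: v for k, v in body.items() if k != "attributes"})
    sent = body.get("attributes") or {}
    result["attributes"] = {
        name: list(sent.get(name, [])) for name in profile_attribute_names
    }
    return result


def _request(method, url, token, body=None):
    """Minimal JSON call to the Admin REST API with a bearer token."""
    data = json.dumps(body).encode() if body is not None else None
    req = urllib.request.Request(url, data=data, method=method)
    req.add_header("Authorization", f"Bearer {token}")
    req.add_header("Content-Type", "application/json")
    with urllib.request.urlopen(req) as resp:
        raw = resp.read()
        return json.loads(raw) if raw else None


def update_user_safely(base_url, realm, user_id, token, changes):
    """GET the user, PUT the merged representation, then re-read and verify
    that no attribute was lost. Raises if the server dropped any attribute."""
    url = f"{base_url}/auth/admin/realms/{realm}/users/{user_id}"  # v16 path from the issue
    before = _request("GET", url, token)
    _request("PUT", url, token, merge_user_update(before, changes))
    after = _request("GET", url, token)
    lost = lost_attributes(before, after)
    if lost:
        raise RuntimeError(f"update wiped user attributes: {lost}")
    return after


if __name__ == "__main__":
    # Offline demonstration against the model of the reported behaviour.
    naive = simulate_declarative_profile_put(
        SAMPLE_USER, {"email": "new-email@test.com"}, ["test-attribute"])
    print("naive PUT lost:", lost_attributes(SAMPLE_USER, naive))
    merged = merge_user_update(SAMPLE_USER, {"email": "new-email@test.com"})
    safe = simulate_declarative_profile_put(SAMPLE_USER, merged, ["test-attribute"])
    print("merged PUT lost:", lost_attributes(SAMPLE_USER, safe))
    # Live use (placeholders): update_user_safely("https://keycloak.example",
    #     "REALM_PLACEHOLDER", SAMPLE_USER["id"], "TOKEN_PLACEHOLDER",
    #     {"email": "new-email@test.com"})
```

The post-update re-read in `update_user_safely` is the part worth keeping even after the server-side behaviour is fixed: when attributes gate access, an update path that can silently clear them should be verified rather than trusted.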

Issue Analytics

  • State: closed
  • Created a year ago
  • Comments: 22 (17 by maintainers)

Top GitHub Comments

1 reaction
daviddelannoy commented, Aug 26, 2022

You’re right, I will make a new one, already prepared it in fact 😃 thanks

1 reaction
ssilvert commented, Aug 15, 2022

It was kinda on purpose because it helps administrators to look at the attributes available from the user profile.

But yeah, this topic is basically a UX discussion. Ideally, the UI should be built based on the user profile metadata.

Consider the following situation. You add an attribute and mark it as required. You don’t show it in the admin console (when empty). Now you try to save the user and you get an error message saying that the attribute is required.

By showing the empty attribute, the admin can just type the value.

We should probably involve @ssilvert in this discussion and see what works best for the new admin console.

Regarding the admin UI portion of this discussion, we are just starting on an advanced design. @agagancarczyk will do the implementation.

The way we plan to make it work is that any attribute defined as part of the user profile will not be displayed on the Attributes tab at all. Instead, the field will be rendered on the Details tab. This way, we can use the definition of the attribute to improve the user experience. For instance, an attribute that only has three valid values will be displayed as a dropdown.

If Admin can edit is false, the attribute will display as read only. If Admin can view is false, the attribute will not be displayed.

For updates, I guess we will need to do the PATCH operation if you guys decide to implement it.

Also, I notice that attribute definitions should probably have a field for help text. And we should think about localization for both help text and display name.
