Client scopes aren't deleted when removed from the JSON configuration
### Current Behavior
When I run the keycloak-config-cli against a configuration that changes or deletes a clientScope previously present in the JSON config, that client scope is not deleted or modified.
### Expected Behavior
Reading through the MANAGED documentation, I expected the scope that was originally created to have metadata that allowed keycloak-config-cli to identify that something changed and update or delete that client scope as appropriate. As it stands, if I delete the clientScope, the previously-created scope remains unchanged. If I change the name, it just adds a new second scope with the new name and leaves the original in place as well.
### Steps To Reproduce
- Create a configuration in a file `conf/01_realm.json` that creates a new Realm with one client scope:

```json
{
  "enabled": true,
  "realm": "test-realm",
  "displayName": "Test Realm",
  "displayNameHtml": "<div class=\"kc-logo-text\"><span>Keycloak - ${role_uma_authorization}</span></div>",
  "verifyEmail": false,
  "notBefore": 0,
  "browserSecurityHeaders": {
    "contentSecurityPolicyReportOnly": "",
    "xContentTypeOptions": "nosniff",
    "xRobotsTag": "none",
    "xFrameOptions": "SAMEORIGIN",
    "contentSecurityPolicy": "frame-src 'self'; frame-ancestors 'self'; object-src 'none';",
    "xXSSProtection": "1; mode=block",
    "strictTransportSecurity": "max-age=31536000; includeSubDomains"
  },
  "clientScopes": [
    {
      "name": "test.component.admin",
      "protocol": "openid-connect",
      "attributes": {
        "include.in.token.scope": "true",
        "display.on.consent.screen": "true",
        "consent.screen.text": "Administrator access to all Components"
      }
    }
  ]
}
```
- Apply the configuration with the docker version of the CLI:

```bash
docker run --rm -ti \
  -v $PWD:/config/ \
  -e LOGGING_LEVEL_ROOT=INFO \
  -e LOGGING_LEVEL_KEYCLOAKCONFIGCLI=DEBUG \
  -e LOGGING_LEVEL_HTTP=DEBUG \
  -e LOGGING_LEVEL_REALMCONFIG=DEBUG \
  -e KEYCLOAK_URL="https://my.test.keycloak.com/" \
  -e KEYCLOAK_GRANTTYPE="client_credentials" \
  -e KEYCLOAK_CLIENTID="keycloak-automation" \
  -e KEYCLOAK_CLIENTSECRET="***************************" \
  -e KEYCLOAK_AVAILABILITYCHECK_ENABLED=true \
  -e KEYCLOAK_AVAILABILITYCHECK_TIMEOUT=15s \
  -e IMPORT_FILES_LOCATIONS='/config/01_realm.json' \
  -e IMPORT_VARSUBSTITUTION_ENABLED=true \
  -e KEYCLOAK_VERSION=25.0.6 \
  -e MAVEN_CLI_OPTS="-B -ntp -q" \
  -e IMPORT_REMOTESTATE_ENABLED=false \
  adorsys/keycloak-config-cli:latest-25
```
- Verify that the new realm "Test Realm" is created and has the provided scope "test.component.admin" - it does!
- Rename the scope in the 01_realm.json file to "test.component.admin2" and rerun the docker command to apply it
- Check again, and there are two scopes, "test.component.admin", and "test.component.admin2"
I've also tried deleting the scope from `01_realm.json`, leaving just `"clientScopes": []` (which, by my understanding of the MANAGED docs, should delete all managed clientScopes), but this doesn't do anything to the scopes previously created.
### Environment
- Keycloak Version: 25.0.6 (also checked with the latest v26 release)
- keycloak-config-cli Version: docker tag latest-25 (also checked with latest-26)
- Java Version: Uncertain, as I'm running an instance of Keycloak deployed using the Keycloak Operator inside a kubernetes cluster
### Anything else?
No response
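To make the expected "managed resource" behaviour concrete, here is an added example (not keycloak-config-cli's own code) that computes a reconciliation plan for `clientScopes`: scopes in the JSON but not on the server are created, scopes present on both sides but different are updated, and scopes the tool previously created but that are no longer in the JSON are deleted, while built-in or hand-made scopes are left alone. It assumes a hypothetical marker attribute (`managed-by`) that the tool stamps on every scope it creates; the sample server state and the two desired configurations (the rename and the empty list from the report) are constructed inline.

```python
"""Added example: reconciliation plan for managed clientScopes.

Not keycloak-config-cli code. The marker attribute below is an assumption
about how a tool could tell its own scopes apart from built-in ones.
"""
from __future__ import annotations

import copy
from typing import Any, Dict, List

# Hypothetical marker stamped on every scope the tool creates.
MANAGED_KEY = "managed-by"
MANAGED_VALUE = "keycloak-config-cli"

Scope = Dict[str, Any]


def _is_managed(scope: Scope) -> bool:
    return scope.get("attributes", {}).get(MANAGED_KEY) == MANAGED_VALUE


def _normalize(scope: Scope):
    """Comparable view of a scope: protocol plus attributes minus the marker."""
    attrs = {k: v for k, v in scope.get("attributes", {}).items() if k != MANAGED_KEY}
    return scope.get("protocol", "openid-connect"), attrs


def _tag(scope: Scope) -> Scope:
    """Copy of a desired scope with the managed marker added."""
    tagged = copy.deepcopy(scope)
    tagged.setdefault("attributes", {})[MANAGED_KEY] = MANAGED_VALUE
    return tagged


def plan(desired: List[Scope], existing: List[Scope]) -> Dict[str, List[str]]:
    """Decide, by scope name, what a MANAGED import should do."""
    by_name = {s["name"]: s for s in existing}
    wanted = {s["name"] for s in desired}
    result: Dict[str, List[str]] = {"create": [], "update": [], "delete": [], "keep": []}
    for d in desired:
        current = by_name.get(d["name"])
        if current is None:
            result["create"].append(d["name"])
        elif _normalize(current) != _normalize(d):
            result["update"].append(d["name"])
        else:
            result["keep"].append(d["name"])
    for name, current in by_name.items():
        if name not in wanted:
            # Only scopes we created are ours to remove; built-ins stay.
            bucket = "delete" if _is_managed(current) else "keep"
            result[bucket].append(name)
    return result


def apply_plan(desired: List[Scope], existing: List[Scope], p: Dict[str, List[str]]) -> List[Scope]:
    """Pure simulation of the server state after the plan has run."""
    desired_by_name = {s["name"]: s for s in desired}
    state: List[Scope] = []
    for s in existing:
        if s["name"] in p["delete"]:
            continue
        state.append(_tag(desired_by_name[s["name"]]) if s["name"] in p["update"] else copy.deepcopy(s))
    for name in p["create"]:
        state.append(_tag(desired_by_name[name]))
    return state


# Constructed sample data: one built-in scope the tool never created.
BUILTIN: List[Scope] = [{"name": "profile", "protocol": "openid-connect", "attributes": {}}]

ADMIN_ATTRS = {
    "include.in.token.scope": "true",
    "display.on.consent.screen": "true",
    "consent.screen.text": "Administrator access to all Components",
}
RUN1_DESIRED: List[Scope] = [{"name": "test.component.admin", "protocol": "openid-connect", "attributes": ADMIN_ATTRS}]
RUN2_DESIRED: List[Scope] = [{"name": "test.component.admin2", "protocol": "openid-connect", "attributes": ADMIN_ATTRS}]


def rename_scenario() -> Dict[str, List[str]]:
    """First import creates the scope; the renamed config should swap it, not add a second one."""
    first = plan(RUN1_DESIRED, BUILTIN)
    after_first = apply_plan(RUN1_DESIRED, BUILTIN, first)
    return plan(RUN2_DESIRED, after_first)


def empty_list_scenario() -> Dict[str, List[str]]:
    """An empty clientScopes list should remove only the managed scope."""
    first = plan(RUN1_DESIRED, BUILTIN)
    after_first = apply_plan(RUN1_DESIRED, BUILTIN, first)
    return plan([], after_first)


if __name__ == "__main__":
    print("rename:", rename_scenario())
    print("empty list:", empty_list_scenario())
```

The two scenario functions mirror the report: renaming `test.component.admin` to `test.component.admin2` yields one delete and one create rather than two coexisting scopes, and an empty `clientScopes` list deletes only the scope the tool itself created, never the built-in `profile` scope.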
Hello @mtthwcmpbll
Thank you for reporting the issue. For now, the workaround could be to delete it completely from your config and run the import. Then, in a second run, add it back with the new name.
A fix for the bug is in progress.
Hello @mtthwcmpbll, a solution has been provided in #1306. Please give it a go and report any other issues identified.