community-plugins icon indicating copy to clipboard operation
community-plugins copied to clipboard
verified publisher icon backstage

🐛 keycloak: Subgroups imports not working cause Keycloak >26.4.0 restrict the use of the server info endpoint

Open gerritc opened this issue 1 month ago • 2 comments

Workspace

keycloak

📜 Description

Starting with Keycloak 26.4.0 the serverinfo endpoints stopped serving the systemInfo containing the Keycloak version which is used to determine the mechanism for loading the subgroups.

From the Release Notes:

The serverinfo endpoint only returns the system info for administrators in the administrator realm Starting with this version, the serverinfo endpoint, which is used by the admin console to obtain some general information of the Keycloak installation, will only return the system information for administrators in the administration (master) realm. This change was done for security reasons. If, for whatever reason, an administrator in a common realm needs to access the systemInfo, cpuInfo or memoryInfo fields of the serverinfo response, you need to create and assign a new view-system role to that admin user: In the affected realm, select the management client realm-management, and, in the Roles tab, create a new role called view-system. In Users select the administrator account, and, in the Role mapping tab, assign the just created view-system client role to the admin user. The previous workaround is marked as deprecated and it can be removed in a future version of Keycloak.

👍 Expected behavior

The subgroups are loaded as expected over the API added by Keycloak 23.

👎 Actual Behavior with Screenshots

The subgroups are not loaded, cause the current switch for the loading mechanism used the Keycloak version which is now not available.

👟 Reproduction steps

  1. Add multiple subgroups in Keycloak
  2. Start Backstage
  3. Only the root groups are available, subgroups are not shown

The problem is that Keycloak > 26.4.0 removed the systeminfo from the serverinfo endpoint and without that the current switch which selects the used API methods to receive the subgroups use always the API for Keycloak versions < 23.

https://github.com/backstage/community-plugins/blob/8d37a31170451581e4f3aba9c0734d5c2f036e13/workspaces/keycloak/plugins/catalog-backend-module-keycloak/src/lib/read.ts#L294-L322

📃 Provide the context for the Bug.

No response

👀 Have you spent some time to check if this bug has been raised before?

  • [x] I checked and didn't find similar issue

🏢 Have you read the Code of Conduct?

Are you willing to submit PR?

None

gerritc avatar Nov 17 '25 17:11 gerritc

Heya!

Just FYI @AndrienkoAleksandr @dzemanov @lholmquist @PatAKnight @djanickova

Parsifal-M avatar Nov 18 '25 15:11 Parsifal-M

Hi @gerritc thank you for reporting this issue. We have created https://issues.redhat.com/browse/RHDHBUGS-2309 to track progress.

dzemanov avatar Nov 25 '25 08:11 dzemanov