Group operations broken for Keycloak v23.0.0
Hey!
It seems like group operations like "assignRoleToGroup" are broken when using the current Keycloak version. They seem to have changed their scheme so that subGroups are no longer part of the original group but must be fetched separately.
The related changes can be found here:
- https://github.com/keycloak/keycloak/issues/22372
- https://github.com/keycloak/keycloak/pull/22700
To get the subGroups of a group, GET /admin/realms/{realm}/groups/{id}/children must be performed (see https://www.keycloak.org/docs-api/23.0.1/rest-api/index.html).
Is there any chance you could look into that soon?
Thanks in advance!
at [Source: (BufferedReader); line: 1, column: 200] (through reference chain: java.util.ArrayList[0]->de.klg71.keycloakmigration.keycloakapi.model.GroupListItem["subGroups"]) reading GET http://keycloak:8080/auth/admin/realms/XY/groups?search=Default
at feign.FeignException.errorReading(FeignException.java:167) ~[keycloakmigration.jar:?]
at feign.InvocationContext.proceed(InvocationContext.java:42) ~[keycloakmigration.jar:?]
at feign.ResponseHandler.decode(ResponseHandler.java:122) ~[keycloakmigration.jar:?]
at feign.ResponseHandler.handleResponse(ResponseHandler.java:73) ~[keycloakmigration.jar:?]
at feign.SynchronousMethodHandler.executeAndDecode(SynchronousMethodHandler.java:114) ~[keycloakmigration.jar:?]
at feign.SynchronousMethodHandler.invoke(SynchronousMethodHandler.java:70) ~[keycloakmigration.jar:?]
at io.github.resilience4j.retry.Retry.lambda$decorateCheckedFunction$7bb28b04$1(Retry.java:187) ~[keycloakmigration.jar:?]
at io.github.resilience4j.feign.DecoratorInvocationHandler.invoke(DecoratorInvocationHandler.java:95) ~[keycloakmigration.jar:?]
at com.sun.proxy.$Proxy29.searchGroup(Unknown Source) ~[?:?]
at de.klg71.keycloakmigration.keycloakapi.KeycloakClientHelperKt.existsGroup(KeycloakClientHelper.kt:85) ~[keycloakmigration.jar:?]
at de.klg71.keycloakmigration.changeControl.actions.group.AssignRoleToGroupAction.execute(AssignRoleToGroupAction.kt:22) ~[keycloakmigration.jar:?]
at de.klg71.keycloakmigration.changeControl.actions.Action.executeIt(Action.kt:37) ~[keycloakmigration.jar:?]
at de.klg71.keycloakmigration.changeControl.KeycloakMigration.doChange(KeycloakMigration.kt:45) [keycloakmigration.jar:?]
at de.klg71.keycloakmigration.changeControl.KeycloakMigration.execute$keycloakmigration(KeycloakMigration.kt:31) [keycloakmigration.jar:?]
at de.klg71.keycloakmigration.MainKt$migrate$1$1.invoke(Main.kt:74) [keycloakmigration.jar:?]
at de.klg71.keycloakmigration.MainKt$migrate$1$1.invoke(Main.kt:66) [keycloakmigration.jar:?]
at org.koin.core.context.GlobalContext.startKoin(GlobalContext.kt:65) [keycloakmigration.jar:?]
at org.koin.core.context.DefaultContextExtKt.startKoin(DefaultContextExt.kt:31) [keycloakmigration.jar:?]
at de.klg71.keycloakmigration.MainKt.migrate(Main.kt:66) [keycloakmigration.jar:?]
at de.klg71.keycloakmigration.MainKt$main$1.invoke(Main.kt:22) [keycloakmigration.jar:?]
at de.klg71.keycloakmigration.MainKt$main$1.invoke(Main.kt:20) [keycloakmigration.jar:?]
at com.xenomachina.argparser.SystemExitExceptionKt.mainBody(SystemExitException.kt:74) [keycloakmigration.jar:?]
at com.xenomachina.argparser.SystemExitExceptionKt.mainBody$default(SystemExitException.kt:72) [keycloakmigration.jar:?]
at de.klg71.keycloakmigration.MainKt.main(Main.kt:20) [keycloakmigration.jar:?]
Caused by: com.fasterxml.jackson.module.kotlin.MissingKotlinParameterException: Instantiation of [simple type, class de.klg71.keycloakmigration.keycloakapi.model.GroupListItem] value failed for JSON property subGroups due to missing (therefore NULL) value for creator parameter subGroups which is a non-nullable type
at [Source: (BufferedReader); line: 1, column: 200] (through reference chain: java.util.ArrayList[0]->de.klg71.keycloakmigration.keycloakapi.model.GroupListItem["subGroups"])
at com.fasterxml.jackson.module.kotlin.KotlinValueInstantiator.createFromObjectWith(KotlinValueInstantiator.kt:84) ~[keycloakmigration.jar:?]
at com.fasterxml.jackson.databind.deser.impl.PropertyBasedCreator.build(PropertyBasedCreator.java:202) ~[keycloakmigration.jar:?]
at com.fasterxml.jackson.databind.deser.BeanDeserializer._deserializeUsingPropertyBased(BeanDeserializer.java:523) ~[keycloakmigration.jar:?]
at com.fasterxml.jackson.databind.deser.BeanDeserializerBase.deserializeFromObjectUsingNonDefault(BeanDeserializerBase.java:1409) ~[keycloakmigration.jar:?]
at com.fasterxml.jackson.databind.deser.BeanDeserializer.deserializeFromObject(BeanDeserializer.java:352) ~[keycloakmigration.jar:?]
at com.fasterxml.jackson.databind.deser.BeanDeserializer.deserialize(BeanDeserializer.java:185) ~[keycloakmigration.jar:?]
at com.fasterxml.jackson.databind.deser.std.CollectionDeserializer._deserializeFromArray(CollectionDeserializer.java:359) ~[keycloakmigration.jar:?]
at com.fasterxml.jackson.databind.deser.std.CollectionDeserializer.deserialize(CollectionDeserializer.java:244) ~[keycloakmigration.jar:?]
at com.fasterxml.jackson.databind.deser.std.CollectionDeserializer.deserialize(CollectionDeserializer.java:28) ~[keycloakmigration.jar:?]
at com.fasterxml.jackson.databind.deser.DefaultDeserializationContext.readRootValue(DefaultDeserializationContext.java:323) ~[keycloakmigration.jar:?]
at com.fasterxml.jackson.databind.ObjectMapper._readMapAndClose(ObjectMapper.java:4825) ~[keycloakmigration.jar:?]
at com.fasterxml.jackson.databind.ObjectMapper.readValue(ObjectMapper.java:3801) ~[keycloakmigration.jar:?]
at feign.jackson.JacksonDecoder.decode(JacksonDecoder.java:65) ~[keycloakmigration.jar:?]
at feign.InvocationContext.proceed(InvocationContext.java:36) ~[keycloakmigration.jar:?]
... 22 more
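The failure in the trace above and the `/children` lookup described in the report, shown as an added example (not code from keycloakmigration or from this thread). The `Group` class is a hypothetical stand-in for the tool's `GroupListItem`, its field set is assumed, and the JSON responses are constructed; `fetchChildren` stands for the GET /admin/realms/{realm}/groups/{id}/children call and is injected so the example runs offline.

```kotlin
import com.fasterxml.jackson.annotation.JsonIgnoreProperties
import com.fasterxml.jackson.module.kotlin.jacksonObjectMapper
import com.fasterxml.jackson.module.kotlin.readValue

// Hypothetical model; the real GroupListItem may carry other fields.
@JsonIgnoreProperties(ignoreUnknown = true)
data class Group(
    val id: String,
    val name: String,
    val path: String,
    // A default value lets Jackson build the object when "subGroups" is
    // absent, instead of throwing MissingKotlinParameterException.
    val subGroups: List<Group> = emptyList()
)

private val mapper = jacksonObjectMapper()

fun parseGroups(json: String): List<Group> = mapper.readValue(json)

// Rebuild the group tree. When the list response carries no subGroups,
// fall back to the children endpoint for that group id, then recurse.
fun resolveTree(group: Group, fetchChildren: (String) -> String): Group {
    val children = group.subGroups.ifEmpty { parseGroups(fetchChildren(group.id)) }
    return group.copy(subGroups = children.map { resolveTree(it, fetchChildren) })
}

fun main() {
    // Constructed list response in the newer shape: no "subGroups" property.
    val listResponse = """[{"id":"g1","name":"Default","path":"/Default"}]"""
    // Constructed children responses, keyed by parent group id.
    val childrenById = mapOf(
        "g1" to """[{"id":"g2","name":"Ops","path":"/Default/Ops"}]""",
        "g2" to "[]"
    )
    val tree = parseGroups(listResponse).map { g ->
        resolveTree(g) { id -> childrenById.getValue(id) }
    }
    // The role assignment can now target /Default/Ops as well as /Default.
    println(tree)
}
```

The fallback issues one extra request per group that reports no children, so a role-assignment step that only needs the top-level group can skip `resolveTree` entirely.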
Hey @MrDeerly, thanks for the report. I guess I can schedule it for next week :)
Hey @klg71,
any chance that you can schedule this soonish? :)
Hey @MrDeerly, I looked into the issue. I would like to update directly to 24. They changed some APIs and there is an issue with custom user attributes. Currently keycloakmigration stores the migration state in custom attributes of the admin user. This is only possible if you enable the custom attribute flag first. If we would like to change this, it's gonna be a major effort and I don't have a solution for it right now.
v24 is fine, let's skip 23
I built a release candidate for keycloak 24: https://github.com/mayope/keycloakmigration/releases/tag/0.2.56.RC3. @MrDeerly could you check if this solves your issue? I couldn't reproduce it in my tests.
Just successfully tested 0.2.56.RC3 with keycloak 24 and 25.
As mentioned in the release notes, I had to set the attribute policy manually.
For our test setup, we can run the following migration in the first step to update the master realm first and create the test realm afterwards - including the attribute policy:
...
```yaml
changes:
  - updateRealm:
      id: master
      unmanagedAttributePolicy: ADMIN_EDIT
  - addRealm:
      name: ${REALM}
  - updateRealm:
      id: ${REALM}
      unmanagedAttributePolicy: ADMIN_EDIT
```
Thank you @klg71 for this great tool.
When do you plan to release a production version for Keycloak 24/25?
If you don't have further remarks I will gladly promote the RC to production :)
Nothing further from my side, looking forward to upgrading.