
[Keycloak] Groups not populated with users

Open Alveel opened this issue 3 years ago • 2 comments

EDIT: of course, shortly after the creation of this issue, I stumbled upon the probable solution: I added realm-admin to the sync user's role mappings in RH-SSO, and users were added to groups in OpenShift. From what little playing I have done, it appears the sync user also requires view-users besides query-users and query-groups. Maybe this is something recent?


Using the keycloak provider to link with RedHat SSO, groups within the configured realm are synchronised as expected, however group membership is not.

We have users and groups in RH-SSO. Users are part of one or more groups. The user used for synchronisation has query-groups and query-users as assigned roles.

From what I understand from people we consulted, users that log in through RH-SSO should automatically be added to a group by the operator (I assume when it runs depending on its schedule, or when does this happen exactly?)

However, the groups that get synchronised by the operator stay empty. Even when manually adding a user to the group within OpenShift with oc adm groups add-users $group $user1, whenever the operator synchronises again, it will just remove the user, even though the user is part of that group within RH-SSO.

Looking at the relevant code, and confirming via gocloak, users should be added to groups automatically within OpenShift.

The operator logs do not appear to be very verbose on this, and there doesn't appear to be a debug mode or verbosity option.

You can find our GroupSync and OAuth objects here. This is what we use to oc apply. We have tried with all the available scopes; they don't make a difference in regards to this problem.

What are we missing?

Alveel avatar Mar 22 '21 16:03 Alveel
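A preflight check a cluster admin can run before deploying the sync, based on the roles the issue author reports the sync user needs (query-users, query-groups and view-users). This is an added example, not code from the issue or from group-sync-operator; the role list is taken from the author's observation above, and the JSON shape is Keycloak's role-mappings response, shown here as a constructed sample.

```python
"""Check a Keycloak sync account's realm-management client roles against the
roles the issue reporter found necessary. Added example; not operator code."""
import json
import urllib.request
from typing import Any

# Roles of the built-in 'realm-management' client the reporter observed the
# sync user needs. This set comes from the issue text, not from Keycloak docs.
REQUIRED_ROLES = {"query-users", "query-groups", "view-users"}

# Constructed sample of GET /admin/realms/{realm}/users/{id}/role-mappings
# (Keycloak MappingsRepresentation); only the fields used below are shown.
SAMPLE_MAPPINGS = json.loads("""
{
  "realmMappings": [{"name": "default-roles-example"}],
  "clientMappings": {
    "realm-management": {
      "client": "realm-management",
      "mappings": [{"name": "query-users"}, {"name": "query-groups"}]
    }
  }
}
""")


def realm_management_roles(mappings: dict[str, Any]) -> set[str]:
    """Names of realm-management client roles directly mapped to the user.
    Note: this endpoint lists direct mappings only; realm-admin is a composite
    role, so its contained roles will not appear here. Use the
    .../role-mappings/clients/{client-uuid}/composite endpoint for effective roles."""
    client = mappings.get("clientMappings", {}).get("realm-management", {})
    return {role["name"] for role in client.get("mappings", [])}


def missing_roles(mappings: dict[str, Any]) -> set[str]:
    """Required roles the sync account still lacks (empty set means ready)."""
    return REQUIRED_ROLES - realm_management_roles(mappings)


def is_overprivileged(mappings: dict[str, Any]) -> bool:
    """True when realm-admin is mapped: far more than group sync needs."""
    return "realm-admin" in realm_management_roles(mappings)


def fetch_mappings(base_url: str, realm: str, user_id: str, token: str) -> dict:
    """Fetch the live role-mappings document with an admin bearer token.
    Not called by the offline sample above; hostnames are placeholders."""
    url = f"{base_url}/admin/realms/{realm}/users/{user_id}/role-mappings"
    req = urllib.request.Request(url, headers={"Authorization": f"Bearer {token}"})
    with urllib.request.urlopen(req, timeout=10) as resp:
        return json.load(resp)
```

With the sample above the check reports view-users as missing, which matches the reporter's finding; granting that single role is the least-privilege alternative to realm-admin.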

@Alveel this is pretty far back, but any chance that you were able to resolve this issue?

sabre1041 avatar Feb 04 '23 01:02 sabre1041

@sabre1041 if I recall correctly, my edit at the top solved the problem I have, even though that was (is?) not documented at the time.

Alveel avatar Mar 16 '23 18:03 Alveel