Captain-P-Goldfish / scim-for-keycloak

a third party module that extends keycloak by SCIM functionality
BSD 3-Clause "New" or "Revised" License

Group Membership Updates are not instantly pushed when the update is initiated from OKTA #117

Closed saravanad closed 2 weeks ago

saravanad commented 3 weeks ago

Hi @Captain-P-Goldfish ,

Users/Groups are pushed from OKTA through SCIM. Hence we have done Configuration through SCIM Server -> Service Provider in order to receive the updates from OKTA into Keycloak. This is working fine.

Keycloak in turn pushes the Users/Groups to Spring Boot Application. Hence we have done the configuration through SCIM Client -> Remote Service Provider to push updates from Keycloak to Spring Boot App. This is also working fine.

When we create Users or Group, the data is propagated from OKTA -> Keycloak -> Spring Boot.

If I try to add users to the group from the Keycloak UI, we get instant updates to Spring Boot.

However, when we try to add members to the group, the data is propagated from OKTA to Keycloak instantaneously. However, from Keycloak to Spring Boot it is not happening. The only issue is when users are added to the groups from OKTA.

Any pointers on how to achieve the instant group updates from Keycloak to Spring Boot, which are initiated from OKTA?

Thanks in advance for your support.

Thanks, Saravana

Captain-P-Goldfish commented 3 weeks ago

Good point. I have actually missed to fire the events correctly on group-member updates if the SCIM-Server-API is used. I will try to fix this with the next version.

saravanad commented 3 weeks ago

Thanks for the update. How frequently are the releases done? May I know when the next version will be released?

Captain-P-Goldfish commented 3 weeks ago

There is no specific timing since I just try my best to get the tasks done as fast as possible. But I'm already working on it. I hope to have the bugfix and the next feature ready in two weeks. I will release again as soon as this bugfix and the next feature are available.

Captain-P-Goldfish commented 2 weeks ago

Okay, I think I was able to successfully resolve the problem. Please test again with kc-23-2.2.0-free-SNAPSHOT

saravanad commented 2 weeks ago

Hi @Captain-P-Goldfish

I downloaded the kc-23-2.2.0-free-SNAPSHOT and it was not working. Also the date looks like 1.6.2024. Is the Fixed Version available for download?

image

Thanks, Saravana

Captain-P-Goldfish commented 2 weeks ago

The artifact is correct. The timestamp you see is created if the release-entry is created and is not updated if I exchange an underlying file.

I can still verify that the updates to third parts are correctly triggered if I use the SCIM server API. Can you give me the steps you are following, so that I can recreate this problem?

saravanad commented 2 weeks ago

The following are the steps that we follow.

  1. We have a realm A, wherein we have activated SCIM Server, so that it can be used to sync user/groups from OKTA.
  2. In the same realm A, we have created SCIM Client Configuration to push the user/group changes to Sample Spring Boot Application.

The Expectation is when User/Group are created in OKTA we would like those changes to be pushed instantly to Sample Spring Boot Application.

Currently it is getting pushed till Keycloak. After that we do a Manual Sync of Group Members, after which it is again pushed to Sample Spring Boot App.

Captain-P-Goldfish commented 2 weeks ago

I tested again. I just downloaded the artifact from my website and did the following:

  1. Set up a new realm named goldfish and activated the SCIM Server and created a Client for it
  2. Created a new realm named synchro-test and activated SCIM Server and created a Client for it
  3. Created a SCIM Client configuration that is connected to realm synchro-test and assigned it to realm goldfish
  4. Created a Group
    ```json
    {
      "schemas": [
        "urn:ietf:params:scim:schemas:core:2.0:Group"
      ],
      "displayName": "new-group-4",
      "externalId": "798f4f38-b1bb-4d65-9ddd-c59527a8cfc3",
      "id": "391f55d5-40d7-4221-b6c7-cd4a809e1260",
      "meta": {
        "resourceType": "Group",
        "created": "2024-06-16T17:57:24.416Z",
        "lastModified": "2024-06-17T16:50:45.218Z",
        "location": "https://localhost:8444/realms/goldfish/scim/v2/Groups/391f55d5-40d7-4221-b6c7-cd4a809e1260"
      }
    }
    ```

    resulted in remote group:

    ```json
    {
      "schemas": [
        "urn:ietf:params:scim:schemas:core:2.0:Group"
      ],
      "displayName": "new-group-4",
      "id": "798f4f38-b1bb-4d65-9ddd-c59527a8cfc3",
      "meta": {
        "resourceType": "Group",
        "created": "2024-06-16T17:57:24.533Z",
        "lastModified": "2024-06-17T16:50:50.337Z",
        "location": "https://localhost:8444/realms/synchro-test/scim/v2/Groups/798f4f38-b1bb-4d65-9ddd-c59527a8cfc3"
      }
    }
    ```
  5. Created a User
    ```json
    {
      "schemas": [
        "urn:ietf:params:scim:schemas:core:2.0:User"
      ],
      "id": "46f43caa-070b-471b-bb10-13a37422fc7e",
      "externalId": "5335c2c8-89f0-4bac-86f9-9edb1aeb2dec",
      "userName": "goldfish-2",
      "active": false,
      "meta": {
        "resourceType": "User",
        "created": "2024-06-16T17:51:27.558Z",
        "lastModified": "2024-06-16T17:51:27.558Z",
        "location": "https://localhost:8444/realms/goldfish/scim/v2/Users/46f43caa-070b-471b-bb10-13a37422fc7e",
        "version": "W/\"vHb2cTsqD1HjUoo4vJYr4gKxhMA=\""
      }
    }
    ```

    resulted in remote user

    ```json
    {
      "schemas": [
        "urn:ietf:params:scim:schemas:core:2.0:User"
      ],
      "id": "5335c2c8-89f0-4bac-86f9-9edb1aeb2dec",
      "userName": "goldfish-2",
      "active": false,
      "meta": {
        "resourceType": "User",
        "created": "2024-06-16T17:51:28.273Z",
        "lastModified": "2024-06-16T17:51:28.273Z",
        "location": "https://localhost:8444/realms/synchro-test/scim/v2/Users/5335c2c8-89f0-4bac-86f9-9edb1aeb2dec"
      }
    }
    ```
  6. assigned User to group with request:

    ```http
    PATCH https://localhost:8444/realms/goldfish/scim/v2/Groups/391f55d5-40d7-4221-b6c7-cd4a809e1260
    Content-Type: application/scim+json
    Authorization: Bearer {{$auth.token}}

    {
      "schemas": [
        "urn:ietf:params:scim:api:messages:2.0:PatchOp"
      ],
      "Operations": [
        {
          "op": "add",
          "path": "members",
          "value": {
            "value": "46f43caa-070b-471b-bb10-13a37422fc7e",
            "type": "User"
          }
        }
      ]
    }
    ```

    which resulted in

    ```json
    {
      "schemas": [
        "urn:ietf:params:scim:schemas:core:2.0:Group"
      ],
      "members": [
        {
          "value": "46f43caa-070b-471b-bb10-13a37422fc7e",
          "type": "User",
          "$ref": "https://localhost:8444/realms/goldfish/scim/v2/Users/46f43caa-070b-471b-bb10-13a37422fc7e",
          "display": "goldfish-2"
        }
      ],
      "displayName": "new-group-4",
      "externalId": "798f4f38-b1bb-4d65-9ddd-c59527a8cfc3",
      "id": "391f55d5-40d7-4221-b6c7-cd4a809e1260",
      "meta": {
        "resourceType": "Group",
        "created": "2024-06-16T17:57:24.416Z",
        "lastModified": "2024-06-17T16:59:53.941Z",
        "location": "https://localhost:8444/realms/goldfish/scim/v2/Groups/391f55d5-40d7-4221-b6c7-cd4a809e1260"
      }
    }
    ```

    and 5 seconds later:

    ```json
    {
      "schemas": [
        "urn:ietf:params:scim:schemas:core:2.0:Group"
      ],
      "members": [
        {
          "value": "5335c2c8-89f0-4bac-86f9-9edb1aeb2dec",
          "$ref": "https://localhost:8444/realms/synchro-test/scim/v2/Users/5335c2c8-89f0-4bac-86f9-9edb1aeb2dec",
          "display": "goldfish-2",
          "type": "User"
        }
      ],
      "displayName": "new-group-4",
      "id": "798f4f38-b1bb-4d65-9ddd-c59527a8cfc3",
      "meta": {
        "resourceType": "Group",
        "created": "2024-06-16T17:57:24.533Z",
        "lastModified": "2024-06-17T16:59:59.064Z",
        "location": "https://localhost:8444/realms/synchro-test/scim/v2/Groups/798f4f38-b1bb-4d65-9ddd-c59527a8cfc3"
      }
    }
    ```

As you can see, I cannot verify this issue.
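
Added example, not part of the thread and not the project's code: a small check that a group-membership change on the source realm has reached the downstream SCIM provider. It assumes the id mapping visible in the payloads above (a source resource's `externalId` equals the `id` of its remote counterpart); the function names are hypothetical and the sample data is trimmed from the responses in this comment.

```python
# Trimmed from the responses posted above (source realm "goldfish").
SOURCE_GROUP = {
    "id": "391f55d5-40d7-4221-b6c7-cd4a809e1260",
    "externalId": "798f4f38-b1bb-4d65-9ddd-c59527a8cfc3",
    "members": [{"value": "46f43caa-070b-471b-bb10-13a37422fc7e", "type": "User"}],
}
SOURCE_USERS = [{
    "id": "46f43caa-070b-471b-bb10-13a37422fc7e",
    "externalId": "5335c2c8-89f0-4bac-86f9-9edb1aeb2dec",
}]
# Remote realm "synchro-test", as returned 5 seconds after the PATCH.
REMOTE_GROUP = {
    "id": "798f4f38-b1bb-4d65-9ddd-c59527a8cfc3",
    "members": [{"value": "5335c2c8-89f0-4bac-86f9-9edb1aeb2dec", "type": "User"}],
}


def member_ids(group):
    """Set of member 'value' ids; a Group without 'members' yields an empty set."""
    return {m["value"] for m in group.get("members") or []}


def diff_membership(source_group, source_users, remote_group):
    """Compare source and remote membership after translating local ids.

    Assumption (from the payloads above): source externalId == remote id.
    """
    if source_group.get("externalId") != remote_group.get("id"):
        raise ValueError("remote group is not the counterpart of the source group")
    remote_id_of = {u["id"]: u.get("externalId") for u in source_users}
    expected, unmapped = set(), set()
    for local_id in member_ids(source_group):
        remote_id = remote_id_of.get(local_id)
        if remote_id:
            expected.add(remote_id)
        else:
            unmapped.add(local_id)  # member was never provisioned downstream
    actual = member_ids(remote_group)
    return {
        "missing": sorted(expected - actual),      # not yet pushed downstream
        "unexpected": sorted(actual - expected),   # downstream-only members
        "unmapped": sorted(unmapped),
    }


if __name__ == "__main__":
    print(diff_membership(SOURCE_GROUP, SOURCE_USERS, REMOTE_GROUP))
```

A non-empty `missing` list after an upstream PATCH is the symptom reported in this issue; a non-empty `unexpected` list means the downstream application still grants membership that the source no longer has.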

saravanad commented 2 weeks ago

Hi @Captain-P-Goldfish I just downloaded the 23.2.2.0 artifact and started Keycloak. I get the following checksum error. Also, I find that the file size is around 7.8 MB.

image

Last week Friday, when I downloaded the same, it was around 10 MB and I was able to get it up and running.

Captain-P-Goldfish commented 2 weeks ago

Yes, the filesize has decreased since I resolved #115. The checksum error is expected since you installed the version 2.2.0-SNAPSHOT once before. Please take a look into the file snapshot-update-manual.txt that is also displayed in your screenshot from above. This file tells you how to resolve this.

saravanad commented 2 weeks ago

Thanks @Captain-P-Goldfish . It worked.