adorsys / keycloak-config-cli

Import YAML/JSON-formatted configuration files into Keycloak - Configuration as Code for Keycloak.
Apache License 2.0

Fails to delete authentication flow when it's referenced as an IdP first broker login flow alias #868

Open akikoskinen opened 1 year ago

akikoskinen commented 1 year ago

Current Behavior

A custom authentication flow has been set as an identity provider's first broker login flow alias. In one step the identity provider's first broker login flow alias value is changed to another authentication flow and the previous authentication flow is removed.

Keycloak-config-cli tries to first remove the authentication flow. This results in a 500 response from Keycloak. Keycloak's log shows: Cannot remove authentication flow, it is currently in use.

Expected Behavior

Keycloak-config-cli should first change the identity provider's first broker login flow alias to the new value. The authentication flow should be removed only after that.

Steps To Reproduce

No response

Environment

Anything else?

This is similar to #349 in the sense that things should be done in the correct order.

thomasdarimont commented 1 year ago

Thanks @akikoskinen for reporting this. Could you provide a reproducer for this similar to that one? https://github.com/adorsys/keycloak-config-cli/issues/623

akikoskinen commented 1 year ago

Here are files to reproduce this. I took an existing test file as a base, slightly modified to suit this case (the filenames have a .txt extension, although they are JSON files, since GitHub doesn't accept files with a .json extension). This realm file adds an identity provider with a custom first (and post, I'll return to this later) login flow.

00-initialize.json.txt

In the next step the identity provider's first login flow is reset to the Keycloak's built-in "first broker login" authentication flow and the custom authentication flow ("my custom first login flow") is removed.

01a-reset-first-login-flow.json.txt

Applying this realm change causes the error, and that is all that is needed to reproduce the original bug reported in this issue.

But I found out that this same issue also concerns the identity provider's post login flow. The 00-initialize.json file also sets a custom post login flow for the identity provider. If in a second step the post login flow is reset (this time to an empty value, which removes any post login flow from the identity provider) and the custom authentication flow is removed, the same error occurs.

01b-reset-post-login-flow.json.txt

Applying these realm files doesn't need any special options to be used. I used something like

java -jar ./keycloak-config-cli-19.0.3.jar --keycloak.url=http://localhost:8080/auth --keycloak.user=admin --keycloak.password=admin --import.files.locations=./00-initialize.json
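The ordering problem described in this issue (the expected behavior in the first comment, and both the first-login and post-login reproducer steps in the comment above) can be illustrated with a small planner. The following is an added example, not keycloak-config-cli's own import logic and not the reporter's reproducer files: it builds a constructed "current" realm representation in which an IdP references two custom flows (roughly what 00-initialize.json is described as doing), a constructed "desired" state combining the 01a and 01b resets, and then computes an operation order in which IdP flow-alias updates are applied before any authentication flow is deleted. The field names `firstBrokerLoginFlowAlias`, `postBrokerLoginFlowAlias`, `authenticationFlows`, `identityProviders` and `alias` are the Keycloak realm representation fields; the IdP alias `example-idp`, the helper names and the simulated "in use" check are assumptions made for this example.

```python
"""Order IdP flow-alias updates before authentication-flow deletions.

Added example (not keycloak-config-cli code). It simulates the check Keycloak
performs when a flow is deleted while still referenced by an identity provider,
and shows that the reporter's expected order (update IdP first, delete flow
second) succeeds where the naive order fails.
"""
import copy

# Constructed current realm state: an IdP referencing two custom flows.
CURRENT_REALM = {
    "authenticationFlows": [
        {"alias": "first broker login", "builtIn": True},
        {"alias": "my custom first login flow", "builtIn": False},
        {"alias": "my custom post login flow", "builtIn": False},
    ],
    "identityProviders": [
        {
            "alias": "example-idp",  # assumed IdP alias
            "firstBrokerLoginFlowAlias": "my custom first login flow",
            "postBrokerLoginFlowAlias": "my custom post login flow",
        },
    ],
}

# Constructed desired state: first login flow reset to the built-in flow,
# post login flow cleared, both custom flows removed.
DESIRED_REALM = {
    "authenticationFlows": [
        {"alias": "first broker login", "builtIn": True},
    ],
    "identityProviders": [
        {
            "alias": "example-idp",
            "firstBrokerLoginFlowAlias": "first broker login",
            "postBrokerLoginFlowAlias": "",
        },
    ],
}

# IdP fields that hold a reference to an authentication flow alias.
FLOW_REF_FIELDS = ("firstBrokerLoginFlowAlias", "postBrokerLoginFlowAlias")


def flow_references(realm):
    """Map flow alias -> set of IdP aliases that currently reference it."""
    refs = {}
    for idp in realm.get("identityProviders", []):
        for field_name in FLOW_REF_FIELDS:
            alias = idp.get(field_name)
            if alias:  # empty string means "no flow", so it is not a reference
                refs.setdefault(alias, set()).add(idp["alias"])
    return refs


def plan_operations(current, desired):
    """Return an ordered operation list: IdP updates first, then flow deletions.

    Raises ValueError if the desired state itself still references a flow that
    is scheduled for deletion, because no ordering could make that succeed.
    """
    current_flows = {f["alias"] for f in current["authenticationFlows"]}
    desired_flows = {f["alias"] for f in desired["authenticationFlows"]}
    flows_to_delete = current_flows - desired_flows

    current_idps = {i["alias"]: i for i in current["identityProviders"]}
    ops = []
    for idp in desired["identityProviders"]:
        old = current_idps.get(idp["alias"], {})
        changed = {
            f: idp.get(f, "")
            for f in FLOW_REF_FIELDS
            if old.get(f, "") != idp.get(f, "")
        }
        if changed:
            ops.append(("update_idp", idp["alias"], changed))

    still_referenced = flow_references(desired)
    for flow in sorted(flows_to_delete):
        if flow in still_referenced:
            raise ValueError(
                f"flow {flow!r} is still referenced by {sorted(still_referenced[flow])}"
            )
        ops.append(("delete_flow", flow))
    return ops


def apply_operations(realm, ops):
    """Apply ops to a copy of realm, refusing to delete a flow that is in use."""
    state = copy.deepcopy(realm)
    for op in ops:
        if op[0] == "update_idp":
            _, alias, changes = op
            idp = next(i for i in state["identityProviders"] if i["alias"] == alias)
            idp.update(changes)
        elif op[0] == "delete_flow":
            _, flow = op
            if flow in flow_references(state):
                # Mirrors the server-side refusal reported in the issue.
                raise ValueError(
                    f"Cannot remove authentication flow {flow!r}, it is currently in use"
                )
            state["authenticationFlows"] = [
                f for f in state["authenticationFlows"] if f["alias"] != flow
            ]
    return state


if __name__ == "__main__":
    ops = plan_operations(CURRENT_REALM, DESIRED_REALM)
    for op in ops:
        print(op)
    final = apply_operations(CURRENT_REALM, ops)
    print([f["alias"] for f in final["authenticationFlows"]])
```

Reordering the planned list so that the `delete_flow` operations run before the `update_idp` operation and feeding it to `apply_operations` reproduces the failure mode from the issue: the first deletion is refused because the IdP still points at the custom flow.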