mayope / keycloakmigration

Manage your Keycloak configuration with code.
https://mayope.net
MIT License

Migrations broken with Keycloak version 24 #77

Closed ataraxus closed 2 months ago

ataraxus commented 2 months ago

With version 24.0 Keycloak introduced a new concept on how to manage user attributes: https://www.keycloak.org/docs/latest/server_admin/#_understanding-managed-and-unmanaged-attributes

If one migrates from an earlier version than 24.0, KC sets the default for this to "Enabled".

If one starts with a blank version >=24.0, then the default is "Disabled". With this new setting at its default, KC Migration can't store its metadata in the user attributes.

There could be three ways to tackle this issue, before applying migrations:

  1. check the setting and set it to "enabled" - not recommended by KC
  2. check the setting and set it to "Admin can edit" - would be more "secure"
  3. add "migrations" to the user profile for this realm - I guess this would be most favorable for admins using a user from the master realm.
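The third option, written out as an added example in Python (not code from keycloakmigration): it takes the user-profile JSON that Keycloak 24 serves at GET /admin/realms/{realm}/users/profile, declares a managed attribute that only admins may view or edit, and returns the document you would PUT back to the same endpoint. The attribute name "migrations" is the one floated above, and the sample profile is constructed for the demo.

```python
import copy

# Attribute name proposed in the issue; assumed here, the project may pick another.
ATTRIBUTE_NAME = "migrations"

# Constructed sample of a Keycloak 24 user-profile config, shaped like the body
# of GET /admin/realms/{realm}/users/profile on a freshly created realm.
# No "unmanagedAttributePolicy" key means unmanaged attributes are disabled,
# which is the situation that blocks the migration metadata write.
SAMPLE_PROFILE = {
    "attributes": [
        {"name": "username", "displayName": "${username}",
         "permissions": {"view": ["admin", "user"], "edit": ["admin", "user"]}},
        {"name": "email", "displayName": "${email}",
         "permissions": {"view": ["admin", "user"], "edit": ["admin", "user"]}},
    ],
    "groups": [{"name": "user-metadata", "displayHeader": "User metadata"}],
}


def unmanaged_policy(profile: dict) -> str:
    """Report how the realm treats attributes not declared in the profile."""
    return profile.get("unmanagedAttributePolicy", "DISABLED")


def add_migrations_attribute(profile: dict) -> dict:
    """Return a copy of the profile declaring the migration-metadata attribute.

    Permissions are admin-only for both view and edit, so an end user cannot
    read or tamper with the migration bookkeeping stored on the account.
    Calling it twice leaves the result unchanged.
    """
    result = copy.deepcopy(profile)
    admin_only = {"view": ["admin"], "edit": ["admin"]}
    for attr in result["attributes"]:
        if attr["name"] == ATTRIBUTE_NAME:
            attr["permissions"] = admin_only   # re-assert least privilege
            return result
    result["attributes"].append({
        "name": ATTRIBUTE_NAME,
        "displayName": "Migration metadata",
        "permissions": admin_only,
    })
    return result


def attributes_editable_by_users(profile: dict) -> list:
    """Names of declared attributes that end users may edit themselves."""
    return [a["name"] for a in profile["attributes"]
            if "user" in a.get("permissions", {}).get("edit", [])]
```

Checking `attributes_editable_by_users` after the change is the quick way to confirm the new attribute did not end up self-service editable.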
klg71 commented 2 months ago

Hey @ataraxus thanks for opening the issue. I looked into the topic and I would prefer the third option. I will try to schedule the implementation for the oncoming weeks.

klg71 commented 2 months ago

I released a release candidate: https://github.com/mayope/keycloakmigration/releases/tag/0.2.56.RC3. Could you test it @ataraxus ?

ataraxus commented 2 months ago

@klg71 Thanks for the heads-up and quick turnaround! I will test it asap on Monday.

ataraxus commented 2 months ago

So I ran some tests and it looks good so far, except for backwards compatibility:

  - KC23+KCM0.2.55 -> KC24+KCM0.2.56RC3 ✅
  - emptyDB -> KC24+KCM0.2.56RC3 ✅
  - emptyDB -> KC23+KCM0.2.56RC3 ❌

```text
[main] KeycloakMigration - Error occurred while migrating: sys-add-realm
feign.FeignException: Instantiation of [simple type, class de.klg71.keycloakmigration.keycloakapi.model.Realm] value failed for JSON property firstBrokerLoginFlow due to missing (therefore NULL) value for creator parameter firstBrokerLoginFlow which is a non-nullable type
 at [Source: (BufferedReader); line: 1, column: 4228] (through reference chain: java.util.ArrayList[0]->de.klg71.keycloakmigration.keycloakapi.model.Realm["firstBrokerLoginFlow"]) reading GET http://localhost:8080/auth/admin/realms
```
klg71 commented 2 months ago

I found another problem with KC23. They changed the API endpoint to update realms in KC24 to /admin/realms/{realmname}/ui-ext. This endpoint doesn't exist in KC23. I fear I will have to release 2 versions because I don't want to put version-specific code into kcm.

ataraxus commented 2 months ago

At least for me this is not a problem. I bundle my docker KC image with Keycloak Migration...

OT: I had a glance at the Kotlin code, not my daily driver though, why do you replicate the KC REST interface and don't use KC Admin?

klg71 commented 2 months ago

> OT: I had a glance at the Kotlin code, not my daily driver though, why do you replicate the KC REST interface and don't use KC Admin?

At the start of this project you couldn't do all the stuff through the API that you can do in the GUI. Apart from that I don't like the way the DSL is written. I think feign simplifies this a lot and doesn't hide the fact that you are calling an API.

ataraxus commented 2 months ago

This issue is closed IMHO. Would be nice if you could release a new version. Again thanks for your effort!