p2-inc / keycloak-orgs

Single realm, multi-tenancy for SaaS apps

Organization member API returns incorrect list of users. #76

Closed grinay closed 1 year ago

grinay commented 1 year ago

Hi guys. @xgp I found a bug with the API. Using this endpoint /realms/{realm}/orgs/{orgId}/members returns not only organization users, but also the service-account-admin-cli user. This eventually led us to broken authentication for the backend, as we remove all users from the organization on request ;). Could you check that case?

xgp commented 1 year ago

@grinay We're aware of that case. There are two "service account" types that can be returned by that method:

  1. the organization service account that is automatically created with an organization (i.e. org-admin-{orgId}). We have users that want the organization service account to be returned for some use cases. I think the ideal "fix" here, without breaking backwards compatibility, is to have a query param like sa=false that defaults to true, that causes the method to return all users without service accounts.
  2. the Keycloak Client service account that was used to create an organization. This is because the default is to make the user that created the organization also a member. Nobody has asked for these to be included in the response, so I think we could safely eliminate them. The question here is, do we want the Client service account to just be removed from the response, or also never added to the organization in the first place.

xgp commented 1 year ago
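
A defensive client-side filter for the member list, as an added example (not code from keycloak-orgs or from the commenters): it drops both service-account kinds described above before any bulk removal, so a script like the reporter's cannot delete the account it authenticates with. It assumes Keycloak's `service-account-<clientId>` username convention, the `serviceAccountClientId` field of UserRepresentation, and a constructed sample response.

```python
import re

# Keycloak names a client's service-account user "service-account-<clientId>";
# keycloak-orgs names the per-organization admin account "org-admin-<orgId>".
# Matching on these names is an assumption about conventions, not an API contract.
CLIENT_SA_RE = re.compile(r"^service-account-")


def is_service_account(user: dict, org_id: str) -> bool:
    """True for either service-account kind that the members endpoint may return."""
    username = user.get("username", "")
    # Keycloak's UserRepresentation sets serviceAccountClientId on client service accounts.
    if user.get("serviceAccountClientId"):
        return True
    if CLIENT_SA_RE.match(username):
        return True
    # The organization's own admin account (org-admin-{orgId}).
    return username == f"org-admin-{org_id}"


def human_members(members: list, org_id: str) -> list:
    """Members with every service account filtered out."""
    return [m for m in members if not is_service_account(m, org_id)]


def plan_removals(members: list, org_id: str) -> tuple:
    """Split the member list into usernames safe to remove and service accounts to keep."""
    remove = [m["username"] for m in human_members(members, org_id)]
    skipped = [m["username"] for m in members if is_service_account(m, org_id)]
    return remove, skipped


# Constructed sample of GET /realms/{realm}/orgs/{orgId}/members (not real data).
SAMPLE_MEMBERS = [
    {"id": "u1", "username": "alice", "enabled": True},
    {"id": "u2", "username": "bob", "enabled": True},
    {"id": "u3", "username": "service-account-admin-cli",
     "serviceAccountClientId": "admin-cli"},
    {"id": "u4", "username": "org-admin-acme-org"},
]

if __name__ == "__main__":
    to_remove, kept = plan_removals(SAMPLE_MEMBERS, "acme-org")
    print("would remove:", to_remove)        # ['alice', 'bob']
    print("kept service accounts:", kept)    # ['service-account-admin-cli', 'org-admin-acme-org']
```

Run the real member list through `plan_removals` and act only on the first list; the second list is what the reporter's script deleted by mistake.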

FYI, we're doing both parts of 2. The Client service account will be removed from the response, and not added to the organization in the first place.

grinay commented 1 year ago

@xgp thank you guys for the fast response. Nice job.