Current Behavior
The support for client policies management introduced in version 5.7.0 has an issue: client policies are imported after the clients, so the clients are configured without the desired policies applied.
Please consider the experimental feature of client secret rotation. The rotation is enabled/disabled according to the condition provided in the policy (e.g. for confidential clients). Then, during the realm configuration, we disable already existing policies in de.adorsys.keycloak.config.service.RealmImportService:
After that, we import the appropriate resources in the following order:
Effectively, the clientImportService.doImport(...) step is done when no custom policies exist in the realm and, consequently, it disables the client secret rotation for the configured clients.
Expected Behavior
The client policies have to be imported before clients. Then the desired policies will have the expected effect on the configured clients.
Steps To Reproduce
1. Enable the secret rotation feature.
2. Configure the policy for the client secret rotation for the confidential clients as shown in the [tutorial](https://www.keycloak.org/docs/22.0.4/server_admin/index.html#_secret_rotation).
3. Add a confidential service account client.
4. Apply the realm configuration with the CLI tool.
5. Generate a new secret for the client (the old secret is still acceptable).
6. Change the description of the client in the configuration json.
7. Import the configuration once again.
The secret rotation is disabled after step #7 and the former secret is not accepted.
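A post-import check for the situation described above, added here as an example (it is not part of this issue or of keycloak-config-cli). It parses a realm export and reports confidential clients that are not covered by an enabled client policy whose profile carries a secret-rotation executor. The export structure (`clientProfiles.profiles[].executors[]`, `clientPolicies.policies[].conditions[]`), the executor id `secret-rotation` and the condition id `client-access-type` follow the Keycloak representation as I know it; the sample realm JSON is constructed for the example.

```python
import json
import sys

# Constructed sample of a Keycloak realm export (assumed shape of the
# clientProfiles / clientPolicies representation); not from the issue.
SAMPLE_REALM_JSON = """
{
  "realm": "example",
  "clients": [
    {"clientId": "svc-account-client", "publicClient": false,
     "bearerOnly": false, "serviceAccountsEnabled": true},
    {"clientId": "spa-client", "publicClient": true}
  ],
  "clientProfiles": {
    "profiles": [
      {"name": "rotate-secrets",
       "executors": [{"executor": "secret-rotation",
                      "configuration": {"expiration-period": "3600",
                                        "rotated-expiration-period": "600",
                                        "remain-expiration-period": "300"}}]}
    ]
  },
  "clientPolicies": {
    "policies": [
      {"name": "confidential-secret-rotation", "enabled": true,
       "conditions": [{"condition": "client-access-type",
                       "configuration": {"type": ["confidential"]}}],
       "profiles": ["rotate-secrets"]}
    ]
  }
}
"""


def sample_realm():
    """Parsed copy of the constructed sample export."""
    return json.loads(SAMPLE_REALM_JSON)


def secret_rotation_profiles(realm):
    """Names of client profiles that contain a secret-rotation executor."""
    profiles = realm.get("clientProfiles", {}).get("profiles", [])
    return {p["name"] for p in profiles
            if any(e.get("executor") == "secret-rotation"
                   for e in p.get("executors", []))}


def confidential_clients(realm):
    """clientIds of clients that are neither public nor bearer-only."""
    return [c["clientId"] for c in realm.get("clients", [])
            if not c.get("publicClient", False)
            and not c.get("bearerOnly", False)]


def active_rotation_policies(realm):
    """Enabled policies binding a secret-rotation profile to confidential clients."""
    rotating = secret_rotation_profiles(realm)
    names = []
    for pol in realm.get("clientPolicies", {}).get("policies", []):
        if not pol.get("enabled", False):
            continue  # exactly what the bug leaves behind: a disabled policy
        if not rotating.intersection(pol.get("profiles", [])):
            continue
        targets_confidential = any(
            cond.get("condition") == "client-access-type"
            and "confidential" in cond.get("configuration", {}).get("type", [])
            for cond in pol.get("conditions", []))
        if targets_confidential:
            names.append(pol["name"])
    return names


def check_realm(realm):
    """Return (ok, findings); ok is False when confidential clients exist
    but no enabled secret-rotation policy covers them."""
    clients = confidential_clients(realm)
    policies = active_rotation_policies(realm)
    findings = []
    if clients and not policies:
        findings.append("%d confidential client(s) without an enabled "
                        "secret-rotation policy: %s"
                        % (len(clients), ", ".join(clients)))
    return (not findings, findings)


def disable_all_policies(realm):
    """Reproduce the state the issue describes: every existing client
    policy disabled before the clients are imported. Returns a new dict."""
    copy = json.loads(json.dumps(realm))
    for pol in copy.get("clientPolicies", {}).get("policies", []):
        pol["enabled"] = False
    return copy


if __name__ == "__main__":
    # Usage: python check_rotation.py [realm-export.json]
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8") as fh:
            realm = json.load(fh)
    else:
        realm = sample_realm()
    ok, findings = check_realm(realm)
    print("OK" if ok else "\n".join(findings))
    sys.exit(0 if ok else 1)
```

Run it over a realm export taken after the keycloak-config-cli import (for example a partial export from the admin console); a non-zero exit means the rotation policy did not survive the import, which is the condition step #7 above produces.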
Environment
Keycloak Version: 22.0.5
keycloak-config-cli Version: 5.10.0
Java Version: 11
Anything else?
No response