Default client scopes of standard clients do not get intialized on realm import causing 'Forbidden' error in the account console

[gunterze]

Describe the bug

When I create a new realm, I only have to enter the name and the standard clients are created automatically and all available Default and Optional Client Scopes are assigned for each client.

When I export the realm (without group and roles and clients) , delete it and import it again, then the standard clients are created as well, but this time the Assigned Scopes are empty, which causes the 'Forbidden' error in the account console.

s. KEYCLOAK-16682

Since version 12.0.1

Version

18.0.0

Expected behavior

Actual behavior

How to Reproduce?

1. create realm
2. export realm (without group and roles and clients)
3. delete realm
4. import realm

Anything else?

If I export the realm without group and roles, but with clients, delete it and import it again, then the Assigned Scopes for standard clients get initialized, but now they did not get all of their Roles assigned, e.g.:

Expected Roles:

Actual Roles:

[kami619]

@hmlnarik

Apologies on the delay in getting to this issue.

I was able to reproduce part of the issue and can confirm the issue with Roles being truncated from default clients is not reproducible anymore.

Here is the reproduce steps in a video.

Issues resolved: The roles associated with each default client after the export and re-import of the realm are unchanged, which you can also observe in the video.

2022-11-14.20-04-24.mp4

Partial Issue observed: The number of client scopes associated with each default client seems to be reduced to only one client scope after the export and re-import as shown below.

Before:

After:

[ahus1]

Triage result: The partial export via the UI contains the client scopes. During import those client scopes are re-imported, but this doesn't trigger any logic to assign those scopes to the clients.

As the export doesn't contain the clients, it the import can't figure out what to do here, as it doesn't know which client should have which client scope assigned. At the same time the import create some essential clients, but doesn't assign them any client roles.

Similar pattern applies for roles.

To have the clients re-created with the same scopes as in the original realm and with the same roles, create a partial export with roles and clients.

Another way I found is to create a partial export without clients and roles, then manually delete the clientScopes. This will trigger the logic to re-create the client scopes and also assigns them to the clients. In my tests it also setup the client roles as expected.

@hmlnarik - with the behavior of the partial import and export being complex and not documented, I suggest to remove the two options to skip roles/groups and clients, and to always export them.

[keycloak-github-bot]

Due to the amount of issues reported by the community we are not able to prioritise resolving this issue at the moment.

If you are affected by this issue, upvote it by adding a 👍 to the description. We would also welcome a contribution to fix the issue.