Fix n+1 queries requesting users on admin api #12167

Open
sschu opened this issue May 24, 2022 · 0 comments
Labels
kind/enhancement Categorizes a PR related to an enhancement status/triage

sschu commented May 24, 2022

Description

When fetching users with a brief representation using the admin API, Keycloak eager-loads per-user data with n+1 queries although the fetched data is not actually returned to the client. I would like to remove these n+1 queries and lazy-load this data instead.

I will also provide a PR for this as a basis for discussion.

Discussion

No response

Motivation

We have some customers using the admin API to sync user information into external data stores, e.g. for easier search or extended user data analysis. For this, typically larger page sizes are used and n+1 queries make up a large part of the processing times of these requests, although the fetched data is not used. Removing these queries would speed up these requests by a large amount.

Details

Keycloak currently emits 2 n+1 queries if the requesting client has manage-users permissions and another query if the requesting client only has view permissions:

  1. One query to fetch the credentials of the user since they are automatically loaded when the user is put into the cache using the onCache()-method. That's probably a good idea when the user is actually creating a session, but not when it is only returned via the admin API.
  2. One query loading all user attributes. Although only basic attributes (username, first name, last name, etc.) are returned, all user attributes are immediately loaded. This is due to how the new user profile was implemented not making a differentiation on where these basic attributes are stored: the USER_ENTITY or the USER_ATTRIBUTE table.
  3. One query requesting the group memberships of a user. There is information in the response on the access information the requesting client has on this user. This is used in the admin console to render EDIT buttons for example. If the requesting client does not have manage-users role on the realm, Keycloak tries to find out whether the client has fine-grained manage permissions on that user due to his group membership - even when fine-grained permissions are not enabled on a realm. This should at least be fixed to only run when fine-grained permissions are enabled. Alternatively, returning this access information can be made optional (breaking change) or suppressible using a parameter (non-breaking but less intuitive/clean) since this information is probably just used in the admin console and not for syncing users to other systems.
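
The query pattern described in the first two items above, as an added example that is not part of the original issue and is not Keycloak code: it counts the queries a brief user listing issues with eager per-user loading versus lazy loading. USER_ENTITY and USER_ATTRIBUTE are named in the issue; the CREDENTIAL table, every column name, the class and function names, and the use of SQLite are assumptions made for illustration.

```python
import sqlite3

def make_db(n_users=5):
    """Constructed sample data; CREDENTIAL and all column names are assumptions."""
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE USER_ENTITY (ID INTEGER PRIMARY KEY, USERNAME TEXT, FIRST_NAME TEXT);
        CREATE TABLE USER_ATTRIBUTE (USER_ID INTEGER, NAME TEXT, VALUE TEXT);
        CREATE TABLE CREDENTIAL (USER_ID INTEGER, TYPE TEXT);
    """)
    for i in range(n_users):
        db.execute("INSERT INTO USER_ENTITY VALUES (?, ?, ?)", (i, f"user{i}", f"First{i}"))
        db.execute("INSERT INTO USER_ATTRIBUTE VALUES (?, 'department', 'eng')", (i,))
        db.execute("INSERT INTO CREDENTIAL VALUES (?, 'password')", (i,))
    return db

class CountingDb:
    """Wraps a connection and counts every query sent through it."""
    def __init__(self, db):
        self.db, self.count = db, 0
    def query(self, sql, args=()):
        self.count += 1
        return self.db.execute(sql, args).fetchall()

class User:
    """Basic fields come from the USER_ENTITY row; everything else loads on first access."""
    def __init__(self, cdb, row):
        self.cdb, self._cache = cdb, {}
        self.id, self.username, self.first_name = row
    def _lazy(self, key, sql):
        if key not in self._cache:  # at most one query per user and key
            self._cache[key] = self.cdb.query(sql, (self.id,))
        return self._cache[key]
    @property
    def attributes(self):
        return dict(self._lazy("attrs", "SELECT NAME, VALUE FROM USER_ATTRIBUTE WHERE USER_ID = ?"))
    @property
    def credentials(self):
        return [t for (t,) in self._lazy("creds", "SELECT TYPE FROM CREDENTIAL WHERE USER_ID = ?")]

def list_brief(db, eager):
    """Return (brief representations, number of queries issued for the page)."""
    cdb = CountingDb(db)
    users = [User(cdb, r) for r in cdb.query(
        "SELECT ID, USERNAME, FIRST_NAME FROM USER_ENTITY ORDER BY ID")]
    if eager:  # the behaviour the issue describes: per-user loads nobody reads
        for u in users:
            u.attributes, u.credentials
    brief = [{"id": u.id, "username": u.username, "firstName": u.first_name} for u in users]
    return brief, cdb.count
```

With a page of n users the eager path issues 1 + 2n queries and the lazy path issues 1, while both return the same brief representation.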