New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Conditional user attribute authenticator misfunction #14837
Comments
I want to work on it after correct behavior are defined. |
Thanks for the report, but unfortunately due the amount of other reported issues and other priorities, Keycloak team does not have time to properly triage this bug. So preliminary added to Backlog for now.
|
Hi @gilvansfilho! The code for the user condition is here. I think you are right and maybe the condition can check first if Very sorry for commenting so late. I'm adding the help wanted and moving the issue to backlog for now. |
Due to the amount of issues reported by the community we are not able to prioritise resolving this issue at the moment. If you are affected by this issue, upvote it by adding a 👍 to the description. We would also welcome a contribution to fix the issue. |
Change behaviour of that authenticator could lead to unexpected behaviour for ones which already use so I was thinking if is not better to deprecate that and create a new one with enhanced behaviour? WDYT @rmartinc ? |
Describe the bug
Conditional user attribute authenticator are a bit confusing.
The docs say:
This checks if the user has set up the required attribute. There is a possibility to negate output, which means the user should not have the attribute.
but help text saysFlow is executed only if the user attribute exists and has the expected value
.So what is correct expected behavior? Once there is a config to set expected attribute value I think the way this should work is:
false
regardless of the valuenegate
checkboxtrue
except ifnegate
aretrue
false
except ifnegate
aretrue
However for this works properly
Expected attribute value
must be mandatory and today that do not is.Following scenario illustrate better the problem:
user attribute
(Attribute name)expected value
(Expected attribute value)Negate output
If server admin are trying to validate if user has "foo" attribute with value equals to "" this will work as expected evaluating to
false
as "bar" != "" but otherwise if server admin are trying to validate only if user has "foo" attribute regardless their value this will not work as expected (expectedtrue
but evaluated tofalse
)Version
19.0.3
Expected behavior
No response
Actual behavior
No response
How to Reproduce?
No response
Anything else?
No response
The text was updated successfully, but these errors were encountered: