Conditional user attribute authenticator misfunction

[gilvansfilho]

Describe the bug

Conditional user attribute authenticator are a bit confusing.

The docs say: This checks if the user has set up the required attribute. There is a possibility to negate output, which means the user should not have the attribute. but help text says Flow is executed only if the user attribute exists and has the expected value.

So what is correct expected behavior? Once there is a config to set expected attribute value I think the way this should work is:

• if user dont have the specified attribute the conditional should always evaluate to false regardless of the value negate checkbox
• if user have the specified attribute AND expected value are equals of user attribute value the conditional should evaluate to true except if negate are true
• if user have the specified attribute AND expected value are not equals of user attribute value the conditional should evaluate to false except if negate are true

However for this works properly Expected attribute value must be mandatory and today that do not is.

Following scenario illustrate better the problem:

• "foo" as user attribute (Attribute name)
• "" as expected value (Expected attribute value)
• false as Negate output
• user have "foo" attribute with "bar" value

If server admin are trying to validate if user has "foo" attribute with value equals to "" this will work as expected evaluating to false as "bar" != "" but otherwise if server admin are trying to validate only if user has "foo" attribute regardless their value this will not work as expected (expected true but evaluated to false)

Version

19.0.3

Expected behavior

No response

Actual behavior

No response

How to Reproduce?

No response

Anything else?

No response

[gilvansfilho]

I want to work on it after correct behavior are defined.

[mposolda]

Thanks for the report, but unfortunately due the amount of other reported issues and other priorities, Keycloak team does not have time to properly triage this bug. So preliminary added to Backlog for now.
It will be helpful if:

• You can verify if still applicable in latest Keycloak released version. If not, then it is welcome to close this issue.
• If you figure that this may not be a valid bug (for example just a mistake in configuration etc), it will be also welcome to close this issue
• If still applicable in latest version, it will be welcome to add the comment as well, that this was still reproduced with latest Keycloak version as it is very valuable info. Anyone is welcome to comment with this or add other relevant comments to this issue.

[rmartinc]

Hi @gilvansfilho!

The code for the user condition is here. I think you are right and maybe the condition can check first if attributeName and attributeValue are defined, if they are not, just return false (it's bad configured). I also agree that the Attribute name and the Expected attribute value should be compulsory in the configuration (if the admin wants to configure any value, he/she can use a regex). Feel free to tune any text if you think they are misleading.

Very sorry for commenting so late. I'm adding the help wanted and moving the issue to backlog for now.

[keycloak-github-bot]

Due to the amount of issues reported by the community we are not able to prioritise resolving this issue at the moment.

If you are affected by this issue, upvote it by adding a 👍 to the description. We would also welcome a contribution to fix the issue.

[gilvansfilho]

Change behaviour of that authenticator could lead to unexpected behaviour for ones which already use so I was thinking if is not better to deprecate that and create a new one with enhanced behaviour?

WDYT @rmartinc ?