
Respect authorizationSettings when updating a client via Admin REST API #16998

Open
kereis opened this issue Feb 10, 2023 · 0 comments
Labels
kind/enhancement Categorizes a PR related to an enhancement status/triage

Comments

kereis commented Feb 10, 2023

Description

When creating a new Keycloak client with a ClientRepresentation containing authorizationSettingsEnabled: true and authorizationSettings, Keycloak respects these fields and maps them to their corresponding JPA fields.

When creating a new Keycloak client without the former fields and then updating it afterwards with the authorizationSettings* fields, Keycloak simply creates an authorization service with default resources instead of the ones that are provided by the ClientRepresentation of the request.

Keycloak should respect authorizationSettings when updating existing clients if they are provided, or else create default resources instead.

Discussion

No response

Motivation

I would have expected Keycloak to apply the provided authorizationSettings when updating an existing client. This use case can be crucial for e.g. the Keycloak Operator when specifying authorizationSettings in Client CRs whose Keycloak Clients already exist in Keycloak and just need updates.

Details

I scanned through org.keycloak.services.resources.admin.ClientsResource#createClient, org.keycloak.services.resources.admin.ClientResource#update and org.keycloak.authorization.admin.ResourceServerService#create.

ResourceServer#create simply creates a new authorization resource server with default credentials.

```java
if (this.resourceServer == null) {
    this.resourceServer = RepresentationToModel.createResourceServer(client, session, true);
    createDefaultPermission(createDefaultResource(), createDefaultPolicy());
    audit(ModelToRepresentation.toRepresentation(resourceServer, client), OperationType.CREATE, session.getContext().getUri(), newClient);
}
```

I imagine that Keycloak can update the ResourceServer of the client's authorization service in a similar fashion to when a client is created in org.keycloak.services.resources.admin.ClientsResource#createClient:

```java
if (Profile.isFeatureEnabled(Profile.Feature.AUTHORIZATION) && TRUE.equals(rep.getAuthorizationServicesEnabled())) {
    AuthorizationService authorizationService = getAuthorizationService(clientModel);
    authorizationService.enable(true);
    ResourceServerRepresentation authorizationSettings = rep.getAuthorizationSettings();
    if (authorizationSettings != null) {
        authorizationService.getResourceServerService().importSettings(authorizationSettings);
    }
}
```

or call ResourceServerService#update after creating a new ResourceService for authorization purposes.

```java
public Response update(ResourceServerRepresentation server) {
    this.auth.realm().requireManageAuthorization();
    this.resourceServer.setAllowRemoteResourceManagement(server.isAllowRemoteResourceManagement());
    this.resourceServer.setPolicyEnforcementMode(server.getPolicyEnforcementMode());
    this.resourceServer.setDecisionStrategy(server.getDecisionStrategy());
    audit(ModelToRepresentation.toRepresentation(resourceServer, client), OperationType.UPDATE, session.getContext().getUri(), false);
    return Response.noContent().build();
}
```
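The practical risk in the behaviour described above is policy drift: an operator or CI pipeline believes it has pushed specific resources, policies and enforcement settings, but the client ends up with the default resource server instead. The following is an added example, not code from the issue or from Keycloak, of a post-update check that compares the authorizationSettings that were sent with what a subsequent GET of the client's resource server returns. Both representations are constructed inline; the "Default ..." names and the `fetch_resource_server` callable are assumptions standing in for a real Admin REST API call.

```python
# Added example (not Keycloak's own code): after sending a ClientRepresentation update with
# authorizationSettings, read the resource server back and check that the requested
# resources/policies and enforcement fields actually landed, rather than the defaults
# Keycloak creates when the settings are ignored.
from typing import Callable

# Constructed sample input: the authorizationSettings an operator sent in the update.
REQUESTED = {
    "allowRemoteResourceManagement": False,
    "policyEnforcementMode": "ENFORCING",
    "decisionStrategy": "UNANIMOUS",
    "resources": [{"name": "Orders API", "uris": ["/orders/*"]}],
    "policies": [
        {"name": "Only admins", "type": "role"},
        {"name": "Orders admin access", "type": "resource"},
    ],
}

# Constructed sample output: what a GET of the client's resource server returned afterwards.
# It mimics a default resource server as described in the issue (placeholder values, not
# captured from a real server).
RETURNED_DEFAULTS = {
    "allowRemoteResourceManagement": True,
    "policyEnforcementMode": "ENFORCING",
    "decisionStrategy": "AFFIRMATIVE",
    "resources": [{"name": "Default Resource", "uris": ["/*"]}],
    "policies": [
        {"name": "Default Policy", "type": "js"},
        {"name": "Default Permission", "type": "resource"},
    ],
}

# Scalar fields of ResourceServerRepresentation that the update path in the issue sets.
SCALAR_FIELDS = ("allowRemoteResourceManagement", "policyEnforcementMode", "decisionStrategy")


def _names(items) -> set:
    """Collect the names of resources or policies from a representation list."""
    return {item["name"] for item in items or []}


def settings_drift(requested: dict, returned: dict) -> dict:
    """Return what differs between the requested and the actual settings.

    An empty dict means the update was applied as sent. Scalar fields are compared
    directly; resources and policies are compared by name, reporting both the
    requested entries that are missing and the unexpected ones (e.g. defaults).
    """
    drift = {}
    for field in SCALAR_FIELDS:
        if field in requested and requested[field] != returned.get(field):
            drift[field] = {"requested": requested[field], "actual": returned.get(field)}
    for key in ("resources", "policies"):
        missing = _names(requested.get(key)) - _names(returned.get(key))
        unexpected = _names(returned.get(key)) - _names(requested.get(key))
        if missing or unexpected:
            drift[key] = {"missing": sorted(missing), "unexpected": sorted(unexpected)}
    return drift


def verify_update(requested: dict, fetch_resource_server: Callable[[], dict]) -> tuple:
    """Run the drift check against whatever fetch_resource_server returns.

    fetch_resource_server is a hypothetical hook; in practice it would perform the
    authenticated GET of .../clients/{id}/authz/resource-server.
    """
    drift = settings_drift(requested, fetch_resource_server())
    return (not drift, drift)


if __name__ == "__main__":
    ok, drift = verify_update(REQUESTED, lambda: RETURNED_DEFAULTS)
    print("applied as sent" if ok else f"settings silently replaced: {drift}")
```

Running the check right after every client update (for example as a step in the operator's reconcile loop) turns the silent fallback into a visible failure, and the reported `unexpected` entries make it obvious when a default "Default Policy"/"Default Permission" pair is in place of the intended policies.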
