Admin Console: Realm Dropdown should only show the realms the user has access to

[antikalk]

Before reporting an issue

• I have read and understood the above terms for submitting issues, and I understand that my issue may be closed without action if I do not follow them.

Area

admin/ui

Describe the bug

Follow up of discussion: #25342

Basically when accessing a realm specific admin console the user sees all the realms available on the keycloak instance, even though the user does not have access to those.

This seems to be a regression with version 23, as this was not the case with v22 and prior.

Version

23.0.1

Expected behavior

Admin should only see the realms he has access to. For non-master realm admin consoles there might not be a dropdown necessary at all (as only master realm admins can have cross realm permissions afaik).

Actual behavior

In the realm specific admin console the admin can see all realms available on the keycloak instance. Even the once he does not have access to.

How to Reproduce?

1. Create multiple realms
2. Create an admin user for a non-master realm
3. Sign in the non-master realm specific admin console as that admin user

Anything else?

Looks like the newly introduced endpoint for listing the realms for the dropdown does not filter on the user permissions at all:

keycloak/rest/admin-ui-ext/src/main/java/org/keycloak/admin/ui/rest/UIRealmsResource.java

Lines 48 to 51 in 925c557

	public Stream<String> getRealmNames() {
	Stream<String> realms = session.realms().getRealmsStream().filter(Objects::nonNull).map(RealmModel::getName);
	return throwIfEmpty(realms, new ForbiddenException());
	}

[ssilvert]

I have reproduced this.

[jonkoops]

@hmlnarik this seems like a candidate for a v23 backport, WDYT?

[hmlnarik]

@jonkoops Indeed, I updated labels on PR rather than the issue :) PR for 23.0 is here: #25845

[hardoverflow]

When will 23.0.5 or the backports be released?

[Footur]

Shouldn't a CVE ID be requested for this?