Removing all group attributes no longer works with keycloak-admin-client (java)

[danielFesenmeyer]

Before reporting an issue

• I have read and understood the above terms for submitting issues, and I understand that my issue may be closed without action if I do not follow them.

Area

admin/client/java

Describe the bug

With Keycloak 22.x and previous versions, it was possible to remove all group attributes like this:

var group = groupResource.toRepresentation();
group.setAttributes(Collections.emptyMap());
groupResource.update(group);

This does no longer work with Keycloak 23.0.3. The group attributes remain unchanged.

Version

23.0.3

Expected behavior

All group attributes should be removed.

Actual behavior

The group attribues remain unchanged.

How to Reproduce?

See example code in the description.

Anything else?

Seems this has been introduced by this commit: #22700.
Because there is now this annotation on GroupRepresentation
@JsonInclude(JsonInclude.Include.NON_EMPTY)

This annotation causes the empty attributes not to be included in the request, and being ignored on the server, because the server removes attributes only when they are empty, not null.

[mposolda]

Adding both areas admin/api and storage as it is possible that this is related to both storage and admin REST API.

And marking as critical for now until we investigate what is going on.

[mposolda]

I am unmarking as critical and marking as important . We may try to fix in Keycloak 24 if we have time, but probably not strictly a blocker. Not 100% sure, but it seems the issue is not on the server-side, but just in the java admin client.

When testing with the admin console with the scenario like this:

• Go to some group in the admin console UI
• Add attribute foo to the group and update group
• Remove attribute foo (so the group does not have any attributes) and update group
• Now the admin console send the HTTP PUT request with the group JSON with the attributes like "attributes": {} . On the server-side (in GroupResource.updateGroup() ), the group has attributes set as empty map, which causes attributes field to update correctly and existing attributes are removed from the group.

On the other hand, when testing with admin client, then the group in the GroupResource.updateGroup() has attributes set as null, which means existing attributes are not removed.

@danielFesenmeyer If you have a chance to send PR for this, it would be welcome.

[danielFesenmeyer]

@mposolda OK, I've just started working on it.

[mposolda]

@danielFesenmeyer Feel free to send PR also to release/23.0 if you want to have this in Keycloak 23.0.4 release. Please see https://github.com/keycloak/keycloak/blob/main/.github/scripts/pr-backport.sh for easily allow to create backporting PRs.

[danielFesenmeyer]

@mposolda Created a PR for release/23.0: #26030