Keycloak / KEYCLOAK-8281

Deletion of client and users with token exchange policy leads to breaking errors

    Details

    • Sprint:
      Keycloak Sprint 12
    • Story Points:
      1
    • Steps to Reproduce:
      1) Turn on token exchange:

      • Create a new client "test"
      • Turn on Permissions
      • Click on token exchange
      • Create Client policy for token exchange permission
      • Add client "test" to this client policy

      2) Create another client with the same token exchange policy "test 2"; both clients should be present in the policy

      3) Delete a client "test"
      4) Go back to the same permission, results in 404 on Keycloak Admin console
      5) Token exchange for "test 2" is broken and results in

      {"error":"access_denied","error_description":"Client not allowed to exchange"}
    • Docs QE Status:
      NEW
    • QE Status:
      NEW

      Description

      See steps to reproduce of this issue.
      This is critical as it affects token exchange of other clients.

      Dirty workaround to fix:
      1) Go to Admin console, check in browser Inspector which client id is returning 404, take note of UUID
      2) Connect to Keycloak database
      3) In table "policy_config" find this UUID for the policy which is broken
      4) Restart all Keycloak instances in order to clear the cache

      Some of the error logs from server:

      (default task-28) Failed to run permission check: java.lang.NullPointerException\n\tat org.keycloak.authorization.policy.provider.client.ClientPolicyProvider.evaluate(ClientPolicyProvider.java:32)
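
An added example, not part of the issue and not Keycloak's code: a Python audit that lists client policies still referencing deleted client UUIDs, plus a simplified null-safe model of the policy check. Only the table name "policy_config" comes from the issue; the column names, the JSON-array encoding, the sample UUIDs and the `evaluate` helper are assumptions, run here against a constructed in-memory SQLite database.

```python
import json
import sqlite3

# Constructed stand-in for the Keycloak database. Only the table name
# "policy_config" comes from the issue; the column names and the JSON-array
# encoding of client UUIDs are assumptions made for this example.
SCHEMA = """
CREATE TABLE client (id TEXT PRIMARY KEY, client_id TEXT);
CREATE TABLE policy_config (policy_id TEXT, name TEXT, value TEXT);
"""

def build_sample_db():
    """State after step 3: client "test" is deleted, its UUID stays in the policy."""
    db = sqlite3.connect(":memory:")
    db.executescript(SCHEMA)
    db.execute("INSERT INTO client VALUES ('uuid-test2', 'test 2')")
    db.execute("INSERT INTO policy_config VALUES ('policy-1', 'clients', ?)",
               (json.dumps(["uuid-test", "uuid-test2"]),))
    db.execute("INSERT INTO policy_config VALUES ('policy-2', 'clients', ?)",
               (json.dumps(["uuid-test2"]),))
    return db

def find_dangling_client_refs(db):
    """Return {policy_id: [referenced client UUIDs with no row in client]}."""
    existing = {row[0] for row in db.execute("SELECT id FROM client")}
    dangling = {}
    query = "SELECT policy_id, value FROM policy_config WHERE name = 'clients'"
    for policy_id, value in db.execute(query):
        try:
            refs = json.loads(value)
        except (TypeError, ValueError):
            refs = None
        if not isinstance(refs, list):
            dangling[policy_id] = ["<unparseable config>"]  # flag for manual review
            continue
        missing = [ref for ref in refs if ref not in existing]
        if missing:
            dangling[policy_id] = missing
    return dangling

def evaluate(db, policy_id, requesting_client_id):
    """Simplified, null-safe model of a client policy check (not Keycloak's code)."""
    row = db.execute("SELECT value FROM policy_config WHERE policy_id = ? "
                     "AND name = 'clients'", (policy_id,)).fetchone()
    for ref in json.loads(row[0]) if row else []:
        client = db.execute("SELECT client_id FROM client WHERE id = ?", (ref,)).fetchone()
        if client is None:
            continue  # deleted client: skip it instead of dereferencing a missing row
        if client[0] == requesting_client_id:
            return True
    return False
```

Running the audit before and after client deletions shows which policies need cleanup before another client's token exchange starts failing.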


              People

              • Assignee:
                pcraveiro Pedro Igor
              • Reporter:
                yuriy.yunikov Yuriy Yunikov
              • Votes:
                0
              • Watchers:
                3