Changing a username while keeping the email unchanged leads to 409 conflict #662

Open
tobilarscheid opened this issue Mar 9, 2022 · 9 comments
@tobilarscheid

Current Behavior

  1. Create a realm.yaml that contains a user with a name and an email address
  2. Run keycloak-config-cli to apply the realm.yaml
  3. Change the realm.yaml so that the user's email stays the same but the username is changed
  4. Rerun keycloak-config-cli --> error, 409 Conflict

Expected Behavior

A new user with the new name should be created, the old user should disappear

Steps To Reproduce

No response

Environment

  • Keycloak Version: 16.0.1
  • keycloak-config-cli Version: latest
  • Java Version: 11

Anything else?

No response

@jkroepke
Contributor

jkroepke commented Mar 9, 2022

Deleting users is currently not implemented in keycloak-config-cli, only create and update.

That's why keycloak-config-cli will not delete the old user and the new user has a conflict with the existing user.

@tobilarscheid
Author

I understand, thanks for the quick reply! Happy to provide a PR if you point me in the right direction.

@jkroepke
Contributor

jkroepke commented Mar 9, 2022

For deleting users, a remote state needs to be implemented. Otherwise, keycloak-config-cli is going to delete all users, which is a major incident.

More information here: https://github.com/adorsys/keycloak-config-cli/blob/main/docs/MANAGED.md

Take a look at how Realm Roles are handled on deletion.

    private void deleteRealmRolesMissingInImport(
            String realmName,
            List<RoleRepresentation> importedRoles,
            List<RoleRepresentation> existingRoles
    ) {
        if (importConfigProperties.isState()) {
            List<String> realmRolesInState = stateService.getRealmRoles();
            // ignore all objects that are not in state
            existingRoles = existingRoles.stream()
                    .filter(role -> realmRolesInState.contains(role.getName()))
                    .collect(Collectors.toList());
        }
        Set<String> importedRealmRoles = importedRoles.stream()
                .map(RoleRepresentation::getName)
                .collect(Collectors.toSet());
        for (RoleRepresentation existingRole : existingRoles) {
            if (KeycloakUtil.isDefaultRole(existingRole) || importedRealmRoles.contains(existingRole.getName())) {
                continue;
            }
            logger.debug("Delete realm-level role '{}' in realm '{}'", existingRole.getName(), realmName);
            roleRepository.deleteRealmRole(realmName, existingRole);
        }
    }
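
The state-scoped deletion pattern from the comment above, applied to usernames as an added example; it is not code from keycloak-config-cli or from the commenter. The class name, the `toDelete` helper and the sample usernames are hypothetical, and plain strings stand in for Keycloak user representations.

```java
import java.util.LinkedHashSet;
import java.util.List;
import java.util.Set;

// Hypothetical illustration, not keycloak-config-cli code: shows why deletion
// has to be scoped to the objects recorded in state.
public class ManagedDeletionExample {

    /**
     * Returns the usernames that would be deleted.
     *
     * @param existing usernames currently present in the realm
     * @param imported usernames declared in the import file
     * @param state    usernames recorded by a previous import, or null when
     *                 no state is kept
     */
    static Set<String> toDelete(List<String> existing, List<String> imported, Set<String> state) {
        Set<String> importedNames = Set.copyOf(imported);
        Set<String> result = new LinkedHashSet<>();
        for (String name : existing) {
            // With state: skip everything that an earlier import did not create.
            if (state != null && !state.contains(name)) {
                continue;
            }
            if (!importedNames.contains(name)) {
                result.add(name);
            }
        }
        return result;
    }

    public static void main(String[] args) {
        // Constructed sample data: two users that were never part of an import,
        // plus one user created by an earlier import as "old-name".
        List<String> existing = List.of("alice", "bob", "old-name");
        List<String> imported = List.of("new-name"); // username changed in the import file
        Set<String> state = Set.of("old-name");

        // Without state, every user missing from the file is a deletion candidate.
        System.out.println("no state:   " + toDelete(existing, imported, null));
        // With state, only the user the tool created earlier is a candidate.
        System.out.println("with state: " + toDelete(existing, imported, state));
    }
}
```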

@github-actions
Contributor

github-actions bot commented Apr 9, 2022

This issue is stale because it has been open 30 days with no activity. Remove stale label or comment or this will be closed in 5 days.

@github-actions github-actions bot added the Stale label Apr 9, 2022
@testuser7

Is there any plan to add the remote state feature?

@tobilarscheid
Author

Hi @testuser7 (what a name ;-) ), I haven't looked into it so far!

@AssahBismarkabah
Collaborator

AssahBismarkabah commented Nov 14, 2024

Hi @testuser7,

This also closes ticket #810, since the username needs to be uniquely identified.
Also, setting --import.remote-state.enable="true" should be given a trial to see if the issue persists.

@AssahBismarkabah AssahBismarkabah self-assigned this Nov 15, 2024
@Calebasah
Collaborator

After testing, I observed that Keycloak uses the username as the unique identifier for users. This causes the following behavior:

  • Changing only the username during an import results in a 409 Conflict.
  • Changing the username along with other attributes creates a new user without deleting the old one because purging users isn’t supported by keycloak-config-cli.

Recommendation:

  • Consider enabling Edit Username in the realm settings.
  • Explore alternative identifiers like email for user matching during imports.

@Motouom
Collaborator

Motouom commented Nov 21, 2024

Hi @tobilarscheid and @Calebasah,

This ticket has been resolved following the implementation of the editUsernameAllowed substitution, as referenced in issue #810.
