User assigned roles don't reflect changes

[vladimirblahoz]

When user.keycloak.crossplane.io/v1alpha1/Roles resource is created using roleIdRefs attribute to populate the Role mapping for the user, it translates the roleIdRefs for Keycloak role's IDs into roleIds. This field seems to be decisive in terms of which roles are actually mapped to the user. This "translation" of refs into Ids, however, seems to be happening only during the creation of the resource. Once the list of the roles is changed (even if say one role is deleted), the roleIds field seems unaffected and nothing happens in Keycloak.

Not to mention that if for some reason a role is deleted from keycloak and crossplane recreates it during reconciliation, the role is recreated with a brand new ID which causes all this role assignments to become detached from the real resources.

[vladimirblahoz]

We have finally found the solution for the default behavior.
If anyone else bumps into the same issue, all "*Ref" attributes have an option to set

policy:
  resolve: Always

Which does exactly what you might expect. Sorry for bothering with not-a-bug. Although the default behavior is a bit unintuitive.