Error adding clientRoles to a user

[Tijs-2]

Describe the bug
When I rollout a user with clientRoles the operator gives an error and cannot add the roles to the user.
When I then manually add the roles to the user it says that the sync is ok. So it detects the added client roles.

To Reproduce
Add the following user

apiVersion: v1.edp.epam.com/v1
kind: KeycloakRealmUser
metadata:
  name: user
spec:
  realmRef:
    name: realm
    kind: KeycloakRealm
  username: user
  firstName: "User"
  lastName: "Name"
  email: "user@example.com"
  enabled: true
  emailVerified: true
  keepResource: true
  clientRoles:
    - clientId: "realm-management"
      roles:
        - view-users
        - query-users
  roles:
    - offline_access

What did you expect to see?

I would expect to see the clientRoles attached automatically.

What did you see instead? Under which circumstances?

I get the following error in the KeycloakRealmUser:
Value: unable to sync realm user: unable to sync user client roles: error during syncOneEntityClientRole: unable to add realm role to entity, realm: life-and-beyond-dev, clientID: 1289ca2f-9507-4cea-a0dd-c0d32df02c12, entityID: 8a8eaf28-9b01-4eb6-9269-f48874c89848: 403 Forbidden: HTTP 403 Forbidden

Operator version:
Operator: 1.29
Keycloak: 26.4.2

[Tijs-2]

I just found out that the same counts for KeycloakRealmRole:

apiVersion: v1.edp.epam.com/v1
kind: KeycloakRealmRole
metadata:
  name: clientRoles
spec:
  realmRef:
    name: realm
    kind: KeycloakRealm
  name: clientRoles
  composite: true
  compositesClientRoles:
    realm-management:
      - name: view-users
      - name: query-users

I get the following error unable to put role: unable to sync realm role CR: error during createOrUpdateRealmRole: unable to add realm role composite roles: 403 Forbidden: HTTP 403 Forbidden but this one does not get created at all so cannot custom add the clientroles.

[zmotso]

@Tijs-2, Please check if your user, which you use for access to the Keycloak instance, has access to create roles.
For example, we use an admin user for e2e tests.
https://github.com/epam/edp-keycloak-operator/blob/master/tests/e2e/helm-success-path/01-install-keycloak-server.yaml#L72-L76
And roles are created successfully.
https://github.com/epam/edp-keycloak-operator/blob/master/tests/e2e/helm-success-path/08-assert-role.yaml#L13

[Tijs-2]

Thank you for your answer.

Well I use an account that has in the master realm the create-realm role.
Than that user created the realm using the operator. So I would expect that it has all the rights in the newly created realm to add the roles. I also checked if I can give the user more rights but only the impersonation is left for the new Realm for that account.

I did see in your link that this image is used: quay.io/keycloak/keycloak:26.3 so could it be a version difference, because I run keycloak 26.4.

[zmotso]

@Tijs-2 Assign admin realm role to the user, and the error will be fixed. With the role create-realm, I have the same issue.

[Tijs-2]

Ah yes you are correct, when I add the admin role to the user it works, but then it is an admin on all the realms right?
While it should only be on the realm it created. So maybe this is not an error in the operator but could it be an issue in keycloak itself?

So thinking along that I logged in manually using the account that I use for the operator.
Created a realm role, which was created, then tried to add view-clients with client id realm-management and I got an access denied.
When I assign the role manage-account from the client id account to he newly created realm role all is well and the role is added.

So this makes it more likely that there is something weird going on at keycloaks site and less on the side of the operator.

[Tijs-2]

I created a ticket at the Keycloak's repository: keycloak/keycloak#44385

Hopefully I get a response there.