Unable to remove Authorization tab from master-realm client

[hmlnarik]

Before reporting an issue

• I have read and understood the above terms for submitting issues, and I understand that my issue may be closed without action if I do not follow them.

Area

core

Describe the bug

Once permissions are enabled on a role, the master-client shows Authorization tab (since the authorizationServicesEnabled flag is enabled in respective ClientRepresentation). Disabling the permissions in the role however has no impact on the authorizationServicesEnabled flag which remains true with no way to switch it to false, even if there is now no object for which permissions are enabled.

Version

main

Regression

• The issue is a regression

Expected behavior

When no permissions are enabled, the authorizationServicesEnabled is false.

Actual behavior

When no permissions are enabled, the authorizationServicesEnabled remains true if previously enabled.

How to Reproduce?

1. Go to master-realm client and check there is no Authorization tab (its visibility is controlled by authorizationServicesEnabled flag)
2. Create a new role in master realm
3. In the role detail, enable permissions
4. Go to master-realm client and check there is now Authorization tab displayed
5. Back in the role detail, disable permissions
6. Go to master-realm client and check the Authorization tab is still displayed

Anything else?

This caused #29440.

Similar (if not the exactly the same) issue is #29423

[sschu]

Is this the same as #29423?

[hmlnarik]

@sschu Yes. I am keeping this open and closing the other since this is not a UI but core issue that manifests itself on UI.

[Jamstah]

I feel like it may be a UI bug - why is the tab not just always shown, and just doesn't show data if there is none to show?

The link between the tab showing and the functionality being enabled seems weak to me - it depends on things outside of the master-realm client itself.

[hmlnarik]

@Jamstah Authorization tab is meaningless for clients unused for authorization. Hence the tab should not be visible. UI has not enough information to decide whether permissions are enabled for a particular client, this data is available in the server though. Authz applicability is signalled to the UI using the authorizationServicesEnabled flag which is correctly respected by the UI - hence UI behaves correctly. Thus this is a core issue.

[Jamstah]

I'm not sure I completely agree, I don't think the UX of the master realm client should change depending on the configuration of other clients.

I do agree that there is a core bug!

However, as long as it isn't impacting the tests, I'm not going to worry about it :)

[pedroigor]

The way fine-grained admin works, the authz settings are stored within the realm management client. That is why enabling permissions on any client ends up showing this tab at the realm management client. If you are in the master realm, the master-realm client is used instead.

Disabling permissions does not disable the flag in the client itself but only removes the authz-related data associated with users, roles, clients, groups, etc.

We can improve so I'm adding priority normal and adding to our backlog. We have plans to review fine-grained admin in the future so we can handle this one at that time.

Please, let me know if you think otherwise.

[keycloak-github-bot]

Due to the amount of issues reported by the community we are not able to prioritise resolving this issue at the moment.

If you are affected by this issue, upvote it by adding a 👍 to the description. We would also welcome a contribution to fix the issue.