mirror/keycloak
1
0
Fork 0
mirror of https://github.com/keycloak/keycloak.git synced 2025-12-21 06:20:05 -06:00
Code Issues Packages Projects Releases Wiki Activity

Skip update email required action if email attribute is not writable

Browse Source 
Closes #41035

Signed-off-by: Martin Kanis <mkanis@redhat.com>
This commit is contained in:
Martin Kanis
2025-08-08 11:45:54 +02:00
committed by Pedro Igor
parent 71cd3d5d2f
commit 6a77072098
2 changed files with 41 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

8
services/src/main/java/org/keycloak/authentication/requiredactions/UpdateEmail.java
View File

@@ -123,6 +123,14 @@ public class UpdateEmail implements RequiredActionProvider, RequiredActionFactor
if (isEnabled(context.getRealm())) {
KeycloakSession session = context.getSession();
// skip and clear UPDATE_EMAIL required action if email is readonly
UserProfileProvider profileProvider = context.getSession().getProvider(UserProfileProvider.class);
UserProfile profile = profileProvider.create(UserProfileContext.UPDATE_EMAIL, context.getUser());
if (profile.getAttributes().isReadOnly(UserModel.EMAIL)) {
context.getUser().removeRequiredAction(UserModel.RequiredAction.UPDATE_EMAIL);
return;
}
if (session.getAttributeOrDefault(FORCE_EMAIL_VERIFICATION, Boolean.FALSE)) {
sendEmailUpdateConfirmation(context, false);
return;

33
testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/actions/RequiredActionUpdateEmailTest.java
View File

@@ -18,13 +18,17 @@ package org.keycloak.testsuite.actions;
import static org.junit.Assert.assertEquals;
import static org.junit.Assert.assertFalse;
import static org.keycloak.userprofile.UserProfileConstants.ROLE_USER;
import static org.keycloak.userprofile.UserProfileConstants.ROLE_ADMIN;
import java.util.List;
import java.util.Set;
import java.util.stream.Collectors;
import org.hamcrest.MatcherAssert;
import org.hamcrest.Matchers;
import org.junit.Assert;
import org.junit.Test;
import org.keycloak.admin.client.resource.UserProfileResource;
import org.keycloak.admin.client.resource.UserResource;
import org.keycloak.events.Details;
import org.keycloak.events.EventType;
@@ -32,6 +36,9 @@ import org.keycloak.models.UserModel;
import org.keycloak.representations.idm.EventRepresentation;
import org.keycloak.representations.idm.UserRepresentation;
import org.keycloak.representations.idm.UserSessionRepresentation;
import org.keycloak.representations.userprofile.config.UPAttribute;
import org.keycloak.representations.userprofile.config.UPAttributePermissions;
import org.keycloak.representations.userprofile.config.UPConfig;
import org.keycloak.testsuite.pages.AppPage;
import org.keycloak.testsuite.util.oauth.OAuthClient;
@@ -102,4 +109,30 @@ public class RequiredActionUpdateEmailTest extends AbstractRequiredActionUpdateE
public void updateEmailLogoutSessionsNotChecked() {
updateEmail(false);
}
@Test
public void updateEmailRequiredActionWhenEmailIsReadonly() {
UserProfileResource userProfile = testRealm().users().userProfile();
UPConfig upConfigOld = userProfile.getConfiguration();
UPConfig upConfig = userProfile.getConfiguration();
upConfig.addOrReplaceAttribute((new UPAttribute(UserModel.EMAIL, new UPAttributePermissions(Set.of(ROLE_USER, ROLE_ADMIN), Set.of(ROLE_ADMIN)))));
getCleanup().addCleanup(() -> {
userProfile.update(upConfigOld);
});
userProfile.update(upConfig);
configureRequiredActionsToUser("test-user@localhost", UserModel.RequiredAction.UPDATE_EMAIL.name());
UserResource testUser = testRealm().users().get(findUser("test-user@localhost").getId());
assertEquals(1, testUser.toRepresentation().getRequiredActions().size());
loginPage.open();
loginPage.login("test-user@localhost", "password");
// UPDATE_EMAIL required action is skipped and cleared
appPage.assertCurrent();
assertEquals(0, testUser.toRepresentation().getRequiredActions().size());
}
}