Skip to content

🐛 keycloak: Subgroups imports not working cause Keycloak >26.4.0 restrict the use of the server info endpoint #6065

New issue
New issue
Open
Open
🐛 keycloak: Subgroups imports not working cause Keycloak >26.4.0 restrict the use of the server info endpoint#6065
Labels
bugSomething isn't workingworkspace/keycloak
@gerritc

Description

@gerritc
gerritc
opened on Nov 17, 2025

Workspace

keycloak

📜 Description

Starting with Keycloak 26.4.0 the serverinfo endpoints stopped serving the systemInfo containing the Keycloak version which is used to determine the mechanism for loading the subgroups.

From the Release Notes:

The serverinfo endpoint only returns the system info for administrators in the administrator realm
Starting with this version, the serverinfo endpoint, which is used by the admin console to obtain some general information of the Keycloak installation, will only return the system information for administrators in the administration (master) realm. This change was done for security reasons.
If, for whatever reason, an administrator in a common realm needs to access the systemInfo, cpuInfo or memoryInfo fields of the serverinfo response, you need to create and assign a new view-system role to that admin user:
In the affected realm, select the management client realm-management, and, in the Roles tab, create a new role called view-system.
In Users select the administrator account, and, in the Role mapping tab, assign the just created view-system client role to the admin user.
The previous workaround is marked as deprecated and it can be removed in a future version of Keycloak.

👍 Expected behavior

The subgroups are loaded as expected over the API added by Keycloak 23.

👎 Actual Behavior with Screenshots

The subgroups are not loaded, cause the current switch for the loading mechanism used the Keycloak version which is now not available.

👟 Reproduction steps

  1. Add multiple subgroups in Keycloak
  2. Start Backstage
  3. Only the root groups are available, subgroups are not shown

The problem is that Keycloak > 26.4.0 removed the systeminfo from the serverinfo endpoint and without that the current switch which selects the used API methods to receive the subgroups use always the API for Keycloak versions < 23.

community-plugins/workspaces/keycloak/plugins/catalog-backend-module-keycloak/src/lib/read.ts

Lines 294 to 322 in 8d37a31

try {
await ensureTokenValid(client, config, logger);
const serverInfo = await client.serverInfo.find();
serverVersion = parseInt(
serverInfo.systemInfo?.version?.slice(0, 2) || '',
10,
);
} catch (error) {
throw new Error(`Failed to retrieve Keycloak server information: ${error}`);
}
const isVersion23orHigher = serverVersion >= 23;
let rawKGroups: GroupRepresentationWithParent[] = [];
logger.debug(`Processing groups recursively`);
if (isVersion23orHigher) {
rawKGroups = await processGroupsRecursively(
client,
config,
logger,
topLevelKGroups,
);
} else {
rawKGroups = topLevelKGroups.reduce(
(acc, g) => acc.concat(...traverseGroups(g)),
[] as GroupRepresentationWithParent[],
);
}

📃 Provide the context for the Bug.

No response

👀 Have you spent some time to check if this bug has been raised before?

  • I checked and didn't find similar issue

🏢 Have you read the Code of Conduct?

Are you willing to submit PR?

None

Metadata

Metadata

Assignees

No one assigned

    Labels

    bugSomething isn't workingworkspace/keycloak

    Type

    No type

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions