Fix matchRole lookup to include group-inherited and composite roles (#25)
All checks were successful
/ Verify (push) Successful in 48s

getRoleMembersStream only returns users with the role assigned
directly, so exported attributes silently excluded users who have
matchRole via group membership. Filter all realm users with
hasRole() instead, matching the resolution already used for authRole.

Closes #20

Reviewed-on: #25
This commit is contained in:
Stefan Bethke 2026-07-18 14:14:44 +02:00 committed by stb
commit dfd10b16dc

View file

@ -2,6 +2,7 @@ package de.ccc.hamburg.keycloak.attribute_endpoints;
import java.util.Collection;
import java.util.List;
import java.util.Map;
import java.util.regex.Matcher;
import java.util.regex.Pattern;
import java.util.stream.Stream;
@ -118,7 +119,8 @@ public class AttributeEndpointsResourceProvider implements RealmResourceProvider
.toList();
UserProvider userProvider = session.users();
Stream<UserModel> users = userProvider.getRoleMembersStream(realm, matchRole);
Stream<UserModel> users = userProvider.searchForUserStream(realm, Map.of())
.filter(user -> user.hasRole(matchRole));
List<String> attribute_list = users
.map(user -> {