KEYCLOAK-17252 applying 'Aggregate attribute values' mapper option to group hierarchy

[Jurjan-Paul Medema]

Hello Keycloak Developers,

After posting the KEYCLOAK-17252 issue a couple of weeks ago, we have now prepared a small PR that fixes the aggregation of multivalued group attributes over subgroup relations: https://github.com/keycloak/keycloak/pull/7871

According to the community guidelines we probably should have discussed this here first, but we do hope that you will consider the PR an improvement like we do. :-)

The issue states the problem with a reproduction scenario and the PR description goes deeper into our functional motivation for wanting this fix.

Feedback is very welcome of course!

Thank you very much! With kind regards,

Jurjan-Paul Medema

Mediquest

P.S. Two timeouts blocked the CI tests from succeeding, failing tests that succeed on my local machine. I really don't see any relation with the PR itself and found a similar timeout issue in another recent PR. How do we best deal with this?

[Jurjan-Paul Medema]

Hello Keycloak developers,

We would like to know if there are any steps we can take to generate some interest in our PR https://github.com/keycloak/keycloak/pull/7871 to fix https://issues.redhat.com/browse/KEYCLOAK-17252.

We totally understand that you guys are busy with your own backlog(s), but some (initial) feedback for this relatively simple fix would be much appreciated!

The PR deals with an inconsistency in the current application of the 'User Attribute' mapper's "Aggregate attribute values" option.

Currently (without the PR) the 'Aggregate attribute values' option already applies to one inheritance relation (as mentioned in https://wjw465150.gitbooks.io/keycloak-documentation/content/server_admin/topics/groups.html): between a user and the group(s) (s)he is a member of, but it does not apply to the other inheritance relation mentioned on that page: the one between a subgroup and its parent group.

The PR extends the attribute aggregation to the inheritance relation between a subgroup and its parent group.

This makes for a more consistent conceptual model, which is reflected in the simplicity of the code needed.
(In the PR we describe the specific use case for which the current lack of attribute aggregation over subgroup relations took us by surprise.)

Please review! Feedback is much appreciated, also if just to say that we need to have more patience! :-)

Thank you very much!

Jurjan-Paul Medema

Mediquest

Op ma 22 mrt. 2021 om 10:27 schreef Jurjan-Paul Medema <jme...@mediquest.nl>: