Do not regenerate the secret key when the size is not explicitly passed

Closes #42405 Signed-off-by: rmartinc <rmartinc@redhat.com> (cherry picked from commit 605b51905ca9d991e1656ab875fec22840289761)
2026-01-09 23:12:06 -03:30 · 2025-09-12 17:24:26 +02:00 · 2025-09-12 17:24:26 +02:00 · 9aa21097e2
commit 9aa21097e2
parent a775ed3ecb
2 changed files with 23 additions and 9 deletions
--- a/services/src/main/java/org/keycloak/keys/AbstractGeneratedSecretKeyProviderFactory.java
+++ b/services/src/main/java/org/keycloak/keys/AbstractGeneratedSecretKeyProviderFactory.java
@ -37,16 +37,18 @@ public abstract class AbstractGeneratedSecretKeyProviderFactory<T extends KeyPro
        ConfigurationValidationHelper validation = SecretKeyProviderUtils.validateConfiguration(model);
        validation.checkList(Attributes.SECRET_SIZE_PROPERTY, false);

-        int size = model.get(Attributes.SECRET_SIZE_KEY, getDefaultKeySize());
-
        if (!(model.contains(Attributes.SECRET_KEY))) {
+            int size = model.get(Attributes.SECRET_SIZE_KEY, getDefaultKeySize());
            generateSecret(model, size);
            logger().debugv("Generated secret for {0}", realm.getName());
        } else {
            int currentSize = Base64Url.decode(model.get(Attributes.SECRET_KEY)).length;
+            int size = model.get(Attributes.SECRET_SIZE_KEY, currentSize);
            if (currentSize != size) {
                generateSecret(model, size);
                logger().debugv("Secret size changed, generating new secret for {0}", realm.getName());
+            } else if (model.get(Attributes.SECRET_SIZE_KEY) == null && currentSize != getDefaultKeySize()) {
+                model.put(Attributes.SECRET_SIZE_KEY, currentSize);
            }
        }
    }
--- a/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/keys/GeneratedHmacKeyProviderTest.java
+++ b/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/keys/GeneratedHmacKeyProviderTest.java
@ -141,19 +141,31 @@ public class GeneratedHmacKeyProviderTest extends AbstractKeycloakTest {
        rep.setConfig(new MultivaluedHashMap<>());
        rep.getConfig().putSingle("priority", Long.toString(priority));

-        Response response = adminClient.realm("test").components().add(rep);
-        String id = ApiUtil.getCreatedId(response);
-        response.close();
+        try (Response response = adminClient.realm("test").components().add(rep)) {
+            rep.setId(ApiUtil.getCreatedId(response));
+        }

-        ComponentRepresentation component = testingClient.server("test").fetch(RunHelpers.internalComponent(id));
+        ComponentRepresentation component = testingClient.server("test").fetch(RunHelpers.internalComponent(rep.getId()));
        assertEquals(GeneratedHmacKeyProviderFactory.DEFAULT_HMAC_KEY_SIZE, Base64Url.decode(component.getConfig().getFirst("secret")).length);

-        ComponentRepresentation createdRep = adminClient.realm("test").components().component(id).toRepresentation();
+        ComponentRepresentation createdRep = adminClient.realm("test").components().component(rep.getId()).toRepresentation();
        createdRep.getConfig().putSingle("secretSize", "512");
-        adminClient.realm("test").components().component(id).update(createdRep);
+        adminClient.realm("test").components().component(rep.getId()).update(createdRep);

-        component = testingClient.server("test").fetch(RunHelpers.internalComponent(id));
+        component = testingClient.server("test").fetch(RunHelpers.internalComponent(rep.getId()));
        assertEquals(512, Base64Url.decode(component.getConfig().getFirst("secret")).length);
+        component = testingClient.server("test").fetch(RunHelpers.internalComponent(rep.getId()));
+        String secret = component.getConfig().getFirst("secret");
+
+        createdRep = adminClient.realm("test").components().component(rep.getId()).toRepresentation();
+        createdRep.getConfig().putSingle("secretSize", "");
+        adminClient.realm("test").components().component(rep.getId()).update(createdRep);
+
+        component = testingClient.server("test").fetch(RunHelpers.internalComponent(rep.getId()));
+        assertEquals("512", component.getConfig().getFirst("secretSize"));
+        assertEquals(512, Base64Url.decode(component.getConfig().getFirst("secret")).length);
+        component = testingClient.server("test").fetch(RunHelpers.internalComponent(rep.getId()));
+        assertEquals(secret, component.getConfig().getFirst("secret"));
    }

    @Test