Can not get through SSO login if using a custom attribute with default value

Closes #44785 Signed-off-by: Martin Kanis <mkanis@redhat.com>
2026-01-10 15:32:05 -03:30 · 2025-12-16 14:11:02 +01:00 · 2025-12-16 14:11:02 +01:00 · a9a89005fa
commit a9a89005fa
parent 17f0dbdc1c
2 changed files with 45 additions and 0 deletions
--- a/services/src/main/java/org/keycloak/userprofile/validator/ImmutableAttributeValidator.java
+++ b/services/src/main/java/org/keycloak/userprofile/validator/ImmutableAttributeValidator.java
@ -74,6 +74,12 @@ public class ImmutableAttributeValidator implements SimpleValidator {
                return context;
            }

+            // Allow default values for read-only attributes during first login when the attribute is empty
+            // and the new value matches the configured default value
+            if (currentValue.isEmpty() && isDefaultValueApplied(attributeContext, values)) {
+                return context;
+            }
+
            RealmModel realm = ac.getSession().getContext().getRealm();

            if (realm.isRegistrationEmailAsUsername()) {
@ -99,4 +105,18 @@ public class ImmutableAttributeValidator implements SimpleValidator {
    private boolean isReadOnly(AttributeContext attributeContext) {
        return attributeContext.getMetadata().isReadOnly(attributeContext);
    }
+    
+    /**
+     * Check if the attribute value matches the configured default value.
+     */
+    private boolean isDefaultValueApplied(AttributeContext attributeContext, List<String> values) {
+        // Check if the attribute has a configured default value
+        String defaultValue = attributeContext.getMetadata().getDefaultValue();
+        if (defaultValue == null) {
+            return false;
+        }
+        
+        // Check if the current values match exactly what we'd expect from the default value
+        return collectionEquals(values, List.of(defaultValue));
+    }
 }
--- a/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/broker/KcOidcFirstBrokerLoginTest.java
+++ b/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/broker/KcOidcFirstBrokerLoginTest.java
@ -986,4 +986,29 @@ public class KcOidcFirstBrokerLoginTest extends AbstractFirstBrokerLoginTest {
    private RealmResource testRealm() {
        return adminClient.realm(bc.consumerRealmName());
    }
+
+    @Test
+    public void testSsoLoginWithCustomAttributeWithDefaultValue() {
+        updateExecutions(AbstractBrokerTest::enableUpdateProfileOnFirstLogin);
+
+        String userProfileConfig = "{\"attributes\": ["
+                + "{\"name\": \"email\"," + PERMISSIONS_ALL + "},"
+                + "{\"name\": \"firstName\"," + PERMISSIONS_ALL + "},"
+                + "{\"name\": \"lastName\"," + PERMISSIONS_ALL + "},"
+                + "{\"name\": \"usertype\", \"defaultValue\": \"daily\", " + PERMISSIONS_ADMIN_EDITABLE + "}"
+                + "]}";
+        setUserProfileConfiguration(userProfileConfig);
+
+        oauth.clientId("broker-app");
+        loginPage.open(bc.consumerRealmName());
+
+        logInWithBroker(bc);
+
+        waitForPage(driver, "update account information", false);
+        Assert.assertTrue("Should be on update profile page", updateAccountInformationPage.isCurrent());
+
+        updateAccountInformationPage.updateAccountInformation("Test", "User");
+
+        Assert.assertTrue("User should be logged in successfully after profile update", appPage.isCurrent());
+    }
 }