Can not get through SSO login if using a custom attribute with default value #44785

@temp043

Description

Before reporting an issue

  • I have read and understood the above terms for submitting issues, and I understand that my issue may be closed without action if I do not follow them.

Area

login/ui

Describe the bug

If you define a custom attribute that the user cannot edit himself and also give it a default value, then the user can't log in via SSO. He always lands on the Review Profile page and can't get any further.

Version

26.4.7

Regression

  • The issue is a regression

Expected behavior

When I set a custom attribute with a default value, I expect it to be set without interference when the user is created via SSO, and to have the default value.

Actual behavior

Users cannot get through the login process anymore if a default is set.

How to Reproduce?

  • Configure a realm-attribute like this:
    {
      "name": "usertype",
      "displayName": "Usertype",
      "permissions": {
        "edit": [
          "admin"
        ],
        "view": [
          "admin",
          "user"
        ]
      },
      "multivalued": false,
      "annotations": {
        "inputType": "select-radiobuttons"
      },
      "validations": {
        "options": {
          "min": "",
          "max": "",
          "options": [
            "daily",
            "power"
          ]
        }
      },
      "defaultValue": "daily"
    }
  • Set up an OIDC Identity Provider at will with first-broker-flow.
  • Log in via SSO.
  • You now see the /realms/.../login-actions/required-action?execution=VERIFY_PROFILE page and can't do anything, since users are not allowed to edit the attribute and the default is not respected during user creation.

Anything else?

The following changes are workarounds, but don't fulfill the intended use:

  • Leave the default blank and handle the value being undefined in the application itself
  • Allow user to edit the attribute (Then the VERIFY_PROFILE page does not show up)
  • Add a hardcoded mapper to the Identity Provider setting the attribute.
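
An added example, not part of the original report and not Keycloak code: a small Python check that scans a user-profile JSON document for the combination described in this issue (a `defaultValue` on an attribute whose `permissions.edit` does not include `user`). The top-level `attributes` array, the names `find_blocking_attributes` and `mapped_by_idp`, and the sample data are assumptions made for illustration.

```python
import json

# Constructed sample: the attribute from the report (trimmed) plus two
# constructed attributes for contrast.
SAMPLE_PROFILE = json.loads("""
{
  "attributes": [
    {"name": "usertype",
     "permissions": {"edit": ["admin"], "view": ["admin", "user"]},
     "validations": {"options": {"options": ["daily", "power"]}},
     "defaultValue": "daily"},
    {"name": "nickname",
     "permissions": {"edit": ["admin", "user"], "view": ["admin", "user"]},
     "defaultValue": "anon"},
    {"name": "costcenter",
     "permissions": {"edit": ["admin"], "view": ["admin"]}}
  ]
}
""")


def find_blocking_attributes(profile, mapped_by_idp=()):
    """Return names of attributes matching the pattern in the report:
    a defaultValue is set, "user" is not in permissions.edit, and no
    identity-provider mapper sets the attribute (the third workaround).
    This is a heuristic based on the report, not Keycloak's own logic."""
    flagged = []
    for attr in profile.get("attributes", []):
        name = attr.get("name")
        edit_roles = attr.get("permissions", {}).get("edit", [])
        has_default = attr.get("defaultValue") not in (None, "")
        if has_default and "user" not in edit_roles and name not in mapped_by_idp:
            flagged.append(name)
    return flagged


if __name__ == "__main__":
    for name in find_blocking_attributes(SAMPLE_PROFILE):
        print(f"{name}: defaultValue set but not user-editable; "
              "brokered first login may stop at VERIFY_PROFILE")
```

Pass the names of attributes already set by an identity-provider mapper as `mapped_by_idp` to exclude them from the result.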
