Unreported flaky test detected

If the flaky tests below are affected by the changes, please review and update the changes accordingly. Otherwise, a maintainer should report the flaky tests prior to merging the PR.

org.keycloak.testsuite.model.user.UserModelTest#testAddRemoveUserConcurrent

Keycloak CI - Store Model Tests

java.util.ConcurrentModificationException: java.util.ConcurrentModificationException
	at java.base/jdk.internal.reflect.DirectConstructorHandleAccessor.newInstance(DirectConstructorHandleAccessor.java:62)
	at java.base/java.lang.reflect.Constructor.newInstanceWithCaller(Constructor.java:502)
	at java.base/java.lang.reflect.Constructor.newInstance(Constructor.java:486)
	at java.base/java.util.concurrent.ForkJoinTask.getThrowableException(ForkJoinTask.java:540)
...

Report flaky test

org.keycloak.testsuite.model.user.UserModelTest#testAddRemoveUserConcurrent

Keycloak CI - Store Model Tests

java.util.ConcurrentModificationException: java.util.ConcurrentModificationException
	at java.base/jdk.internal.reflect.DirectConstructorHandleAccessor.newInstance(DirectConstructorHandleAccessor.java:62)
	at java.base/java.lang.reflect.Constructor.newInstanceWithCaller(Constructor.java:502)
	at java.base/java.lang.reflect.Constructor.newInstance(Constructor.java:486)
	at java.base/java.util.concurrent.ForkJoinTask.getThrowableException(ForkJoinTask.java:540)
...

Report flaky test

org.keycloak.testsuite.model.user.UserModelTest#testAddRemoveUserConcurrent

Keycloak CI - Store Model Tests

java.util.ConcurrentModificationException: java.util.ConcurrentModificationException
	at java.base/jdk.internal.reflect.DirectConstructorHandleAccessor.newInstance(DirectConstructorHandleAccessor.java:62)
	at java.base/java.lang.reflect.Constructor.newInstanceWithCaller(Constructor.java:502)
	at java.base/java.lang.reflect.Constructor.newInstance(Constructor.java:486)
	at java.base/java.util.concurrent.ForkJoinTask.getThrowableException(ForkJoinTask.java:540)
...

Report flaky test

BTW, Adapter IT failed, rerunning that job.

Unreported flaky test detected

If the flaky tests below are affected by the changes, please review and update the changes accordingly. Otherwise, a maintainer should report the flaky tests prior to merging the PR.

org.keycloak.testsuite.forms.LoginHotpTest#loginWithHotpSuccess

Keycloak CI - Forms IT (chrome)

java.lang.IllegalStateException: Could not start mail server smtp:localhost:3025, try to set server startup timeout > 2000 via ServerSetup.setServerStartupTimeout(timeoutInMs) or -Dgreenmail.startup.timeout
	at com.icegreen.greenmail.util.GreenMail.start(GreenMail.java:118)
	at org.keycloak.testsuite.util.GreenMailRule.before(GreenMailRule.java:54)
	at org.junit.rules.ExternalResource$1.evaluate(ExternalResource.java:50)
	at org.jboss.arquillian.junit.Arquillian$7$1.invoke(Arquillian.java:273)
...

Report flaky test

org.keycloak.testsuite.forms.LoginHotpTest#loginWithHotpFailure

Keycloak CI - Forms IT (chrome)

java.lang.IllegalStateException: Could not start mail server smtp:localhost:3025, try to set server startup timeout > 2000 via ServerSetup.setServerStartupTimeout(timeoutInMs) or -Dgreenmail.startup.timeout
	at com.icegreen.greenmail.util.GreenMail.start(GreenMail.java:118)
	at org.keycloak.testsuite.util.GreenMailRule.before(GreenMailRule.java:54)
	at org.junit.rules.ExternalResource$1.evaluate(ExternalResource.java:50)
	at org.jboss.arquillian.junit.Arquillian$7$1.invoke(Arquillian.java:273)
...

Report flaky test

org.keycloak.testsuite.forms.LoginHotpTest#loginWithHotpInvalidPassword

Keycloak CI - Forms IT (chrome)

java.lang.IllegalStateException: Could not start mail server smtp:localhost:3025, try to set server startup timeout > 2000 via ServerSetup.setServerStartupTimeout(timeoutInMs) or -Dgreenmail.startup.timeout
	at com.icegreen.greenmail.util.GreenMail.start(GreenMail.java:118)
	at org.keycloak.testsuite.util.GreenMailRule.before(GreenMailRule.java:54)
	at org.junit.rules.ExternalResource$1.evaluate(ExternalResource.java:50)
	at org.jboss.arquillian.junit.Arquillian$7$1.invoke(Arquillian.java:273)
...

Report flaky test

org.keycloak.testsuite.forms.LoginHotpTest#loginWithMissingHotp

Keycloak CI - Forms IT (chrome)

java.lang.IllegalStateException: Could not start mail server smtp:localhost:3025, try to set server startup timeout > 2000 via ServerSetup.setServerStartupTimeout(timeoutInMs) or -Dgreenmail.startup.timeout
	at com.icegreen.greenmail.util.GreenMail.start(GreenMail.java:118)
	at org.keycloak.testsuite.util.GreenMailRule.before(GreenMailRule.java:54)
	at org.junit.rules.ExternalResource$1.evaluate(ExternalResource.java:50)
	at org.jboss.arquillian.junit.Arquillian$7$1.invoke(Arquillian.java:273)
...

Report flaky test

@vramik Applied your suggestions.

@vramik It is rebased already. I'll check now the behavior with your latest changes.

Today I tried Keycloak 25.0.6 but when I try to add user to a second Organization gave a error than the user only can have 1 Organization, is that ok ?

@jaeaxt This was merged into main so will be available in the next major release of Keycloak which is Keycloak 26.

Hey Folks 👋 Great work with orgs so-far. I've just tried out the latest nightly build via

docker run --name kc-orgs -d -e KEYCLOAK_ADMIN=admin -e KEYCLOAK_ADMIN_PASSWORD=admin -p 8080:8080 quay.io/keycloak/keycloak:nightly start-dev --features organization

, created 2 orgs foo/foo.com and bar/bar.com, and added a user baz/[email protected] as member in both orgs.

Now I wanted to login using the new identity first - flow and just "baz".

My expectation was that I could somehow "choose" for which org I want to log in.
Instead, the bar.com password/IdP page was shown.

Now I am a bit unsure how, with this PR, it'd be possible to login my [email protected] user under the context of the foo org. It'd be awesome if you had any hints, couldn't find an issue so-far and thought I'd ask here first :)

@DGuhr I just tested here and I see what you mean - if the user has an e-mail that matches one of the orgs, we're being a bit too opinionated towards the IDP selection. In this case, we're narrowing the IDP choices based on the e-mail that matched.

@pedroigor we need to discuss how to make this a little less opinionated - if user belongs to more than 1 org, then if none of the orgs has an idp that automatically redirects based on e-mail, we prob should be assembling the IDP list in a way that all orgs the user belongs too are represented (provided they have public IDPs, that is).

If you think about it, even with no public IDPs, if the user is a member of multiple orgs then perhaps a better option would be not to select the IDP itself, but the org he wants to sign in to. Then we redirect to the org IDP, which doesn't even have to be public.

If you think about it, even with no public IDPs, if the user is a member of multiple orgs then perhaps a better option would be not to select the IDP itself, but the org he wants to sign in to. Then we redirect to the org IDP, which doesn't even have to be public.

Hi @sguilhen and @pedroigor.
Sorry for commenting on this closed PR, however I was not able to find any issue or documentation around this. Is this already implemented, or is there a separate issue somewhere on allowing a user to select a org if member of multiple?

Would this also set which organization the user is "primarily acting on behalf of"? Eg. if you have a consultant or similar working on the behalf of multiple of your clients (but always only on one at a time)?

Hey @Anderen2, no problem. Sometimes I find myself doing the same ... Not ideal because comments usually get lost.

There is support for allowing users to select an organization when they are a member of multiple ones. The part of the documentation covering this capability is here [1].

Basically, whenever you send the organization scope, if the user has multiple organizations, he will be prompted to select one. After doing so, the authentication will happen in the context of that organization so that any IdP associated with the organization is considered (including automatic redirect), and the token will have the organization claim mapping to the selected organization.

Is this what you are looking for?

[1] https://www.keycloak.org/docs/latest/server_admin/#_mapping_organization_claims_