Problem statement

While Keycloak uses current internal attributes that are sometimes single-value, there has been a decision to make all attribute-containing map storage entities multi-valued, please see: https://issues.redhat.com/browse/KEYCLOAK-15572.

The current code selects the first entry if there is one or multiple entries in MapClientAdapter via entry.getValue().get(0).

    @Override
    public Map<String, String> getAttributes() {
        final Map<String, List<String>> attributes = entity.getAttributes();
        final Map<String, List<String>> a = attributes == null ? Collections.emptyMap() : attributes;
        return a.entrySet().stream().collect(Collectors.toMap(Map.Entry::getKey,
            entry -> {
                if (entry.getValue().isEmpty()) return null;
                return entry.getValue().get(0);
            })
        );
    }

This could lead to problems when someone reads a client and doesn't see the additional values for an attribute.
The missing data might have a security implication.

This could occur in the following ways:

• During a development iteration to introduce multi-valued attributes in Keycloak core this code pass is missed, therefore hiding the additional values to the caller.
• A database inconsistency with multiple values - as the store supports multiple values there are no constraints on the store level.
• In a concurrent no-downtime-upgrade with a different version of Keyloak run concurrently, and the newer version inserts multiple values

Approach

Apply a defensive programming style to throw an exception in this unsupported case of multiple attribute values and throw a runtime exception. Suggested exception type: ModelException.

Benefits

Ensuring that only consistent data is presented to the caller, and subsequent saving of incomplete data is prevented.

Alternatives

Leave it "as is".

For future cases, apply YAGNI and reduce complexity of the solution buy not adding features that are not needed at the moment.