Handle orphan authenticator providers in flows #48372

Open
erenkan wants to merge 1 commit into keycloak:main from erenkan:orphan-authenticator-executions

erenkan commented Apr 22, 2026

Closes #15535

Problem

An authentication flow execution stores only its provider id string. If the referenced SPI is uninstalled, renamed, or fails to register, GET /admin/realms/{realm}/authentication/flows/{alias}/executions throws NotFoundException("Could not find authenticator provider"). The 404 propagates to the Admin UI's global error boundary and the entire flow page crashes — admins cannot delete the orphan execution, reorder siblings, or edit anything else in the flow.

erenkan requested review from a team as code owners April 22, 2026 14:28

The admin REST endpoint that lists flow executions threw NotFoundException
when an execution referenced a provider id with no registered factory (SPI
uninstalled/renamed/failed to register). The Admin UI propagated the 404
to its global error boundary, making the whole flow page uneditable — the
admin could not delete the orphan execution or manage the rest of the flow.

Backend: populate a placeholder AuthenticationExecutionInfoRepresentation
with providerUnavailable=true when the factory lookup returns null, so
listing keeps working. AuthenticationExecutionInfoRepresentation gains an
optional providerUnavailable Boolean.

Admin UI: FlowTitle shows a red "Provider unavailable" badge, FlowRow
hides the gear icon, and cross-flow drag is rejected up-front (including
when an orphan is nested inside a sub-flow being moved) so the delete +
re-create sequence never silently drops the row. Same-flow reorder and
delete remain functional.

Closes keycloak#15535

Signed-off-by: erenkan <[email protected]>

erenkan force-pushed the orphan-authenticator-executions branch from 0dca0fc to 7125f1e April 22, 2026 14:46
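
The cross-flow drag guard described in the commit message above, sketched as an added example (not code from this pull request or from Keycloak). Only `providerUnavailable` is a name taken from the PR; the `ExecutionNode` shape, `findOrphans`, `checkDrag` and the sample tree are assumptions made for illustration.

```typescript
// Added illustration; not Keycloak's Admin UI code. Only `providerUnavailable`
// comes from the PR. Every other name and the sample tree are hypothetical.
interface ExecutionNode {
  id: string;
  displayName: string;
  providerUnavailable?: boolean; // set by the backend placeholder for an orphan
  children?: ExecutionNode[];    // executions nested under a sub-flow row
}

interface DragDecision {
  allowed: boolean;
  blockedBy: string[]; // ids of the orphan executions that caused a rejection
}

// Walk the dragged row and everything nested under it, collecting orphans.
function findOrphans(node: ExecutionNode): ExecutionNode[] {
  const found: ExecutionNode[] = node.providerUnavailable === true ? [node] : [];
  for (const child of node.children ?? []) {
    found.push(...findOrphans(child));
  }
  return found;
}

// Same-flow reorder stays allowed. A cross-flow move is a delete + re-create,
// so it is refused up front when any execution in the dragged subtree is an orphan.
function checkDrag(dragged: ExecutionNode, sourceFlow: string, targetFlow: string): DragDecision {
  if (sourceFlow === targetFlow) {
    return { allowed: true, blockedBy: [] };
  }
  const orphanIds = findOrphans(dragged).map((o) => o.id);
  return { allowed: orphanIds.length === 0, blockedBy: orphanIds };
}

// Constructed sample: a sub-flow whose nested conditional holds one orphan.
const sampleSubFlow: ExecutionNode = {
  id: "exec-1",
  displayName: "Forms",
  children: [
    { id: "exec-2", displayName: "Username Password Form" },
    {
      id: "exec-3",
      displayName: "Conditional 2FA",
      children: [{ id: "exec-4", displayName: "custom-otp", providerUnavailable: true }],
    },
  ],
};

console.log(checkDrag(sampleSubFlow, "browser", "browser-copy"));
```
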
erenkan commented Apr 22, 2026

Quick question for maintainers on the copyright header of the new test file OrphanExecutionTest.java:

I removed the Copyright YYYY Red Hat, Inc. and/or its affiliates line and kept only the Apache 2.0 license boilerplate, since:

  • Keycloak uses Apache 2.0 + DCO; copyright stays with the contributor, not assigned to the project.
  • ASF's own policy recommends no per-file copyright notices; attribution goes in a project-level NOTICE file.
  • As an external contributor I can't legally speak on Red Hat's behalf, but writing my own company name would deviate from the convention every other file in the package follows.

What's your preference?

  1. Leave it as-is (no copyright line, Apache 2.0 header only)
  2. Add Copyright 2026 Red Hat, Inc. and/or its affiliates to match project convention
  3. Add my own (Copyright 2026 Keymate Inc. / my name)

Happy to push whichever you prefer.

Development

Successfully merging this pull request may close these issues.

Fail more gracefully when AuthenticatorProvider is missing

1 participant