Application Initiated Actions - Case Sensitivity?

Getting advice
1

Hello together,

we’re using Keycloak running in Docker (bitnami/keycloak to be exact) to authenticate users. Using the application initiated actions (AIA) we want to let users update their password, delete their account, etc. Additionally, we also use a custom UPDATE_PROFILE to require users to reauthenticate before changing their profile (see: Require Reauthentication for Update Profile). This works quite nicely, however we’ve encountered a weird edge case: The kc_action needs to be in an exact case for our AIA to work. For instance ‘kc_action=delete_account’ works, but ‘kc_action=DELETE_ACCOUNT’ throws the following exception:
java.lang.NullPointerException: Cannot invoke "org.keycloak.authentication.RequiredActionProvider.getMaxAuthAge()" because "requiredActionProvider" is null.

However, for update profile and password, the case is reversed. It works for ‘kc_action=UPDATE_PASSWORD’ and ‘kc_action=UPDATE_PROFILE’, but using the lower-case spelling ‘kc_action=update_password’ or ‘kc_action=update_profile’ throws the same exception:
Failed authentication: java.lang.NullPointerException: Cannot invoke "org.keycloak.authentication.RequiredActionProvider.getMaxAuthAge()" because "requiredActionProvider" is null.

Now to my question: Is this the correct behavior or is there some kind of setting that we did not set or set incorrectly?

2

That’s the result of different developers writing different code without having proper coding conventions and checks. Just like in any other regular project… :sweat_smile:
The proper value to use is always the value the getId() factory method returns.

3

Ah! So provider_id for delete_account is lower case (keycloak/services/src/main/java/org/keycloak/authentication/requiredactions/DeleteAccount.java at main · keycloak/keycloak · GitHub) but for the other required actions the Enum name is used, which is upper case (keycloak/server-spi/src/main/java/org/keycloak/models/UserModel.java at main · keycloak/keycloak · GitHub). Alright, then we have to be careful when building the AIA. Thank you very much for clearing that up!