Hi all,
I’m developing a custom Keycloak EventListener SPI to handle the case when a user’s group membership changes, typically due to an LDAP sync (group mapping from LDAP to Keycloak).
My goal is:
- When a user is added to or removed from a group (`GROUP_MEMBERSHIP` with `CREATE` or `DELETE`), I want to:
  - Revoke all active sessions of that user,
  - Then apply custom group-to-group mapping logic.
The problem I’m facing is:
Although I can extract the `userId` from `adminEvent.getResourcePath()` (e.g., `users/{userId}/groups/...`), and the ID looks correct, `session.users().getUserById(realm, userId)` returns null.
Here’s the relevant part of my code:
String userId = extractUserId(adminEvent.getResourcePath()); // returns UUID
UserModel user = session.users().getUserById(realm, userId); // returns null
- `realm` is correctly retrieved from `session.realms().getRealm(realmId)`
- The `userId` string seems valid (looks like a UUID)
- But `UserModel` is always `null`, so I can’t revoke their sessions
Has anyone encountered this when working with admin events triggered by LDAP sync?
Is there a special context or timing issue where the user isn’t yet resolvable in the session?
Ultimately, I want this SPI to handle LDAP group sync changes and ensure that:
- User sessions are revoked if group mapping changes
- I can enforce a Rule-Based Group mapping mechanism
Thanks in advance for any help or insights!
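For readers arriving here with the same task, below is an added, self-contained sketch of the listener described in the post. It is not the poster's code and not part of Keycloak itself. It assumes the admin event's resource path has the shape `users/{userId}/groups/{groupId}` (the `extractUserId` helper from the post is not shown, so a regex stands in for it), it uses the `getUserById(RealmModel, String)` signature quoted in the post, and the package name and provider id are placeholders. Where `getUserById` returns null it logs and returns rather than throwing, because there is nothing to revoke for an unresolvable user; it does not try to explain the null, which the post leaves open.

```java
package com.example.keycloak.events; // hypothetical package name

import java.util.regex.Matcher;
import java.util.regex.Pattern;

import org.jboss.logging.Logger;
import org.keycloak.Config;
import org.keycloak.events.Event;
import org.keycloak.events.EventListenerProvider;
import org.keycloak.events.EventListenerProviderFactory;
import org.keycloak.events.admin.AdminEvent;
import org.keycloak.events.admin.OperationType;
import org.keycloak.events.admin.ResourceType;
import org.keycloak.models.KeycloakSession;
import org.keycloak.models.KeycloakSessionFactory;
import org.keycloak.models.RealmModel;
import org.keycloak.models.UserModel;

// Added example (not the poster's code): revoke a user's sessions when an admin
// event reports that the user joined or left a group, then hand off to a mapping hook.
public class GroupMembershipSessionRevoker implements EventListenerProvider {

    private static final Logger LOG = Logger.getLogger(GroupMembershipSessionRevoker.class);

    // Assumed path layout for GROUP_MEMBERSHIP events: users/{userId}/groups/{groupId}.
    // [^/]+ instead of a UUID pattern so non-UUID (federated) ids still match.
    private static final Pattern MEMBERSHIP_PATH =
            Pattern.compile("^users/([^/]+)/groups/([^/]+)$");

    private final KeycloakSession session;

    public GroupMembershipSessionRevoker(KeycloakSession session) {
        this.session = session;
    }

    @Override
    public void onEvent(Event event) {
        // Login/user events are not relevant to this listener.
    }

    @Override
    public void onEvent(AdminEvent adminEvent, boolean includeRepresentation) {
        if (adminEvent.getResourceType() != ResourceType.GROUP_MEMBERSHIP) {
            return;
        }
        OperationType op = adminEvent.getOperationType();
        if (op != OperationType.CREATE && op != OperationType.DELETE) {
            return;
        }
        Matcher m = MEMBERSHIP_PATH.matcher(adminEvent.getResourcePath());
        if (!m.matches()) {
            LOG.warnf("Unexpected GROUP_MEMBERSHIP resource path: %s", adminEvent.getResourcePath());
            return;
        }
        String userId = m.group(1);
        String groupId = m.group(2);

        // Resolve the realm from the event itself rather than from a cached context.
        RealmModel realm = session.realms().getRealm(adminEvent.getRealmId());
        if (realm == null) {
            LOG.warnf("Realm %s not found for admin event", adminEvent.getRealmId());
            return;
        }
        UserModel user = session.users().getUserById(realm, userId);
        if (user == null) {
            // Nothing to revoke; record the path so the failure can be investigated.
            LOG.warnf("User %s not resolvable in realm %s (path %s); no sessions revoked",
                    userId, realm.getName(), adminEvent.getResourcePath());
            return;
        }

        // Remove every user session (and the client sessions under them) for this user.
        session.sessions().removeUserSessions(realm, user);
        LOG.infof("Revoked sessions of %s after %s of membership in group %s",
                user.getUsername(), op, groupId);

        applyGroupMapping(realm, user, groupId, op);
    }

    // Hook for the rule-based group-to-group mapping; a no-op in this example.
    protected void applyGroupMapping(RealmModel realm, UserModel user, String groupId, OperationType op) {
        // e.g. user.joinGroup(realm.getGroupById(targetGroupId)) or user.leaveGroup(...)
    }

    @Override
    public void close() {
    }

    // Registered through META-INF/services/org.keycloak.events.EventListenerProviderFactory.
    public static class Factory implements EventListenerProviderFactory {
        @Override public EventListenerProvider create(KeycloakSession session) {
            return new GroupMembershipSessionRevoker(session);
        }
        @Override public void init(Config.Scope config) { }
        @Override public void postInit(KeycloakSessionFactory factory) { }
        @Override public void close() { }
        @Override public String getId() { return "group-membership-session-revoker"; } // placeholder id
    }
}
```

After packaging, the provider id has to be enabled under the realm's Events > Event listeners settings before `onEvent` is called. Keep the two steps in that order (revoke first, then remap): the new memberships take effect at the user's next login, so a token issued under the old group set cannot outlive the change.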