Open
Description
Before reporting an issue
- I have read and understood the above terms for submitting issues, and I understand that my issue may be closed without action if I do not follow them.
Area
infinispan
Describe the bug
When updating a client scope in the the security-admin-console (the client of the Admin UI) via the Admin UI in the master realm, and persistent sessions are disabled, an exception is thrown and an errors shows in the UI.
Version
main
Regression
- The issue is a regression
Expected behavior
I can change the security admin UI in the master realm when I am logged in to the master realm
Actual behavior
An exception is thrown. When the change that I triggered was updating a client scope from optional to default, the client scope is gone.
2025-07-07 20:50:59,481 ERROR [org.keycloak.services.error.KeycloakErrorHandler] (executor-thread-1) Uncaught server error: java.lang.IllegalStateException: Cannot access delegate without a transaction
at org.keycloak.models.cache.infinispan.RealmCacheSession.getClientDelegate(RealmCacheSession.java:197)
at org.keycloak.models.cache.infinispan.ClientAdapter.isUpdated(ClientAdapter.java:69)
at org.keycloak.models.cache.infinispan.ClientAdapter.getAttribute(ClientAdapter.java:300)
at org.keycloak.models.utils.SessionExpirationUtils.getClientAttributeTimeout(SessionExpirationUtils.java:206)
at org.keycloak.models.utils.SessionExpirationUtils.calculateClientSessionMaxLifespanTimestamp(SessionExpirationUtils.java:116)
at org.keycloak.models.sessions.infinispan.util.SessionTimeouts.getClientSessionLifespanMs(SessionTimeouts.java:108)
at org.keycloak.models.sessions.infinispan.util.SessionTimeouts.getClientSessionLifespanMs(SessionTimeouts.java:104)
at org.keycloak.models.sessions.infinispan.changes.InfinispanChangelogBasedTransaction.commitImpl(InfinispanChangelogBasedTransaction.java:167)
at org.keycloak.models.AbstractKeycloakTransaction.commit(AbstractKeycloakTransaction.java:46)
at org.keycloak.services.DefaultKeycloakTransactionManager.lambda$commitWithTracing$1(DefaultKeycloakTransactionManager.java:170)
at org.keycloak.tracing.NoopTracingProvider.trace(NoopTracingProvider.java:59)
at org.keycloak.tracing.NoopTracingProvider.trace(NoopTracingProvider.java:69)
at org.keycloak.services.DefaultKeycloakTransactionManager.commitWithTracing(DefaultKeycloakTransactionManager.java:169)
at org.keycloak.services.DefaultKeycloakTransactionManager.lambda$commit$0(DefaultKeycloakTransactionManager.java:146)
at org.keycloak.tracing.NoopTracingProvider.trace(NoopTracingProvider.java:59)
at org.keycloak.tracing.NoopTracingProvider.trace(NoopTracingProvider.java:69)
at org.keycloak.services.DefaultKeycloakTransactionManager.commit(DefaultKeycloakTransactionManager.java:121)
at org.keycloak.services.DefaultKeycloakSession.closeTransactionManager(DefaultKeycloakSession.java:392)
at org.keycloak.services.DefaultKeycloakSession.close(DefaultKeycloakSession.java:357)
at org.keycloak.models.KeycloakBeanProducer_ProducerMethod_getKeycloakSession_XoSEUTXOsE3bpqXlGMAykCiECUM_ClientProxy.close(Unknown Source)
How to Reproduce?
- Start Keycloak with persistent sessions disabled and an empty database
- Login as the admin user
- Select "Clients" -> "security-admin-console" -> "Client Scopes"
- Switch scope "offline" from "Optional" to "Default -> an exception is thrown in the backend, and the client scope is gone
Anything else?
Maybe the lifetimes could be retrieved eagerly while the transaction is not yet committing.