Hi,
we encountered a bug that appears very sporadically and is very hard to debug. When we implemented it locally, there was no problem. Even when deployed to another environment, there was no problem at all at first. The exception is thrown very rarely. We use a mapper in a user federation connection. In detail, we have an LDAP sync which reads out users and their roles and transfers them to another domain. The user federation sync is triggered manually via the Keycloak UI. The version of our Keycloak is 19.0.1.
The stack trace:
[org.keycloak.services.error.KeycloakErrorHandler] (executor-thread-15184) Uncaught server error: java.lang.IllegalStateException: Cannot access delegate without a transaction
at org.keycloak.models.cache.infinispan.RealmCacheSession.getRoleDelegate(RealmCacheSession.java:169)
at org.keycloak.models.cache.infinispan.RealmCacheSession.getRoleById(RealmCacheSession.java:830)
at org.keycloak.models.cache.infinispan.RealmAdapter.getRoleById(RealmAdapter.java:733)
....
at org.keycloak.models.cache.infinispan.UserAdapter.getRoleMappingsStream(UserAdapter.java:378)
at custommapper.keycloak.repositories.UserRepository.getUserWithRoles(UserRepository.java:34)
at custommapper.keycloak.transactions.UserChangedTransaction.commitImpl(UserChangedTransaction.java:33)
....
The custom mapper is executed when a user is imported from LDAP via the onImportUserFromLDAP from the AbstractLDAPStorageMapper. The code is wrapped with a UserChangedTransaction extended from AbstractKeycloakTransaction.
It seems like there might be a race condition in some rare situations. When the error happens, it happens all the time. The next day the error might not appear at all. It is a strange behavior. Due to the process of importing users from LDAP, a transaction is opened for every single user. Is it possible that there might be an open transaction while the next user is imported? Or what is causing this exception?
What else is possible to prevent this exception in our case?