Before reporting an issue

• I have read and understood the above terms for submitting issues, and I understand that my issue may be closed without action if I do not follow them.

Area

ldap

Describe the bug

The user attributes are fetched differently when executing searches and fetching users by their identifiers.

When running a search, the external user storage provider is called and eventually returns a UserModel that fetches the user attributes from their storage.

However, when querying users by their identifiers where the user is already cached the user attributes will have their values fetched from the cache, which can be different than the value from the external user storage. This is especially true when the user storage provider is updated directly without necessarily going through the server.

This issue is mainly impacting the LDAP user storage provider, for now. But it should apply to any other user storage provider (including custom ones). The LDAP mappers that support the setting Always read value from LDAP will not work as expected because values won't be (always) read from LDAP if the user is already cached.

Version

26.0.0

Regression

• The issue is a regression

Expected behavior

The user attribute values are the same when fetching users using a search and when querying by their identifier.

Actual behavior

The user attribute values are not the same when fetching users using a search and when querying by their identifier.

How to Reproduce?

• Create an LDAP provider and make sure the mapper corresponding to the firstName has the Always read value from LDAP enabled
• Import a user from LDAP
• Change the value of the firstName attribute in LDAP
• Go to Users to list all realm users and see the firstName attribute set with the value from LDAP
• Try to edit the user and see the firstName attribute with a different value

Anything else?

See #34954 (comment).