
SMTP credentials are overwritten when a different attribute is set on realm level #1194

Open
@dmpv-cyber

Description


Describe the bug

  1. Create a new realm with SMTP credentials defined.
  2. Try to send an email, it works.
  3. Then, create a new custom authentication flow and bind it with the resetCredentialsFlow, for example.
  4. Deploy it with pulumi up.
  5. If you try now to send an email it will fail because the SMTP credentials were overwritten.

Version

26.2.2, 5.2.0 terraform-provider-keycloak

Expected behavior

No response

Actual behavior

No response

How to Reproduce?

Create a new realm via terraform with the smtp_server attribute defined:

resource "keycloak_realm" "test" {
  realm             = "test"
  enabled           = true
  display_name      = "Test"
  smtp_server {
    host              = "host.com"
    from              = "[email protected]"
    ssl               = true
    from_display_name = "test"
    auth {
      username = "username"
      password = "password"
    }
  }
}

Deploy it and test the email sending; it should work.

Then, create a new custom authentication flow and bind it with the resetCredentialsFlow, for example:

resource "keycloak_authentication_flow" "test_reset_flow" {
  alias       = "resetCredentialsCopy"
  realm_id    = keycloak_realm.test.id
  description = "browser based authentication"
}
resource "keycloak_authentication_bindings" "test_flow_binding" {
  realm_id               = keycloak_realm.test.id
  reset_credentials_flow = keycloak_authentication_flow.test_reset_flow.alias
}

If you try now to send an email it will fail because the SMTP credentials were overwritten.

Anything else?

This only started to happen after we upgraded to Keycloak version 26.2.0.
In that version they added token-based authentication for SMTP (XOAUTH2): https://www.keycloak.org/docs/latest/release_notes/index.html#token-based-authentication-for-smtp-xoauth2
Maybe this is related to it starting to fail now.

I also noticed another thing in the Admin events of the troublesome realm: in the update-realm event, the realm representation has different attributes inside the smtpServer attribute depending on whether it was updated via the admin console or via Terraform. Here is an example of the smtpServer attribute from those realm representations:

  • Update via terraform:

"smtpServer": {
  "auth": "true",
  "host": "host.com",
  "from": "[email protected]",
  "fromDisplayName": "test",
  "ssl": "true",
  "user": "username",
  "password": "**********"
},

  • Update via admin console:

"smtpServer": {
  "password": "**********",
  "auth": "true",
  "host": "host.com",
  "from": "[email protected]",
  "fromDisplayName": "test",
  "ssl": "true",
  "user": "username",
  "replyTo": "",
  "replyToDisplayName": "",
  "envelopeFrom": "",
  "starttls": "false",
  "authType": "basic",
  "debug": "false"
},
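An added drift check, not part of the issue or of the provider's code, that scans exported Keycloak admin events and flags realm updates whose smtpServer representation omits the keys the admin-console update above carries (authType among them), so an operator can spot a partial SMTP update before the next email fails. The admin-event field names (operationType, resourceType, realmId, representation) are those of Keycloak's AdminEventRepresentation; the sample events are constructed from the two representations in the issue, with a placeholder sender address.

```python
import json

# Keys present in the admin-console representation shown in the issue but absent
# from the Terraform-sent one. authType was introduced with Keycloak 26.2's
# token-based SMTP authentication, so its absence is the one to watch.
CONSOLE_ONLY_KEYS = {"replyTo", "replyToDisplayName", "envelopeFrom",
                     "starttls", "authType", "debug"}

def smtp_keys_missing(representation: dict) -> set:
    """Return the SMTP keys a full admin-console update carries but this one lacks."""
    smtp = representation.get("smtpServer") or {}
    return CONSOLE_ONLY_KEYS - set(smtp)

def flag_realm_updates(admin_events: list) -> list:
    """Return (realmId, sorted missing keys) for every UPDATE on REALM whose
    representation omits SMTP keys. Admin events carry the representation as a
    JSON string, and only when 'Include representation' is enabled for the realm."""
    findings = []
    for ev in admin_events:
        if ev.get("operationType") != "UPDATE" or ev.get("resourceType") != "REALM":
            continue
        try:
            rep = json.loads(ev.get("representation") or "{}")
        except json.JSONDecodeError:
            continue  # malformed representation: nothing to compare
        missing = smtp_keys_missing(rep)
        if missing:
            findings.append((ev.get("realmId"), sorted(missing)))
    return findings

# Constructed sample events modelled on the issue's two representations.
SAMPLE_EVENTS = [
    {"operationType": "UPDATE", "resourceType": "REALM", "realmId": "test",
     "representation": json.dumps({"smtpServer": {
         "auth": "true", "host": "host.com", "from": "test@example.com",
         "fromDisplayName": "test", "ssl": "true", "user": "username",
         "password": "**********"}})},
    {"operationType": "UPDATE", "resourceType": "REALM", "realmId": "test",
     "representation": json.dumps({"smtpServer": {
         "password": "**********", "auth": "true", "host": "host.com",
         "from": "test@example.com", "fromDisplayName": "test", "ssl": "true",
         "user": "username", "replyTo": "", "replyToDisplayName": "",
         "envelopeFrom": "", "starttls": "false", "authType": "basic",
         "debug": "false"}})},
    {"operationType": "CREATE", "resourceType": "AUTH_FLOW", "realmId": "test",
     "representation": "{}"},
]

if __name__ == "__main__":
    for realm, missing in flag_realm_updates(SAMPLE_EVENTS):
        print(f"realm {realm!r}: partial smtpServer update, missing {missing}")
```

Only the first (Terraform-style) update is flagged; the console-style update carries every key and the AUTH_FLOW event is skipped.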
