Creation of a custom first broker login flow and binding it fails

[youribonnaffe]

Current Behavior

I'm trying to define a custom first broker login flow in a realm and bind it to be the default first broker login flow.

keycloak-config-cli fails to execute because it tries to update the realm before creating the flow.

Expected Behavior

Flow should be imported first, then the realm's default flow updated.

Steps To Reproduce

With a configuration similar to (an extract):

{
  "firstBrokerLoginFlow": "first broker login-sso-only",
  "authenticationFlows": [
    {
      "alias": "first broker login-sso-only",
      "description": "Actions taken after first broker login with identity provider account, which is not yet linked to any Keycloak account",
      "providerId": "basic-flow",
      "topLevel": true,
      "builtIn": false,
      "authenticationExecutions": [
        {
          "authenticatorConfig": "first broker login-sso-only create unique user config",
          "authenticator": "idp-create-user-if-unique",
          "authenticatorFlow": false,
          "requirement": "ALTERNATIVE",
          "priority": 20,
          "autheticatorFlow": false,
          "userSetupAllowed": false
        },
        {
          "authenticator": "idp-auto-link",
          "authenticatorFlow": false,
          "requirement": "ALTERNATIVE",
          "priority": 60,
          "autheticatorFlow": false,
          "userSetupAllowed": false
        }
      ]
    }
  ]
}

This fails with:

2026-03-24 21:38:31.984error2026-03-24T21:38:31.984Z ERROR 1 --- [           main] d.a.k.config.KeycloakConfigRunner        : Error Response: jakarta.ws.rs.InternalServerErrorException: HTTP 500 Internal Server Error
2026-03-24 21:38:31.984Caused by: jakarta.ws.rs.InternalServerErrorException: HTTP 500 Internal Server Error
	at org.jboss.resteasy.client.jaxrs.internal.ClientInvocation.handleErrorStatus(ClientInvocation.java:250)
	at org.jboss.resteasy.client.jaxrs.internal.proxy.extractors.DefaultEntityExtractorFactory$3.extractEntity(DefaultEntityExtractorFactory.java:41)
	at org.jboss.resteasy.client.jaxrs.internal.proxy.ClientInvoker.invokeSync(ClientInvoker.java:136)
	at org.jboss.resteasy.client.jaxrs.internal.proxy.ClientInvoker.invoke(ClientInvoker.java:103)
	at org.jboss.resteasy.client.jaxrs.internal.proxy.ClientProxy.invoke(ClientProxy.java:102)
	at jdk.proxy2/jdk.proxy2.$Proxy88.update(Unknown Source)
	at de.adorsys.keycloak.config.repository.RealmRepository.update(RealmRepository.java:118)
	... 29 common frames omitted
2026-03-24 21:38:31.984de.adorsys.keycloak.config.exception.KeycloakRepositoryException: Cannot update realm 'hems.dev': HTTP 500 Internal Server Error{"errorMessage":"Failed to update realm"}
	at de.adorsys.keycloak.config.repository.RealmRepository.update(RealmRepository.java:125)
	at de.adorsys.keycloak.config.service.RealmImportService.updateRealm(RealmImportService.java:216)
	at de.adorsys.keycloak.config.service.RealmImportService.updateRealmIfNecessary(RealmImportService.java:171)
	at de.adorsys.keycloak.config.service.RealmImportService.doImport(RealmImportService.java:162)
	at de.adorsys.keycloak.config.KeycloakConfigRunner.run(KeycloakConfigRunner.java:89)
	at org.springframework.boot.SpringApplication.lambda$callRunner$5(SpringApplication.java:789)
	at org.springframework.util.function.ThrowingConsumer$1.acceptWithException(ThrowingConsumer.java:82)
	at org.springframework.util.function.ThrowingConsumer.accept(ThrowingConsumer.java:60)
	at org.springframework.util.function.ThrowingConsumer$1.accept(ThrowingConsumer.java:86)
	at org.springframework.boot.SpringApplication.callRunner(SpringApplication.java:797)
	at org.springframework.boot.SpringApplication.callRunner(SpringApplication.java:788)
	at org.springframework.boot.SpringApplication.lambda$callRunners$3(SpringApplication.java:773)
	at java.base/java.util.stream.ForEachOps$ForEachOp$OfRef.accept(Unknown Source)
	at java.base/java.util.stream.SortedOps$SizedRefSortingSink.end(Unknown Source)
	at java.base/java.util.stream.AbstractPipeline.copyInto(Unknown Source)
	at java.base/java.util.stream.AbstractPipeline.wrapAndCopyInto(Unknown Source)
	at java.base/java.util.stream.ForEachOps$ForEachOp.evaluateSequential(Unknown Source)
	at java.base/java.util.stream.ForEachOps$ForEachOp$OfRef.evaluateSequential(Unknown Source)
	at java.base/java.util.stream.AbstractPipeline.evaluate(Unknown Source)
	at java.base/java.util.stream.ReferencePipeline.forEach(Unknown Source)
	at org.springframework.boot.SpringApplication.callRunners(SpringApplication.java:773)
	at org.springframework.boot.SpringApplication.run(SpringApplication.java:325)
	at org.springframework.boot.SpringApplication.run(SpringApplication.java:1362)
	at org.springframework.boot.SpringApplication.run(SpringApplication.java:1351)
	at de.adorsys.keycloak.config.KeycloakConfigApplication.main(KeycloakConfigApplication.java:34)
	at java.base/jdk.internal.reflect.DirectMethodHandleAccessor.invoke(Unknown Source)
	at java.base/java.lang.reflect.Method.invoke(Unknown Source)
	at org.springframework.boot.loader.launch.Launcher.launch(Launcher.java:102)
	at org.springframework.boot.loader.launch.Launcher.launch(Launcher.java:64)
	at org.springframework.boot.loader.launch.PropertiesLauncher.main(PropertiesLauncher.java:580)
2026-03-24 21:38:31.984error2026-03-24T21:38:31.982Z ERROR 1 --- [           main] d.a.k.config.KeycloakConfigRunner        : Error during Keycloak import: Cannot update realm 'hems.dev': HTTP 500 Internal Server Error{"errorMessage":"Failed to update realm"}
2026-03-24 21:38:31.9652026-03-24 21:38:31,964 ERROR [org.keycloak.services.resources.admin.RealmAdminResource] (executor-thread-70) Cannot invoke "org.keycloak.models.AuthenticationFlowModel.getId()" because "flow" is null: java.lang.NullPointerException: Cannot invoke "org.keycloak.models.AuthenticationFlowModel.getId()" because "flow" is null
	at org.keycloak.models.jpa.RealmAdapter.setFirstBrokerLoginFlow(RealmAdapter.java:1541)
	at org.keycloak.models.cache.infinispan.RealmAdapter.setFirstBrokerLoginFlow(RealmAdapter.java:1372)
	at org.keycloak.storage.datastore.DefaultExportImportManager.updateRealm(DefaultExportImportManager.java:970)
	at org.keycloak.models.utils.RepresentationToModel.updateRealm(RepresentationToModel.java:277)
	at org.keycloak.services.resources.admin.RealmAdminResource.updateRealm(RealmAdminResource.java:515)
	at org.keycloak.services.resources.admin.RealmAdminResource$quarkusrestinvoker$updateRealm_d86d1f4d71b6764444fb78d4ff635eb2879125e7.invoke(Unknown Source)
	at org.jboss.resteasy.reactive.server.handlers.InvocationHandler.handle(InvocationHandler.java:29)
	at io.quarkus.resteasy.reactive.server.runtime.QuarkusResteasyReactiveRequestContext.invokeHandler(QuarkusResteasyReactiveRequestContext.java:183)
	at org.jboss.resteasy.reactive.common.core.AbstractResteasyReactiveContext.run(AbstractResteasyReactiveContext.java:147)
	at io.quarkus.vertx.core.runtime.VertxCoreRecorder$15.runWith(VertxCoreRecorder.java:645)
	at org.jboss.threads.EnhancedQueueExecutor$Task.doRunWith(EnhancedQueueExecutor.java:2651)
	at org.jboss.threads.EnhancedQueueExecutor$Task.run(EnhancedQueueExecutor.java:2630)
	at org.jboss.threads.EnhancedQueueExecutor.runThreadBody(EnhancedQueueExecutor.java:1622)
	at org.jboss.threads.EnhancedQueueExecutor$ThreadBody.run(EnhancedQueueExecutor.java:1589)
	at org.jboss.threads.DelegatingRunnable.run(DelegatingRunnable.java:11)
	at org.jboss.threads.ThreadLocalResettingRunnable.run(ThreadLocalResettingRunnable.java:11)
	at io.netty.util.concurrent.FastThreadLocalRunnable.run(FastThreadLocalRunnable.java:30)
	at java.base/java.lang.Thread.run(Thread.java:1583)

Deployment Method

Helm / Kubernetes

Environment

• Keycloak Version: 26.5.3
• keycloak-config-cli Version: 6.5.0
• Java Version: 21

Relevant configuration (sanitized)

Logs / error output

Anything else?

No response

[youribonnaffe]

Looking quickly at the code, maybe

keycloak-config-cli/src/main/java/de/adorsys/keycloak/config/service/RealmImportService.java

Line 44 in 482ace0

static final String[] ignoredPropertiesForRealmImport = new String[]{

should ignore the firstBrokerLoginFlow realm property and

keycloak-config-cli/src/main/java/de/adorsys/keycloak/config/service/AuthenticationFlowsImportService.java

Line 118 in 482ace0

private void setupFlowsInRealm(RealmImport realmImport) {

take care of updating the property in the realm instead.

[Nkwenti-Severian-Ndongtsop]

Hey @youribonnaffe
Thanks for reporting this bug.
We will have a look at it and get back to you