Describe the bug

Hello,

When calling the GET /{realm}/users endpoint with the optional query parameters enabled and search specified, the enabled attribute has no effect.

All users matching the search query are returned, disregarding their enabled status.
When specifying the enabled query parameter without additional query parameters, the endpoint works as expected, returning users filtered according to their status.

It seems like this is a bug, because the parameters are neither interpreted as logical AND, nor as logical OR.

Ideally, the users would be filtered by both values, returning only users that match the search AND have the correct enabled value as specified.

Thanks a lot for your help!

EDIT:

I found the related API here: https://github.com/keycloak/keycloak/blob/main/services/src/main/java/org/keycloak/services/resources/admin/UsersResource.java#L285

Looks like there is a special case defined when the search parameter is specified. Is this required, or can the enabled filter be used in this case as well?

Version

16.1.0

Expected behavior

Users are filtered with query parameters combined as logical AND

Actual behavior

enabled filter does not have any effect when search parameter is specified.

How to Reproduce?

• create 2 users in a realm with similar names
• enable one user and disable the other one
• create a search query that matches both users

curl --request GET 'localhost:8080/auth/admin/realms/test/users?enabled=false&search=matchbothusers' 

Both users will be returned, when actually only the user with enabled=false should be returned.

Anything else?

It would be nice to have the same functionality also for the /users/count endpoint
See: #9842