With #623, support for a new userLabel "initial" was added, which prevents the credentials from being set if the user already exists. However, it can trigger a false update when only the password has changed.
This behavior can currently be seen in the ImportUsersIT.shouldUpdateRealmWithChangedClientUserPassword test. During the doImport call on line 189, the UserImportService will attempt to update the myinitialclientuser and this code will correctly add an empty list to the JSON:
```java
if (patchedUser.getCredentials() != null) {
    // do not override password, if userLabel is set "initial"
    List<CredentialRepresentation> userCredentials = patchedUser.getCredentials().stream()
            .filter(credentialRepresentation -> !Objects.equals(
                    credentialRepresentation.getUserLabel(), USER_LABEL_FOR_INITIAL_CREDENTIAL
            ))
            .collect(Collectors.toList());
    patchedUser.setCredentials(userCredentials);
}
```
However, the next condition will be true, and the service will try to update the user with Keycloak:
```java
if (!CloneUtil.deepEquals(existingUser, patchedUser, "access")) {
    logger.debug("Update user '{}' in realm '{}'", userToImport.getUsername(), realmName);
    userRepository.updateUser(realmName, patchedUser);
}
```
But nothing has changed! The call to CloneUtil.deepEquals is returning true in this case but it should not.
This is a problem for those of us who want to use this feature to work around the invalidpasswordhistorymessage issue, where Keycloak won't accept keycloak-config-cli's update when there is a "Not Recently Used" password policy in place, because it triggers an unnecessary update to the user which will fail.
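
One way the filtered empty list can produce the spurious update reported above, as an added example that is not keycloak-config-cli code. It assumes the existing user is read back without a credentials field (null) while the filter leaves an empty list; `Credential`, `User`, `stripInitial` and `normalize` are hypothetical stand-ins, and `normalize` is one possible mitigation, not the project's fix.

```java
import java.util.List;
import java.util.Objects;
import java.util.stream.Collectors;

public class InitialCredentialDiff {
    static final String INITIAL = "initial"; // userLabel value named in the issue

    // Hypothetical stand-ins for CredentialRepresentation / UserRepresentation.
    record Credential(String userLabel, String value) {}
    record User(String username, List<Credential> credentials) {}

    // Same filter as the snippet in the issue: drop credentials labelled "initial".
    static User stripInitial(User patched) {
        if (patched.credentials() == null) return patched;
        List<Credential> kept = patched.credentials().stream()
                .filter(c -> !Objects.equals(c.userLabel(), INITIAL))
                .collect(Collectors.toList());
        return new User(patched.username(), kept);
    }

    // Assumed mitigation: treat "no credentials left" the same as "credentials absent".
    static User normalize(User u) {
        boolean empty = u.credentials() == null || u.credentials().isEmpty();
        return empty ? new User(u.username(), null) : u;
    }

    public static void main(String[] args) {
        // Constructed sample: the server-side user carries no credentials field,
        // the import file carries one credential labelled "initial".
        User existing = new User("myinitialclientuser", null);
        User patched = stripInitial(new User("myinitialclientuser",
                List.of(new Credential(INITIAL, "changed-password"))));

        // null and [] are not equal, so a field-by-field comparison asks for an update.
        System.out.println("update needed (raw):        " + !existing.equals(patched));
        // After normalization both sides match and no update request is sent.
        System.out.println("update needed (normalized): "
                + !normalize(existing).equals(normalize(patched)));
    }
}
```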