From 4dd991bc308257a75f3b6be1d8e304645782949f Mon Sep 17 00:00:00 2001
From: Brad Stein <Brad.Stein@gmail.com>
Date: Fri, 2 Jan 2026 17:42:03 -0300
Subject: [PATCH] portal: fix keycloak admin user lookup

---
 backend/atlas_portal/keycloak.py | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/backend/atlas_portal/keycloak.py b/backend/atlas_portal/keycloak.py
index 64f9b8b..970f009 100644
--- a/backend/atlas_portal/keycloak.py
+++ b/backend/atlas_portal/keycloak.py
@@ -94,7 +94,9 @@ class KeycloakAdminClient:
 
     def find_user(self, username: str) -> dict[str, Any] | None:
         url = f"{settings.KEYCLOAK_ADMIN_URL}/admin/realms/{settings.KEYCLOAK_REALM}/users"
-        params = {"username": username, "exact": "true"}
+        # Keycloak 26.x in our environment intermittently 400s on filtered user queries unless `max` is set.
+        # Use `max=1` and exact username match to keep admin calls reliable for portal provisioning.
+        params = {"username": username, "exact": "true", "max": "1"}
         with httpx.Client(timeout=settings.HTTP_CHECK_TIMEOUT_SEC) as client:
             resp = client.get(url, params=params, headers=self._headers())
             resp.raise_for_status()