Adding roles to Service Account user allows to update user by serviceAccountClientId but is not working correctly

[Sebastian-Gil-wcq]

Current Behavior

We are provisioning clients with service accounts. Some of them use client roles binded with service user. The most convenient way to provision such client roles is to use serviceAccountClientId since it is a part of the provisioned change. The operation is successful, but strange things happens. Service accounts users get roles from a wrong client, or they don't get role assigned at all. The solution is to add the username to each entry in the users collection. However, now we have to use a generated username with prefix 'service-account-'. In case Keycloak changes that behaviour and stops prefixing service users with 'service-account-' there will be no way to "guess" that auto-generated name. To summarise I see two issues here:

1. I'm allowed to create a user using serviceAccountClientId, but this is not working correctly
2. In fact I'm not able to use serviceAccountClientId which seems to be the most convenient thing to do when I provision a client with service account.

Expected Behavior

When I update service account user using serviceAccountClientId I want roles to be correctly applied to the user.

Steps To Reproduce

Sample config

realm: test
clients:
  - clientId: api-event-mgmt
    description: desc
    enabled: true
    clientAuthenticatorType: client-secret
    secret: secret
    standardFlowEnabled: true
    implicitFlowEnabled: false
    directAccessGrantsEnabled: true
    serviceAccountsEnabled: true
    publicClient: false
    frontchannelLogout: true
    protocol: openid-connect
    attributes:
      oidc.ciba.grant.enabled: 'false'
      backchannel.logout.session.required: 'true'
      display.on.consent.screen: 'false'
      oauth2.device.authorization.grant.enabled: 'false'
      backchannel.logout.revoke.offline.tokens: 'false'
    fullScopeAllowed: true
    authorizationServicesEnabled: false
  - clientId: api-event-mgmt
    description: desc
    enabled: true
    clientAuthenticatorType: client-secret
    secret: secret
    standardFlowEnabled: true
    implicitFlowEnabled: false
    directAccessGrantsEnabled: true
    serviceAccountsEnabled: true
    publicClient: false
    frontchannelLogout: true
    protocol: openid-connect
    attributes:
      oidc.ciba.grant.enabled: 'false'
      backchannel.logout.session.required: 'true'
      display.on.consent.screen: 'false'
      oauth2.device.authorization.grant.enabled: 'false'
      backchannel.logout.revoke.offline.tokens: 'false'
    fullScopeAllowed: true
    authorizationServicesEnabled: false
users:
  - serviceAccountClientId: api-client-mgmt
    realmRoles: [ ]
    clientRoles:
      realm-management:
        - view-realm
        - manage-users
        - query-clients
        - manage-clients
  - serviceAccountClientId: api-event-mgmt
    realmRoles: [ ]
    clientRoles:
      realm-management:
        - view-events
        - manage-events

### Environment

- Keycloak Version: 24.0.2
- keycloak-config-cli Version: Docker image: adorsys/keycloak-config-cli:latest
[5.12.0-24.0.1](https://hub.docker.com/layers/adorsys/keycloak-config-cli/5.12.0-24.0.1/images/sha256-e9ec13c190a6adfd706b1d8a5c71d5434c4766d066259b14b05c3361c04d77c9?context=explore)
- Java Version: 17
 


### Anything else?

_No response_

[blanser-cc]

Just wanted to add that we have exactly the same issue with one of our customers.