Plugin migrating users without password validation
I am running the current commit of this plugin with the standard Dockerfile of Keycloak 15.0.0 in it. I have run all previous commits for test as well.
Initially it all worked fine, and my users have been migrated only after my POST REST legacy endpoint returned 200 for a valid password.
Now, after no changes were made, to the best of my knowledge, users are being migrated (although not logged in) without their passwords when they submit a wrong password (GET returns 200, POST returns 401 for a wrong password). Previously the user was not migrated in this situation. Now it is, according to this log:
2021-08-23T22:49:49.521910840Z 22:49:49,521 INFO [com.danielfrak.code.keycloak.providers.rest.remote.UserModelFactory] (default task-4) Creating user model for: matheusmansour
We can see my REST microservice has been called with a POST status code different from 200, nonetheless:
2021-08-23T22:49:49.515833Z GET 200 964 B 39 ms Apache-HttpClient/4.5.13 (Java/11.0.12) https://facily-wp-user-migration-ch4ssh6qga-uc.a.run.app/auth/matheusmansour
Aviso
2021-08-23T22:49:49.579379Z POST 401 719 B 21 ms Apache-HttpClient/4.5.13 (Java/11.0.12) https://facily-wp-user-migration-ch4ssh6qga-uc.a.run.app/auth/matheusmansour
Any clue why this might be happening? I've been stuck with it for 4 days with code breaking in production and had to turn the plugin off. Thanks very much for any help!!
Top GitHub Comments
After some further digging I found a fix that appears to work, although I am not sure of the further implications. Based on the LDAP provider built into Keycloak, I found there was some code checking if the user already exists in Keycloak before attempting to create it, whereas the legacy plugin just attempts to create the user every time we find by username or by email; obviously the reset password flow is searching for the user twice and therefore trying to duplicate the record.
I updated the getUserModel in LegacyProvider.java as follows:
I am not submitting this as a PR right now because this breaks a number of tests and I am not the most familiar with Java testing frameworks and frankly, having been battling with this whole setup for several weeks now, I am a bit burnt out on this. Hopefully someone else can take this and make this into a workable PR.
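The approach the comment above describes (look in Keycloak's own local store before creating the user, as the built-in LDAP provider does) as an added illustration: this is not the commenter's patch and not code from the plugin. `IdempotentImport`, `findOrImport` and the `importer` callback are hypothetical names; the example assumes the Keycloak 15 `KeycloakSession.userLocalStorage()` accessor and the `UserLookupProvider` methods with the `(RealmModel, String)` parameter order.

```java
import java.util.function.Supplier;

import org.keycloak.models.KeycloakSession;
import org.keycloak.models.RealmModel;
import org.keycloak.models.UserModel;

/**
 * Hypothetical helper (not part of the plugin) showing an idempotent import:
 * a local Keycloak user is created only if none with that username or e-mail
 * exists yet. A flow that looks the user up twice (reset password searches by
 * username and again by e-mail) then gets the same row back instead of a
 * duplicate-record error.
 */
public final class IdempotentImport {

    private IdempotentImport() {
    }

    public static UserModel findOrImport(KeycloakSession session, RealmModel realm,
                                         String username, String email,
                                         Supplier<UserModel> importer) {
        // Assumption: userLocalStorage() (Keycloak 15) queries Keycloak's own
        // database only, so this check does not recurse back into the federation
        // provider the way session.users() would.
        UserModel existing = session.userLocalStorage().getUserByUsername(realm, username);
        if (existing == null && email != null) {
            existing = session.userLocalStorage().getUserByEmail(realm, email);
        }
        if (existing != null) {
            return existing; // already migrated earlier in this flow (or before); reuse it
        }
        // Only now create the local user from the legacy record. In an
        // import-on-lookup provider this still runs before any credential check:
        // the lookup, not a valid password, is what creates the local user.
        return importer.get();
    }
}
```

In a provider, `getUserByUsername` and `getUserByEmail` would call `findOrImport` and pass their existing user-creation code as the `importer`. The password check is a separate step (`CredentialInputValidator.isValid`) that Keycloak runs after the lookup, which is consistent with the log in the issue: the "Creating user model" line appears after the GET and before the POST that returned 401, so a wrong password does not undo an import that the lookup has already performed.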
I am getting the same problem with forgotten password behaviour; it seems like UserModelFactory::create ends up being called twice and this throws a duplicate record error. This issue is a showstopper for us: we can't migrate users without the ability for users to recover a lost password, and, as is always the case, many users will not have their correct password. Would really love some further input on this, but right now it seems like maybe it's a bug in Keycloak's user federation and how that interacts with plugins?