
Fix serialisation of UserStorageProvider config


I’m afraid this is not yet finally fixed with 19.0.2 and should be re-opened (or should I create a new issue for it?).

While the dynamic fields are now properly rendered and filled with data, it’s not possible to edit and submit data to the server. There is an exception thrown:

2022-09-14 10:57:28,941 ERROR [org.keycloak.services.error.KeycloakErrorHandler] (executor-thread-5) Uncaught server error: com.fasterxml.jackson.databind.exc.MismatchedInputException: Cannot construct instance of `java.util.ArrayList` (although at least one Creator exists): no String-argument constructor/factory method to deserialize from String value ('https://kze2nq1l79.execute-api.eu-central-1.amazonaws.com/peanuts')
 at [Source: (io.quarkus.vertx.http.runtime.VertxInputStream); line: 1, column: 74] (through reference chain: org.keycloak.representations.idm.ComponentRepresentation["config"]->org.keycloak.common.util.MultivaluedHashMap["peanutsBaseUrl"])
    at com.fasterxml.jackson.databind.exc.MismatchedInputException.from(MismatchedInputException.java:63)
    at com.fasterxml.jackson.databind.DeserializationContext.reportInputMismatch(DeserializationContext.java:1728)
    at com.fasterxml.jackson.databind.DeserializationContext.handleMissingInstantiator(DeserializationContext.java:1353)
    at com.fasterxml.jackson.databind.deser.std.StdDeserializer._deserializeFromString(StdDeserializer.java:311)
    at com.fasterxml.jackson.databind.deser.std.StringCollectionDeserializer.handleNonArray(StringCollectionDeserializer.java:284)
    at com.fasterxml.jackson.databind.deser.std.StringCollectionDeserializer.deserialize(StringCollectionDeserializer.java:192)
    at com.fasterxml.jackson.databind.deser.std.StringCollectionDeserializer.deserialize(StringCollectionDeserializer.java:182)
    at com.fasterxml.jackson.databind.deser.std.StringCollectionDeserializer.deserialize(StringCollectionDeserializer.java:25)
    at com.fasterxml.jackson.databind.deser.std.MapDeserializer._readAndBindStringKeyMap(MapDeserializer.java:609)
    at com.fasterxml.jackson.databind.deser.std.MapDeserializer.deserialize(MapDeserializer.java:437)
    at com.fasterxml.jackson.databind.deser.std.MapDeserializer.deserialize(MapDeserializer.java:32)
    at com.fasterxml.jackson.databind.deser.impl.MethodProperty.deserializeAndSet(MethodProperty.java:129)
    at com.fasterxml.jackson.databind.deser.BeanDeserializer.vanillaDeserialize(BeanDeserializer.java:313)
    at com.fasterxml.jackson.databind.deser.BeanDeserializer.deserialize(BeanDeserializer.java:176)
    at com.fasterxml.jackson.databind.deser.DefaultDeserializationContext.readRootValue(DefaultDeserializationContext.java:323)
    at com.fasterxml.jackson.databind.ObjectReader._bind(ObjectReader.java:2025)
    at com.fasterxml.jackson.databind.ObjectReader.readValue(ObjectReader.java:1175)
...

When comparing the payload which is sent from the UI to the server between old and new UI, I get the following:

Old UI:

{
    "name": "peanuts",
    "providerId": "peanuts-user-provider",
    "providerType": "org.keycloak.storage.UserStorageProvider",
    "parentId": "demo",
    "config": {
        "enabled": [
            "true"
        ],
        "cachePolicy": [
            "DEFAULT"
        ],
        "peanutsBaseUrl": [
            "https://someid.execute-api.eu-central-1.amazonaws.com/peanuts"
        ],
        "peanutsAuthUsername": [
            "peanuts"
        ],
        "peanutsAuthPassword": [
            "s3cr3t"
        ]
    }
}

New UI:

{
    "name": "peanuts",
    "config": {
        "peanutsBaseUrl": "https://someid.execute-api.eu-central-1.amazonaws.com/peanuts",
        "peanutsAuthUsername": "peanuts",
        "peanutsAuthPassword": "s3cr3t",
        "enabled": [
            "true"
        ],
        "cachePolicy": [
            "DEFAULT"
        ]
    },
    "providerId": "peanuts-user-provider",
    "providerType": "org.keycloak.storage.UserStorageProvider",
    "parentId": "demo"
}

So, the custom properties (in the example, those starting with “peanuts…”) must be submitted as a string array, not a pure string. Please check this also for all other types, not only for strings.

Thanks.

_Originally posted by @dasniko in https://github.com/keycloak/keycloak-ui/issues/2989#issuecomment-1246611796_
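The report above boils down to a payload-shape mismatch: the server deserialises `ComponentRepresentation.config` into a `MultivaluedHashMap<String, String>`, so every value under `config` has to arrive as a JSON array of strings, while the new admin UI sent the custom provider properties as bare strings. The following is an added TypeScript example, not code from the Keycloak project or from the issue author, showing a client-side normalisation that wraps any scalar (string, number or boolean, covering the "all other types" request) into a string array before the request is sent, plus a check that lists the keys the server would reject. The helper names (`toStringArray`, `normaliseConfig`, `findNonArrayKeys`, `fixPayload`) are hypothetical, and the sample payload is constructed from the "New UI" JSON in the report.

```typescript
// Added example (not Keycloak's own code). Normalises a ComponentRepresentation
// "config" object so every value is a string[] as the server-side
// MultivaluedHashMap<String, String> expects. Helper names are hypothetical.

type Scalar = string | number | boolean;
type ConfigValue = Scalar | null | undefined | Scalar[];
type RawConfig = Record<string, ConfigValue>;
type NormalisedConfig = Record<string, string[]>;

/** Turn one config value into the string[] shape the server accepts.
 *  Arrays are kept (elements stringified), scalars are wrapped, null/undefined
 *  become an empty list rather than a literal "null" string. */
function toStringArray(value: ConfigValue): string[] {
  if (value === null || value === undefined) return [];
  const items: Scalar[] = Array.isArray(value) ? value : [value];
  return items.map((v) => String(v));
}

/** Normalise every entry of a component config; works for any scalar type,
 *  not only strings, which is the generalisation the report asks for. */
function normaliseConfig(config: RawConfig): NormalisedConfig {
  const out: NormalisedConfig = {};
  for (const [key, value] of Object.entries(config)) {
    out[key] = toStringArray(value);
  }
  return out;
}

/** Pre-flight check: keys whose values are not a string[] and would therefore
 *  trigger the MismatchedInputException seen in the server log. */
function findNonArrayKeys(config: Record<string, unknown>): string[] {
  return Object.entries(config)
    .filter(([, v]) => !Array.isArray(v) || !v.every((x) => typeof x === "string"))
    .map(([k]) => k)
    .sort();
}

/** Return a copy of the payload with its config normalised. */
function fixPayload<T extends { config: RawConfig }>(payload: T): T & { config: NormalisedConfig } {
  return { ...payload, config: normaliseConfig(payload.config) };
}

// Constructed sample: the shape the new admin UI sent according to the report.
const newUiPayload = {
  name: "peanuts",
  config: {
    peanutsBaseUrl: "https://someid.execute-api.eu-central-1.amazonaws.com/peanuts",
    peanutsAuthUsername: "peanuts",
    peanutsAuthPassword: "s3cr3t",
    enabled: ["true"],
    cachePolicy: ["DEFAULT"],
  },
  providerId: "peanuts-user-provider",
  providerType: "org.keycloak.storage.UserStorageProvider",
  parentId: "demo",
};

// Usage: report what the server would reject, then send the normalised form.
console.log("rejected keys before fix:", findNonArrayKeys(newUiPayload.config));
const fixedPayload = fixPayload(newUiPayload);
console.log("rejected keys after fix:", findNonArrayKeys(fixedPayload.config));
console.log(JSON.stringify(fixedPayload, null, 2));
```

Running the check on the constructed payload flags the three "peanuts…" keys and nothing after normalisation; the `enabled` and `cachePolicy` entries, which the UI already sent as arrays, pass through unchanged. Note that the config carries a credential (`peanutsAuthPassword`), so any debugging that dumps the payload, as the last line does, should not be left in production client code.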

Issue Analytics

  • State: closed
  • Created a year ago
  • Comments:12 (5 by maintainers)

Top GitHub Comments

3 reactions
ssilvert commented, Oct 12, 2022

@Neeya123 Version 20.0.0 should be out in 1 to 2 weeks.

2 reactions
jonkoops commented, Sep 15, 2022

We don’t give timelines for fixes, we’ll get to it when we can. That said, this seems high prio so I expect it would get picked up soon.
