Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Interesting issue regarding group required extension #19

Open
toddas opened this issue Jan 21, 2021 · 3 comments
Open

Interesting issue regarding group required extension #19

toddas opened this issue Jan 21, 2021 · 3 comments

Comments

@toddas
Copy link

toddas commented Jan 21, 2021

Hi after I set up my required group it lets me log in without the group anyway. I am getting this warning WARN [org.keycloak.events] (default task-1163) type=LOGIN_ERROR, realmId=realmname, clientId=clientid, userId=null, ipAddress=localipadress, error=rejected_by_user, auth_method=saml, redirect_uri=realm/sso/auth/samlp, code_id=560cd383-5c91-497b-89e1-213516516, username=myusername, authSessionParentId=213213132-5c91-497b-89e1-4dfd11a0c332, authSessionTabId=1321321321

Please help I am using this flow:
image

Thank you in advance I am using 10.0.1 in standalone mode
@NikMashei
Copy link

@toddas
Maybe your problem refers to this error in flow? Did you to try put 'Require Group' on different level?

@jsalatiel
Copy link

@toddas I use a different flow.

image

Although I can see the expected behaviour when users not in "test" group can not login, I do not like that I do not see in the debug logs the message I expect reading the source code. The message I expect in logs is:

image

But this is what I get: ( similar to yours )

23:35:55,771 DEBUG [org.keycloak.authentication.DefaultAuthenticationFlow] (default task-27) action: auth-username-password-form
23:35:55,791 DEBUG [org.keycloak.authentication.DefaultAuthenticationFlow] (default task-27) authenticator SUCCESS: auth-username-password-form
23:35:55,791 DEBUG [org.keycloak.authentication.DefaultAuthenticationFlow] (default task-27) check execution: 'test forms flow', requirement: 'ALTERNATIVE'
23:35:55,791 DEBUG [org.keycloak.authentication.DefaultAuthenticationFlow] (default task-27) processFlow: test forms
23:35:55,791 DEBUG [org.keycloak.authentication.DefaultAuthenticationFlow] (default task-27) check execution: 'auth-username-password-form', requirement: 'REQUIRED'
23:35:55,791 DEBUG [org.keycloak.authentication.DefaultAuthenticationFlow] (default task-27) execution 'auth-username-password-form' is processed
23:35:55,792 DEBUG [org.keycloak.authentication.DefaultAuthenticationFlow] (default task-27) check execution: 'require-group', requirement: 'REQUIRED'
23:35:55,792 DEBUG [org.keycloak.authentication.DefaultAuthenticationFlow] (default task-27) authenticator: require-group
23:35:55,792 DEBUG [org.keycloak.authentication.AuthenticationSelectionResolver] (default task-27) Selections when trying execution 'require-group' : [ authSelection - require-group]
23:35:55,792 DEBUG [org.keycloak.authentication.DefaultAuthenticationFlow] (default task-27) invoke authenticator.authenticate: require-group
23:35:55,792 WARN  [org.keycloak.events] (default task-27) type=LOGIN_ERROR, realmId=master, clientId=debug, userId=null, ipAddress=192.168.254.1, error=rejected_by_user, auth_method=openid-connect, auth_type=code, redirect_uri=https://oidcdebugger.com/debug, code_id=9e745c63-f1c3-4231-8f7d-a31693431371, username=test, authSessionParentId=9e745c63-f1c3-4231-8f7d-a31693431371, authSessionTabId=MD3FhYI0KiE

And this is what I get when the user IS in the group:

23:37:23,627 DEBUG [org.keycloak.authentication.DefaultAuthenticationFlow] (default task-30) action: auth-username-password-form
23:37:23,646 DEBUG [org.keycloak.authentication.DefaultAuthenticationFlow] (default task-30) authenticator SUCCESS: auth-username-password-form
23:37:23,646 DEBUG [org.keycloak.authentication.DefaultAuthenticationFlow] (default task-30) check execution: 'test forms flow', requirement: 'ALTERNATIVE'
23:37:23,646 DEBUG [org.keycloak.authentication.DefaultAuthenticationFlow] (default task-30) processFlow: test forms
23:37:23,646 DEBUG [org.keycloak.authentication.DefaultAuthenticationFlow] (default task-30) check execution: 'auth-username-password-form', requirement: 'REQUIRED'
23:37:23,646 DEBUG [org.keycloak.authentication.DefaultAuthenticationFlow] (default task-30) execution 'auth-username-password-form' is processed
23:37:23,647 DEBUG [org.keycloak.authentication.DefaultAuthenticationFlow] (default task-30) check execution: 'require-group', requirement: 'REQUIRED'
23:37:23,647 DEBUG [org.keycloak.authentication.DefaultAuthenticationFlow] (default task-30) authenticator: require-group
23:37:23,647 DEBUG [org.keycloak.authentication.AuthenticationSelectionResolver] (default task-30) Selections when trying execution 'require-group' : [ authSelection - require-group]
23:37:23,647 DEBUG [org.keycloak.authentication.DefaultAuthenticationFlow] (default task-30) invoke authenticator.authenticate: require-group
23:37:23,647 DEBUG [org.keycloak.authentication.DefaultAuthenticationFlow] (default task-30) authenticator SUCCESS: require-group
23:37:23,647 DEBUG [org.keycloak.authentication.DefaultAuthenticationFlow] (default task-30) Flow 'test forms flow' successfully finished
23:37:23,647 DEBUG [org.keycloak.authentication.DefaultAuthenticationFlow] (default task-30) processFlow: test

I am still debugging, but if anyone can lead me to the right place to understand this behaviour I would be glad.

@NikMashei
Copy link

NikMashei commented Mar 11, 2021
edited
Loading

@toddas I use a different flow.

image

Although I can see the expected behaviour when users not in "test" group can not login, I do not like that I do not see in the debug logs the message I expect reading the source code. The message I expect in logs is:

image

But this is what I get: ( similar to yours )

23:35:55,771 DEBUG [org.keycloak.authentication.DefaultAuthenticationFlow] (default task-27) action: auth-username-password-form
23:35:55,791 DEBUG [org.keycloak.authentication.DefaultAuthenticationFlow] (default task-27) authenticator SUCCESS: auth-username-password-form
23:35:55,791 DEBUG [org.keycloak.authentication.DefaultAuthenticationFlow] (default task-27) check execution: 'test forms flow', requirement: 'ALTERNATIVE'
23:35:55,791 DEBUG [org.keycloak.authentication.DefaultAuthenticationFlow] (default task-27) processFlow: test forms
23:35:55,791 DEBUG [org.keycloak.authentication.DefaultAuthenticationFlow] (default task-27) check execution: 'auth-username-password-form', requirement: 'REQUIRED'
23:35:55,791 DEBUG [org.keycloak.authentication.DefaultAuthenticationFlow] (default task-27) execution 'auth-username-password-form' is processed
23:35:55,792 DEBUG [org.keycloak.authentication.DefaultAuthenticationFlow] (default task-27) check execution: 'require-group', requirement: 'REQUIRED'
23:35:55,792 DEBUG [org.keycloak.authentication.DefaultAuthenticationFlow] (default task-27) authenticator: require-group
23:35:55,792 DEBUG [org.keycloak.authentication.AuthenticationSelectionResolver] (default task-27) Selections when trying execution 'require-group' : [ authSelection - require-group]
23:35:55,792 DEBUG [org.keycloak.authentication.DefaultAuthenticationFlow] (default task-27) invoke authenticator.authenticate: require-group
23:35:55,792 WARN  [org.keycloak.events] (default task-27) type=LOGIN_ERROR, realmId=master, clientId=debug, userId=null, ipAddress=192.168.254.1, error=rejected_by_user, auth_method=openid-connect, auth_type=code, redirect_uri=https://oidcdebugger.com/debug, code_id=9e745c63-f1c3-4231-8f7d-a31693431371, username=test, authSessionParentId=9e745c63-f1c3-4231-8f7d-a31693431371, authSessionTabId=MD3FhYI0KiE

And this is what I get when the user IS in the group:

23:37:23,627 DEBUG [org.keycloak.authentication.DefaultAuthenticationFlow] (default task-30) action: auth-username-password-form
23:37:23,646 DEBUG [org.keycloak.authentication.DefaultAuthenticationFlow] (default task-30) authenticator SUCCESS: auth-username-password-form
23:37:23,646 DEBUG [org.keycloak.authentication.DefaultAuthenticationFlow] (default task-30) check execution: 'test forms flow', requirement: 'ALTERNATIVE'
23:37:23,646 DEBUG [org.keycloak.authentication.DefaultAuthenticationFlow] (default task-30) processFlow: test forms
23:37:23,646 DEBUG [org.keycloak.authentication.DefaultAuthenticationFlow] (default task-30) check execution: 'auth-username-password-form', requirement: 'REQUIRED'
23:37:23,646 DEBUG [org.keycloak.authentication.DefaultAuthenticationFlow] (default task-30) execution 'auth-username-password-form' is processed
23:37:23,647 DEBUG [org.keycloak.authentication.DefaultAuthenticationFlow] (default task-30) check execution: 'require-group', requirement: 'REQUIRED'
23:37:23,647 DEBUG [org.keycloak.authentication.DefaultAuthenticationFlow] (default task-30) authenticator: require-group
23:37:23,647 DEBUG [org.keycloak.authentication.AuthenticationSelectionResolver] (default task-30) Selections when trying execution 'require-group' : [ authSelection - require-group]
23:37:23,647 DEBUG [org.keycloak.authentication.DefaultAuthenticationFlow] (default task-30) invoke authenticator.authenticate: require-group
23:37:23,647 DEBUG [org.keycloak.authentication.DefaultAuthenticationFlow] (default task-30) authenticator SUCCESS: require-group
23:37:23,647 DEBUG [org.keycloak.authentication.DefaultAuthenticationFlow] (default task-30) Flow 'test forms flow' successfully finished
23:37:23,647 DEBUG [org.keycloak.authentication.DefaultAuthenticationFlow] (default task-30) processFlow: test

I am still debugging, but if anyone can lead me to the right place to understand this behaviour I would be glad.

I highly recommend you to 'override' behavior when user is not in group. It allows you to see auth error in your browser.

if (!isMemberOfGroup(realm, user, groupPath)) {

            String errorMessage = "Access denied because of missing group membership. realm=%s username=%s groupPath=%s";
            LOG.debugf(errorMessage, realm.getName(), user.getUsername(), groupPath);
            Response errorResponse = context.form()
                    .setError(errorMessage, null)
                    .createForm("error.ftl");
            context.failure(AuthenticationFlowError.INVALID_USER, errorResponse);
            return;
        }

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
3 participants
@jsalatiel @toddas @NikMashei