Keycloak Identity Broker - Possible to create invalid User-Accounts - keycloak

When using Keycloak as an Identity Broker there seems to be an issue with some usernames. Default behavior of Keycloak is that when some info (username/email/firstname/lastname) is missing the "Update Account Information" is displayed.
So far so good. The issue though is that you can actually save an invalid username that way, e.g. (asd/fölkj - notice the slash). Now I basically created a broken user that can no longer be modified, not even using the Admin-UI:
You can't save it like that because the username is invalid, but you can't change the username since it is read-only.
This seems to be a bug. The bigger issue for me though is that the IDP we are connecting to does not return the email claim (otherwise I could use that as username too). It only returns a "sub", and since sadly this DOES contain slashes, the account is broken if the user does not pick another username. I took a look at the "UsernameTemplateMapper", but it seems a bit limited. Is there any way to just remove all slashes from the "sub" claim and STILL use it as the default username?

Related

Where does ${authAdminUrl} come from?

for the default clients (i.e. admin) the Base URL is set to /realms/something/account/. The Root URL is set to ${authBaseUrl}.
When I look in the clients overview, I can see the Base URL is shown as https://mydomain/auth/realms/something/account/
I'm trying to understand where the values mydomain and auth come from.
I've read Where does ${authAdminUrl} come from and how do I manipulate it? and can confirm that the variable is not set in standalone.xml and also not set via the environment variable KEYCLOAK_HOSTNAME.
This page: https://www.keycloak.org/server/hostname#_administration_console doesn't mention authAdminUrl explicitly, but the value specified in --hostname-admin-url as suggested there got picked in admin clients that use authAdminUrl in my environment.

Keycloak registration throws HTTP 500 for duplicate email

I know there's an earlier question with this subject here, but the OP never reported if the one answer resolved the issue. And since "Internal Server Error" is about as user-unfriendly as you can get, I would love to change this to something that feels more like "a message" than "an anvil dropped on your foot".
I have found one other SO post that tangentially relates to this issue (about that disappearing "duplicate emails" switch), but the problem is indeed not about whether or not to allow duplicate emails (or how to revive hidden admin controls) but how a very ordinary issue is communicated to the user - well, like how Keycloak notifies the user when they try and register with an existing username.
We're currently using the Docker version of Keycloak 12.0.4 with some customisations (a custom BCrypt module, some logging changes) running in IBM Cloud, using a Postgresql DB. We also added a custom theme & internationalisation. The same error occurs also when using the default Keycloak theme, though.
Here are our Login settings:
It turned out to be a configuration issue, but so deeply hidden that even the Keycloak developer who looked into the ticket I created had glossed over it.
The perpetrator was in menu Configure > Authentication > tab: Flows > choose dropdown: Registration > Profile validation radio button [o REQUIRED | o DISABLED]
This was set to disabled, which in effect prevents the duplicate email check in the registration form that the Realm settings > tab: Login form suggest are active. But then, of course, the database won't like that, with above-mentioned result.
This combination of settings should at least issue a warning, of course. I hope this will be corrected.

REST API User Resource and its Password

I'm still learning REST API principles and this one still confuses me. Password inside User Resource is private and of course cannot be placed in a response, while sometimes we need to get user data for public (e.g. when someone seeing someone else's user page). How do we handle this based on REST API principles? Should I remove password inside response before sending it?
Yes, you should not return the password in the response. I would suggest creating two DTOs:
UserInputDTO: this contains the password and the other values.
UserOutputDTO: here you have only those fields which are useful for the output; the password field and fields related to your internal implementation are excluded.
If your input and output look the same, then you can add the JsonIgnore annotation on the password field.
If by removing you meant setting it to null, then the user can still see the field name "password", and if at any time you forget to set it to null it will be a security issue. To solve this, use the JsonIgnore annotation.
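The two-DTO split and the @JsonIgnore fallback described in the answer above, as an added example that is not part of the original answer. It uses Jackson (com.fasterxml.jackson); the class names UserInputDTO, UserOutputDTO, UserEntity and the mapping method toOutput are illustrative assumptions, and the request body and id are constructed sample values.

```java
import com.fasterxml.jackson.annotation.JsonIgnore;
import com.fasterxml.jackson.databind.ObjectMapper;

// Added example (not the answer's own code): one inbound shape that carries the
// password, one outbound shape that structurally cannot, and an annotated
// entity for the case where a single class must serve both directions.
public class UserDtoExample {

    // Inbound shape: what the client sends to create a user. It carries the
    // plaintext password once, on the way in, and is never serialized back out.
    public static class UserInputDTO {
        public String username;
        public String email;
        public String password;
    }

    // Outbound shape: what any caller (including other users) may see. There is
    // no password field at all, so nothing can leak through a forgotten null-out.
    public static class UserOutputDTO {
        public String id;
        public String username;
        public String email;
    }

    // Persistence shape, for when one class is reused in responses: the hash is
    // marked @JsonIgnore so Jackson omits the key entirely rather than emitting null.
    public static class UserEntity {
        public String id;
        public String username;
        public String email;
        @JsonIgnore
        public String passwordHash;
    }

    // Explicit field-by-field copy: the mapping itself is the control, and a new
    // secret field added to the entity later is not exposed unless copied here.
    public static UserOutputDTO toOutput(UserEntity entity) {
        UserOutputDTO out = new UserOutputDTO();
        out.id = entity.id;
        out.username = entity.username;
        out.email = entity.email;
        return out;
    }

    public static void main(String[] args) throws Exception {
        ObjectMapper mapper = new ObjectMapper();

        // Constructed sample request body (not real data)
        String requestJson =
            "{\"username\":\"alice\",\"email\":\"alice@example.test\",\"password\":\"correct horse\"}";
        UserInputDTO in = mapper.readValue(requestJson, UserInputDTO.class);

        UserEntity stored = new UserEntity();
        stored.id = "u-1";                         // constructed id
        stored.username = in.username;
        stored.email = in.email;
        stored.passwordHash = "<hash of in.password>"; // placeholder: derive with a real password hash

        // Response built from the output DTO: no password key exists in the JSON.
        System.out.println(mapper.writeValueAsString(toOutput(stored)));
        // Response built from the annotated entity: passwordHash is skipped by Jackson.
        System.out.println(mapper.writeValueAsString(stored));
    }
}
```

Both printed documents contain only id, username and email. Prefer the separate output DTO where you can: it fails closed, whereas the annotation has to be remembered on every sensitive field.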

Preventing user from modifying their name in Keycloak

In Keycloak, by default, users are able to change their first and last name in the account manager page. However, is it possible to disable this behavior?
Removing both fields in the theme results in those values not being sent and the form failing, and a hand-crafted POST request would defeat this method anyway.
I came across a similar problem and, after reading this SO post, came to know that although you can disable/hide fields in the ftl, you cannot disable form validation.
For e.g. I hid the firstname field, but still cannot submit. The result was the same with disable as well:
I am not aware of disabling a particular field in some other way. However, there is a workaround in which you can disable the entire account modification flow (the password can still be changed via the Forgot Password option).
By default, account modification is enabled, but you can disable it for a particular realm by going to Realms -> Clients -> Account.
The result of this will be that the account page is inaccessible:
You can remove the client role 'manage_account' for client 'account'.
In Keycloak, by default, users are able to change their first and last name in the account manager page. Is it possible to disable this behavior?
That can be done out-of-the-box (since Keycloak 14) by using the user profile functionality. First, the preview feature declarative-user-profile has to be enabled. For that, start the server with:
--features=declarative-user-profile
for the Quarkus version, or with
-Dkeycloak.profile.feature.declarative_user_profile=enabled
for the Wildfly version.
Bear in mind that:
Declarative User Profile is Technology Preview and is not fully supported.
After starting the server with the aforementioned option, go to the Keycloak Admin Console and:
Go to the according Realm;
Go to the tab General;
Set User Profile enabled to ON.
A new tab named User Profile (top right) will show up; click on it, and a set of configurable attributes will be shown.
Click on firstName, and then go to Permissions
In that section the permissions can be changed, accordingly. For example, if one sets Can user edit? to OFF, then when the user tries to change the firstName field in the account UI, that UI throws the following warning message:
The field First name is read only.
The same configuration can also be applied to the lastName attribute.
For the new Keycloak UI the workflow is exactly the same as the one I have just described. More information about the feature can be found in the official Keycloak documentation (link).
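The same permission change expressed as a user profile configuration, as an added example that is not part of the answer above. It is written in the JSON form that the User Profile tab's JSON editor exposes, with view and edit permissions per attribute; the attribute list, the required roles and the exact key names follow the feature's schema as I understand it and should be checked against the JSON editor on your own server. With this configuration firstName and lastName stay visible to the user but are editable only by an admin, which is what produces the "read only" warning in the account UI.

```json
{
  "attributes": [
    {
      "name": "username",
      "permissions": { "view": ["admin", "user"], "edit": ["admin", "user"] }
    },
    {
      "name": "email",
      "required": { "roles": ["user"] },
      "permissions": { "view": ["admin", "user"], "edit": ["admin", "user"] }
    },
    {
      "name": "firstName",
      "required": { "roles": ["user"] },
      "permissions": { "view": ["admin", "user"], "edit": ["admin"] }
    },
    {
      "name": "lastName",
      "required": { "roles": ["user"] },
      "permissions": { "view": ["admin", "user"], "edit": ["admin"] }
    }
  ]
}
```

Because the permissions are enforced by the server's user profile validation rather than by the theme, a hand-crafted POST from the account page cannot bypass them, which is the gap the theme-only approaches in the earlier answers leave open.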
You can use the readonly property to disable the email field; just change the following line:
<input type="text" class="form-control" id="email" name="email" readonly autofocus value="${(account.email!'')}"/>

Keycloak says it imports users but they don't show up

I've setup keycloak to import users from an openldap server. As a test run, I went with the default h2 to see if I could get it running. It connects and authenticates correctly. Once I hit synchronize all users, it reports back Success x imported users, 0 changed users. After going into Manage=>Users and clicking on View all Users, it only shows a generic Username user with the email user#user.com.
The only information I get from server.log is the warning message below.
I'm not sure what direction to look for how to fix this. Is there some sort of other place I should look for an error message or some other thing I should try?
2018-12-19 15:56:31,209 WARN [org.keycloak.models.sessions.infinispan.changes.InfinispanChangelogBasedTransaction] (default task-7) Not present cache item for key LoginFailureKey [ realmId=namis. userId=14ed02d1-3ac3-4911-a377-80863f2bde70 ]
Update:
I checked the user_entity table after import and the users are there. Once I go to Manage Users, the users from the realm disappear from the database.
I turned on trace level logging and found the error message
[org.keycloak.storage.UserStorageManager] (default task-1) Removed invalid user 'John Doe'
I searched through the source code and found the function importValidation, which calls the function that removes the user. This seems to happen when a storage provider is null, or when validate is called on a user and realm and it returns a null UserModel.
I also had this issue today and it's possible to just remove the username mapper altogether, as the username attribute is already mapped from Username LDAP attribute in User Federation settings.
It turns out I had one of the mappers incorrect. The username mapper was not mapped to the correct ldap attribute.