KEYCLOAK-12437

User creation is broken if msad-user-account-control-mapper is enabled


      Description

      Before 8.0.0/11802, users were created perfectly with msad-user-account-control-mapper, but now the user creation flow is broken.

      After creating a user in the web console, the user is also created in AD with userAccountControl = 546 and pwdLastSet = 0, which makes sense. The UPDATE_PASSWORD flag is also set.

      The update password email is not sent, though. Investigating a little further, the email is not being sent, with the message "User is disabled".

      Here is an example of a creation flow that is failing:

      import org.keycloak.admin.client.Keycloak
      import org.keycloak.representations.idm.UserRepresentation
      import javax.ws.rs.BadRequestException
      import java.io.ByteArrayInputStream
      import java.nio.charset.StandardCharsets

      // `keycloak` is an already-built admin client (Keycloak.getInstance(...)/KeycloakBuilder)
      // with rights to manage users in the "company" realm.
      lateinit var keycloak: Keycloak

      fun createUser() {
          val realm = keycloak.realm("company")

          // User is explicitly requested as enabled.
          val userRepresentation = UserRepresentation()
          userRepresentation.isEnabled = true
          userRepresentation.firstName = "Test"
          userRepresentation.lastName = "User"
          userRepresentation.email = "it.support@company.com"
          userRepresentation.username = "test.user"

          // Creation succeeds (HTTP 201) and the user is written to AD by the LDAP provider.
          val create = realm.users().create(userRepresentation)
          println(create.status)

          // Reading the user back shows the enabled flag derived from AD, not the one we set.
          val userFound = realm.users().search("test.user")[0]
          println(userFound.isEnabled)

          // Triggering the required action fails because the user is considered disabled.
          try {
              realm.users().get(userFound.id).executeActionsEmail(listOf("UPDATE_PASSWORD"))
          } catch (e: BadRequestException) {
              // Read the JSON error body from the response entity stream.
              val stream = e.response.entity as ByteArrayInputStream
              val n: Int = stream.available()
              val bytes = ByteArray(n)
              stream.read(bytes, 0, n)
              val s = String(bytes, StandardCharsets.UTF_8)
              println(s)
          }
      }

      Output is:

      // create
      201
      // isEnabled
      false
      // execute UPDATE_PASSWORD
      {"errorMessage":"User is disabled"}
      

      Before 8.0.0 we had a special treatment for when pwdLastSet = 0, in which case we would return kcEnabled, but that was removed in https://github.com/keycloak/keycloak/commit/e018ca3e29cd5f0d3a362a3d4a3749c4893f44c6

      We should either go back to the previous isEnabled logic or allow the email to be sent for disabled users (the problem might be bigger than just the update password action, as setting a password manually seems to be failing for me as well on disabled users).
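      The following is an added illustration, not Keycloak's own mapper code: it models how the enabled flag can be derived from the AD attributes quoted in this report (userAccountControl = 546, pwdLastSet = 0), contrasting a check that looks only at the ACCOUNTDISABLE bit with the pre-8.0.0 special case for pwdLastSet = 0 that the report describes. The flag constants are the documented Active Directory userAccountControl bits; the two decision functions are a hypothetical reconstruction of the behaviour described above.

```java
// Added example, not Keycloak's code: models the enabled-flag derivation that the
// msad-user-account-control-mapper performs, using the values quoted in the report.
import java.util.ArrayList;
import java.util.List;

public class MsadEnabledCheck {
    // Documented Active Directory userAccountControl bits; 546 = 512 + 32 + 2.
    static final int ACCOUNTDISABLE = 0x0002;
    static final int PASSWD_NOTREQD = 0x0020;
    static final int NORMAL_ACCOUNT = 0x0200;

    /** Names of the flags set in a userAccountControl value (only the three used here). */
    static List<String> decodeUac(int uac) {
        List<String> flags = new ArrayList<>();
        if ((uac & ACCOUNTDISABLE) != 0) flags.add("ACCOUNTDISABLE");
        if ((uac & PASSWD_NOTREQD) != 0) flags.add("PASSWD_NOTREQD");
        if ((uac & NORMAL_ACCOUNT) != 0) flags.add("NORMAL_ACCOUNT");
        return flags;
    }

    /** Hypothetical model of the post-8.0.0 behaviour: only the AD disable bit decides. */
    static boolean enabledCurrent(int uac) {
        return (uac & ACCOUNTDISABLE) == 0;
    }

    /**
     * Hypothetical model of the pre-8.0.0 behaviour described in the report:
     * pwdLastSet == 0 ("must change password at next logon") is treated as an
     * enabled user so the UPDATE_PASSWORD required action can still run.
     */
    static boolean enabledLegacy(int uac, long pwdLastSet) {
        if (pwdLastSet == 0L) return true;
        return (uac & ACCOUNTDISABLE) == 0;
    }

    public static void main(String[] args) {
        int uac = 546;         // value reported for the freshly created user
        long pwdLastSet = 0L;  // AD forces a password change on first logon
        System.out.println("userAccountControl flags: " + decodeUac(uac));
        System.out.println("enabled (disable bit only): " + enabledCurrent(uac));
        System.out.println("enabled (pwdLastSet=0 special case): " + enabledLegacy(uac, pwdLastSet));
    }
}
```

      With the reported values the first decision yields false, which is what the "User is disabled" error above reflects, while the pwdLastSet special case yields true.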

      People

      • Assignee: Unassigned
      • Reporter: brunojcm (Bruno Medeiros)