Keycloak / KEYCLOAK-15629

problem in Automatically Link Existing First Login Flow + Disabling Automatic User Creation

    Details

    • Type: Bug
    • Status: Triage
    • Priority: Major
    • Resolution: Unresolved
    • Affects Version/s: 11.0.2
    • Fix Version/s: None
    • Component/s: Authentication
    • Labels: None
    • Docs QE Status: NEW
    • QE Status: NEW

      Description

      Hi,

      I am managing one small group's accounts.

      The company provides OpenID Connect at the enterprise level using MS AD FS,

      so I want to set up OIDC for that and create all users manually,

      so that a user who is already registered can log in and use tools like Jenkins,

      and if not registered, they cannot log in.

      I am following https://www.keycloak.org/docs/latest/server_admin/index.html#automatically-link-existing-first-login-flow

      and https://www.keycloak.org/docs/latest/server_admin/index.html#_disabling_automatic_user_creation

      Here's what I did.

      Install MariaDB and Keycloak 11.0.2.

      Log in to the admin console,

      create a new realm


      Authentication > Flows > New

      Alias : Automatically Link

      Top Level Flow Type : generic

      Save

       

      Add execution >

      Provider : Automatically Set Existing User

      Requirement : ALTERNATIVE

       

      Add execution >

      Provider : Create User If Unique

      Requirement : ALTERNATIVE

       

      Flows > First Broker Login >

      Create User If Unique : DISABLED

      Confirm Link Existing Account : DISABLED

       

      select Identity Providers > OpenID Connect v1.0 

      First Login Flow : Automatically Link

      Sync Mode : force

      Authorization URL : input

      Token URL : input

      Logout URL : input

      Client Authentication : Client secret sent as post

      Client ID : input

      Client Secret : input

      (all others are default)

       

      set up some mappers

       

      Flows > Browser > Identity Provider Redirector > Actions > Config

      configured so that the login window is not shown

       

      and create client for jenkins

      Clients > New

      Access Type: confidential

      Root URL : input

      Valid Redirect URIs : input

      (all others are default)

       

      and create some mappers.

      That's it. Simple.

       

      Then I installed Jenkins and set up the connection with Keycloak.

       

      I tested many times, and here's my conclusion.

      case 1) user created manually, without an IdP link

      I found that the order is important:

      if "Create User If Unique" is below "Automatically Set Existing User", then it will not work properly.

       

      case 2) user does not exist

      Because I set "Create User If Unique" to "DISABLED" in "First Broker Login", I thought Keycloak would not create a new user account, but it does. The user account is created.

       

      case 3) when I set "Create User If Unique" to "DISABLED" in "Automatically Link"

      a new user will not be created, but an existing account that was created manually (with no IdP link) will not work properly,

      like case 1)

       

      Here's the error message:

      14:00:09,486 DEBUG [org.keycloak.services.resources.SessionCodeChecks] (default task-41) Will use client 'jenkins' in back-to-application link
      14:00:09,486 DEBUG [org.keycloak.services.util.CookieHelper] (default task-41) {1} cookie found in the requests header
      14:00:09,486 DEBUG [org.keycloak.services.util.CookieHelper] (default task-41) {1} cookie found in the cookies field
      14:00:09,486 DEBUG [org.keycloak.services.managers.AuthenticationSessionManager] (default task-41) Found AUTH_SESSION_ID cookie with value e0ab2e76-bc43-4d2e-97e9-14a8e0d67d34.keycloak-test-keyclo-0
      14:00:09,486 DEBUG [org.keycloak.authentication.AuthenticationProcessor] (default task-41) AUTHENTICATE
      14:00:09,486 DEBUG [org.keycloak.authentication.AuthenticationProcessor] (default task-41) AUTHENTICATE ONLY
      14:00:09,486 DEBUG [org.keycloak.authentication.DefaultAuthenticationFlow] (default task-41) processFlow: Automatically Link
      14:00:09,486 DEBUG [org.keycloak.authentication.DefaultAuthenticationFlow] (default task-41) check execution: 'idp-auto-link', requirement: 'ALTERNATIVE'
      14:00:09,486 DEBUG [org.keycloak.authentication.DefaultAuthenticationFlow] (default task-41) authenticator: idp-auto-link
      14:00:09,486 DEBUG [org.keycloak.authentication.AuthenticationSelectionResolver] (default task-41) Going through the flow 'Automatically Link' for adding executions
      14:00:09,486 DEBUG [org.keycloak.authentication.AuthenticationSelectionResolver] (default task-41) Selections when trying execution 'idp-auto-link' : [ authSelection - idp-auto-link]
      14:00:09,487 DEBUG [org.keycloak.authentication.DefaultAuthenticationFlow] (default task-41) invoke authenticator.authenticate: idp-auto-link
      14:00:09,487 WARN  [org.keycloak.services] (default task-41) KC-SERVICES0013: Failed authentication: org.keycloak.authentication.AuthenticationFlowException
       at org.keycloak.keycloak-services@11.0.2//org.keycloak.authentication.AuthenticationProcessor.authenticateOnly(AuthenticationProcessor.java:981)
       at org.keycloak.keycloak-services@11.0.2//org.keycloak.services.resources.LoginActionsService$1.authenticateOnly(LoginActionsService.java:798)
       at org.keycloak.keycloak-services@11.0.2//org.keycloak.authentication.AuthenticationProcessor.authenticate(AuthenticationProcessor.java:840)
       at org.keycloak.keycloak-services@11.0.2//org.keycloak.services.resources.LoginActionsService.processFlow(LoginActionsService.java:313)
       at org.keycloak.keycloak-services@11.0.2//org.keycloak.services.resources.LoginActionsService.brokerLoginFlow(LoginActionsService.java:828)
       at org.keycloak.keycloak-services@11.0.2//org.keycloak.services.resources.LoginActionsService.firstBrokerLoginGet(LoginActionsService.java:722)
       at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
       at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
       at java.base/jdk.internal.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
       at java.base/java.lang.reflect.Method.invoke(Method.java:566)
       at org.jboss.resteasy.resteasy-jaxrs@3.12.1.Final//org.jboss.resteasy.core.MethodInjectorImpl.invoke(MethodInjectorImpl.java:138)
       at org.jboss.resteasy.resteasy-jaxrs@3.12.1.Final//org.jboss.resteasy.core.ResourceMethodInvoker.internalInvokeOnTarget(ResourceMethodInvoker.java:543)
       at org.jboss.resteasy.resteasy-jaxrs@3.12.1.Final//org.jboss.resteasy.core.ResourceMethodInvoker.invokeOnTargetAfterFilter(ResourceMethodInvoker.java:432)
       at org.jboss.resteasy.resteasy-jaxrs@3.12.1.Final//org.jboss.resteasy.core.ResourceMethodInvoker.lambda$invokeOnTarget$0(ResourceMethodInvoker.java:393)
       at org.jboss.resteasy.resteasy-jaxrs@3.12.1.Final//org.jboss.resteasy.core.interception.PreMatchContainerRequestContext.filter(PreMatchContainerRequestContext.java:358)
       at org.jboss.resteasy.resteasy-jaxrs@3.12.1.Final//org.jboss.resteasy.core.ResourceMethodInvoker.invokeOnTarget(ResourceMethodInvoker.java:395)
       at org.jboss.resteasy.resteasy-jaxrs@3.12.1.Final//org.jboss.resteasy.core.ResourceMethodInvoker.invoke(ResourceMethodInvoker.java:364)
       at org.jboss.resteasy.resteasy-jaxrs@3.12.1.Final//org.jboss.resteasy.core.ResourceLocatorInvoker.invokeOnTargetObject(ResourceLocatorInvoker.java:150)
       at org.jboss.resteasy.resteasy-jaxrs@3.12.1.Final//org.jboss.resteasy.core.ResourceLocatorInvoker.invoke(ResourceLocatorInvoker.java:104)
       at org.jboss.resteasy.resteasy-jaxrs@3.12.1.Final//org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:440)
       at org.jboss.resteasy.resteasy-jaxrs@3.12.1.Final//org.jboss.resteasy.core.SynchronousDispatcher.lambda$invoke$4(SynchronousDispatcher.java:229)
       at org.jboss.resteasy.resteasy-jaxrs@3.12.1.Final//org.jboss.resteasy.core.SynchronousDispatcher.lambda$preprocess$0(SynchronousDispatcher.java:135)
       at org.jboss.resteasy.resteasy-jaxrs@3.12.1.Final//org.jboss.resteasy.core.interception.PreMatchContainerRequestContext.filter(PreMatchContainerRequestContext.java:358)
       at org.jboss.resteasy.resteasy-jaxrs@3.12.1.Final//org.jboss.resteasy.core.SynchronousDispatcher.preprocess(SynchronousDispatcher.java:138)
       at org.jboss.resteasy.resteasy-jaxrs@3.12.1.Final//org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:215)
       at org.jboss.resteasy.resteasy-jaxrs@3.12.1.Final//org.jboss.resteasy.plugins.server.servlet.ServletContainerDispatcher.service(ServletContainerDispatcher.java:245)
       at org.jboss.resteasy.resteasy-jaxrs@3.12.1.Final//org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:61)
       at org.jboss.resteasy.resteasy-jaxrs@3.12.1.Final//org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:56)
       at javax.servlet.api@2.0.0.Final//javax.servlet.http.HttpServlet.service(HttpServlet.java:590)
       at io.undertow.servlet@2.1.3.Final//io.undertow.servlet.handlers.ServletHandler.handleRequest(ServletHandler.java:74)
       at io.undertow.servlet@2.1.3.Final//io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:129)
       at org.keycloak.keycloak-wildfly-extensions@11.0.2//org.keycloak.provider.wildfly.WildFlyRequestFilter.lambda$doFilter$0(WildFlyRequestFilter.java:41)
       at org.keycloak.keycloak-services@11.0.2//org.keycloak.services.filters.AbstractRequestFilter.filter(AbstractRequestFilter.java:43)
       at org.keycloak.keycloak-wildfly-extensions@11.0.2//org.keycloak.provider.wildfly.WildFlyRequestFilter.doFilter(WildFlyRequestFilter.java:39)
       at io.undertow.servlet@2.1.3.Final//io.undertow.servlet.core.ManagedFilter.doFilter(ManagedFilter.java:61)
       at io.undertow.servlet@2.1.3.Final//io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:131)
       at io.undertow.servlet@2.1.3.Final//io.undertow.servlet.handlers.FilterHandler.handleRequest(FilterHandler.java:84)
       at io.undertow.servlet@2.1.3.Final//io.undertow.servlet.handlers.security.ServletSecurityRoleHandler.handleRequest(ServletSecurityRoleHandler.java:62)
       at io.undertow.servlet@2.1.3.Final//io.undertow.servlet.handlers.ServletChain$1.handleRequest(ServletChain.java:68)
       at io.undertow.servlet@2.1.3.Final//io.undertow.servlet.handlers.ServletDispatchingHandler.handleRequest(ServletDispatchingHandler.java:36)
       at org.wildfly.extension.undertow@20.0.1.Final//org.wildfly.extension.undertow.security.SecurityContextAssociationHandler.handleRequest(SecurityContextAssociationHandler.java:78)
       at io.undertow.core@2.1.3.Final//io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
       at io.undertow.servlet@2.1.3.Final//io.undertow.servlet.handlers.RedirectDirHandler.handleRequest(RedirectDirHandler.java:68)
       at io.undertow.servlet@2.1.3.Final//io.undertow.servlet.handlers.security.SSLInformationAssociationHandler.handleRequest(SSLInformationAssociationHandler.java:132)
       at io.undertow.servlet@2.1.3.Final//io.undertow.servlet.handlers.security.ServletAuthenticationCallHandler.handleRequest(ServletAuthenticationCallHandler.java:57)
       at io.undertow.core@2.1.3.Final//io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
       at io.undertow.core@2.1.3.Final//io.undertow.security.handlers.AbstractConfidentialityHandler.handleRequest(AbstractConfidentialityHandler.java:46)
       at io.undertow.servlet@2.1.3.Final//io.undertow.servlet.handlers.security.ServletConfidentialityConstraintHandler.handleRequest(ServletConfidentialityConstraintHandler.java:64)
       at io.undertow.core@2.1.3.Final//io.undertow.security.handlers.AuthenticationMechanismsHandler.handleRequest(AuthenticationMechanismsHandler.java:60)
       at io.undertow.servlet@2.1.3.Final//io.undertow.servlet.handlers.security.CachedAuthenticatedSessionHandler.handleRequest(CachedAuthenticatedSessionHandler.java:77)
       at io.undertow.core@2.1.3.Final//io.undertow.security.handlers.NotificationReceiverHandler.handleRequest(NotificationReceiverHandler.java:50)
       at io.undertow.core@2.1.3.Final//io.undertow.security.handlers.AbstractSecurityContextAssociationHandler.handleRequest(AbstractSecurityContextAssociationHandler.java:43)
       at io.undertow.core@2.1.3.Final//io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
       at org.wildfly.extension.undertow@20.0.1.Final//org.wildfly.extension.undertow.security.jacc.JACCContextIdHandler.handleRequest(JACCContextIdHandler.java:61)
       at io.undertow.core@2.1.3.Final//io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
       at org.wildfly.extension.undertow@20.0.1.Final//org.wildfly.extension.undertow.deployment.GlobalRequestControllerHandler.handleRequest(GlobalRequestControllerHandler.java:68)
       at io.undertow.core@2.1.3.Final//io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
       at io.undertow.core@2.1.3.Final//io.undertow.server.handlers.MetricsHandler.handleRequest(MetricsHandler.java:64)
       at io.undertow.servlet@2.1.3.Final//io.undertow.servlet.core.MetricsChainHandler.handleRequest(MetricsChainHandler.java:59)
       at io.undertow.servlet@2.1.3.Final//io.undertow.servlet.handlers.ServletInitialHandler.handleFirstRequest(ServletInitialHandler.java:269)
       at io.undertow.servlet@2.1.3.Final//io.undertow.servlet.handlers.ServletInitialHandler.access$100(ServletInitialHandler.java:78)
       at io.undertow.servlet@2.1.3.Final//io.undertow.servlet.handlers.ServletInitialHandler$2.call(ServletInitialHandler.java:133)
       at io.undertow.servlet@2.1.3.Final//io.undertow.servlet.handlers.ServletInitialHandler$2.call(ServletInitialHandler.java:130)
       at io.undertow.servlet@2.1.3.Final//io.undertow.servlet.core.ServletRequestContextThreadSetupAction$1.call(ServletRequestContextThreadSetupAction.java:48)
       at io.undertow.servlet@2.1.3.Final//io.undertow.servlet.core.ContextClassLoaderSetupAction$1.call(ContextClassLoaderSetupAction.java:43)
       at org.wildfly.extension.undertow@20.0.1.Final//org.wildfly.extension.undertow.security.SecurityContextThreadSetupAction.lambda$create$0(SecurityContextThreadSetupAction.java:105)
       at org.wildfly.extension.undertow@20.0.1.Final//org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction.lambda$create$0(UndertowDeploymentInfoService.java:1530)
       at org.wildfly.extension.undertow@20.0.1.Final//org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction.lambda$create$0(UndertowDeploymentInfoService.java:1530)
       at org.wildfly.extension.undertow@20.0.1.Final//org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction.lambda$create$0(UndertowDeploymentInfoService.java:1530)
       at org.wildfly.extension.undertow@20.0.1.Final//org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction.lambda$create$0(UndertowDeploymentInfoService.java:1530)
       at io.undertow.servlet@2.1.3.Final//io.undertow.servlet.handlers.ServletInitialHandler.dispatchRequest(ServletInitialHandler.java:249)
       at io.undertow.servlet@2.1.3.Final//io.undertow.servlet.handlers.ServletInitialHandler.access$000(ServletInitialHandler.java:78)
       at io.undertow.servlet@2.1.3.Final//io.undertow.servlet.handlers.ServletInitialHandler$1.handleRequest(ServletInitialHandler.java:99)
       at io.undertow.core@2.1.3.Final//io.undertow.server.Connectors.executeRootHandler(Connectors.java:370)
       at io.undertow.core@2.1.3.Final//io.undertow.server.HttpServerExchange$1.run(HttpServerExchange.java:830)
       at org.jboss.threads@2.3.3.Final//org.jboss.threads.ContextClassLoaderSavingRunnable.run(ContextClassLoaderSavingRunnable.java:35)
       at org.jboss.threads@2.3.3.Final//org.jboss.threads.EnhancedQueueExecutor.safeRun(EnhancedQueueExecutor.java:1982)
       at org.jboss.threads@2.3.3.Final//org.jboss.threads.EnhancedQueueExecutor$ThreadBody.doRunTask(EnhancedQueueExecutor.java:1486)
       at org.jboss.threads@2.3.3.Final//org.jboss.threads.EnhancedQueueExecutor$ThreadBody.run(EnhancedQueueExecutor.java:1377)
       at java.base/java.lang.Thread.run(Thread.java:834)
      14:00:09,487 WARN  [org.keycloak.events] (default task-41) type=IDENTITY_PROVIDER_FIRST_LOGIN_ERROR, realmId=test, clientId=jenkins, userId=null, ipAddress=10.251.186.xx, error=invalid_user_credentials, identity_provider=adsso, auth_method=openid-connect, redirect_uri=https://company.net/jenkins-test/securityRealm/finishLogin, identity_provider_identity=y9psfxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx, code_id=e0ab2e76-bc43-4d2e-d67d34, authSessionParentId=e0abd67d34, authSessionTabId=6nueGA
      

       

      For now, I think that I cannot use this policy (only permitting existing, manually created users),

      and can only control access using roles or groups.
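Added example (not part of the report and not Keycloak's own code): a small Python audit of the first broker login flow that an identity provider actually uses, checked against the three cases described above. It assumes the Keycloak 11 admin REST API endpoints named in its comments, and it assumes, from reading the Keycloak source rather than from anything stated in the report, that `idp-auto-link` (Automatically Set Existing User) only acts on the duplicate-user record that `idp-create-user-if-unique` (Create User If Unique) stores in the auth session earlier in the same flow, which would explain why the order matters and why disabling the create step also breaks linking of existing users. The execution lists and the IdP representation embedded below are constructed to mirror the report; the base URL, realm, IdP alias and admin credentials are placeholders read from the environment.

```python
"""Audit the first-broker-login flow an IdP really uses (added example).

Assumed Keycloak 11 admin REST API (WildFly base URL, e.g. http://localhost:8080/auth):
  POST /realms/master/protocol/openid-connect/token                  (admin-cli password grant)
  GET  /admin/realms/{realm}/identity-provider/instances/{alias}
  GET  /admin/realms/{realm}/authentication/flows/{flowAlias}/executions

Assumption from the Keycloak source: idp-auto-link links only the user that
idp-create-user-if-unique found earlier in the same flow and noted in the auth
session. Link step first, or create step DISABLED: nothing to act on, flow fails.
"""
import json
import os
import urllib.parse
import urllib.request

CREATE_IF_UNIQUE = "idp-create-user-if-unique"    # "Create User If Unique"
AUTO_LINK = "idp-auto-link"                       # "Automatically Set Existing User"
DEFAULT_FIRST_BROKER_FLOW = "first broker login"  # alias of the built-in flow


def flow_used_by_idp(idp):
    """Flow alias that matters for this IdP (case 2: editing the built-in
    'first broker login' flow changes nothing when the IdP points elsewhere)."""
    return idp.get("firstBrokerLoginFlowAlias") or DEFAULT_FIRST_BROKER_FLOW


def audit_flow_executions(executions):
    """Return a list of problems in a flow's execution list (empty = OK).

    `executions` is the JSON array from .../flows/{alias}/executions; each
    entry carries providerId, requirement, index and level. Only top-level
    executions (level 0) are examined.
    """
    problems = []
    top = sorted((e for e in executions if e.get("level", 0) == 0),
                 key=lambda e: e.get("index", 0))
    by_provider = {e.get("providerId"): e for e in top}
    create, link = by_provider.get(CREATE_IF_UNIQUE), by_provider.get(AUTO_LINK)

    if link is None:
        problems.append(f"{AUTO_LINK} missing: existing users will never be linked")
    if create is None:
        problems.append(f"{CREATE_IF_UNIQUE} missing: {AUTO_LINK} gets no duplicate-user info")
    if link is None or create is None:
        return problems

    # Case 1: the link step must come after the create step.
    if top.index(link) < top.index(create):
        problems.append(f"{AUTO_LINK} (index {link.get('index')}) runs before "
                        f"{CREATE_IF_UNIQUE} (index {create.get('index')}); move the create step up")

    # Case 3: disabling the create step starves the link step.
    if create.get("requirement") == "DISABLED":
        problems.append(f"{CREATE_IF_UNIQUE} is DISABLED, so {AUTO_LINK} fails for "
                        "existing users without an IdP link")

    # The documented recipe sets both steps to ALTERNATIVE.
    for step in (create, link):
        if step.get("requirement") not in ("ALTERNATIVE", "DISABLED"):
            problems.append(f"{step['providerId']} is {step.get('requirement')}, expected ALTERNATIVE")
    return problems


def admin_token(base_url, username, password):
    body = urllib.parse.urlencode({"grant_type": "password", "client_id": "admin-cli",
                                   "username": username, "password": password}).encode()
    req = urllib.request.Request(f"{base_url}/realms/master/protocol/openid-connect/token", data=body,
                                 headers={"Content-Type": "application/x-www-form-urlencoded"})
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)["access_token"]


def admin_get(base_url, token, path):
    req = urllib.request.Request(f"{base_url}/admin/realms/{path}",
                                 headers={"Authorization": f"Bearer {token}"})
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)


def audit_idp(base_url, token, realm, idp_alias):
    """Fetch the IdP, resolve the flow it points at, and audit that flow."""
    idp = admin_get(base_url, token, f"{realm}/identity-provider/instances/{urllib.parse.quote(idp_alias)}")
    flow = flow_used_by_idp(idp)
    execs = admin_get(base_url, token, f"{realm}/authentication/flows/{urllib.parse.quote(flow)}/executions")
    return flow, audit_flow_executions(execs)


# Constructed execution lists mirroring the report (not real server output).
REPORTED_ORDER = [    # case 1: link step added first, create step second
    {"providerId": AUTO_LINK, "requirement": "ALTERNATIVE", "index": 0, "level": 0},
    {"providerId": CREATE_IF_UNIQUE, "requirement": "ALTERNATIVE", "index": 1, "level": 0}]
DOCUMENTED_ORDER = [  # the order the documented recipe uses
    {"providerId": CREATE_IF_UNIQUE, "requirement": "ALTERNATIVE", "index": 0, "level": 0},
    {"providerId": AUTO_LINK, "requirement": "ALTERNATIVE", "index": 1, "level": 0}]
CREATE_DISABLED = [   # case 3: create step disabled inside the custom flow
    {"providerId": CREATE_IF_UNIQUE, "requirement": "DISABLED", "index": 0, "level": 0},
    {"providerId": AUTO_LINK, "requirement": "ALTERNATIVE", "index": 1, "level": 0}]
REPORTED_IDP = {"alias": "adsso", "firstBrokerLoginFlowAlias": "Automatically Link"}  # case 2

if __name__ == "__main__":
    for name, execs in (("reported order", REPORTED_ORDER), ("documented order", DOCUMENTED_ORDER),
                        ("create step disabled", CREATE_DISABLED)):
        print(name, "->", audit_flow_executions(execs) or "OK")
    print("IdP 'adsso' uses flow:", flow_used_by_idp(REPORTED_IDP))
    if os.environ.get("KC_URL"):  # live audit: KC_URL, KC_ADMIN, KC_PASSWORD, KC_REALM, KC_IDP
        tok = admin_token(os.environ["KC_URL"], os.environ["KC_ADMIN"], os.environ["KC_PASSWORD"])
        print(audit_idp(os.environ["KC_URL"], tok, os.environ["KC_REALM"], os.environ["KC_IDP"]))
```

Run it without environment variables to see the three constructed cases evaluated offline; with `KC_URL` and the other variables set it pulls the IdP and its flow from a live server and reports the same checks. It audits, it does not change the flow; reordering is left to the admin console (or the raise-priority endpoint) so the change stays visible in the audit log.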

      People

      • Assignee: Unassigned
      • Reporter: horangs Hokwang Lee