  1. Keycloak
  2. KEYCLOAK-7950

Users endpoint with pagination does not return all visible users when using fine-grained permissions


Details

    • Keycloak Sprint 12, Keycloak Sprint 13

      We reduced our problem to the following scenario:
      Preconditions:
      1. create 100 users
      2. create group1 with user1, user2, and user99
      3. give user1 the permission to view users from group1 (realm-management.query-users + permission/policy matching user1 with scope view-members)

      Steps to reproduce:
      1. login to the Keycloak Admin Console as user1
      2. go to Manage -> Users and click "view all users" (GET /auth/admin/realms/master/users)

      Observed Behavior:
      1. Admin Console displays user1 and user2 (response contains user1, user2)

      Expected Behavior:
      1. Admin Console displays user1, user2 and user99 (response contains user1, user2, user99)

    • NEW

    Description

      We are currently experiencing issues with the "View all users" functionality of the Keycloak Admin Console and the respective API call to /auth/admin/realms/{realm}/users. In our case an administrator does not get all users for which he/she has the permission to view them.

      After further investigation we came to the conclusion that there is a problem/bug in the Keycloak Admin API which affects the interaction between the Admin Console and Keycloak.

      tl;dr The Keycloak Admin Console initially requests only the first 20 users. Keycloak then queries the first 20 available users. Before returning the list, Keycloak filters out all users for which the requesting user has no authorization to view them. Therefore, the Admin Console might receive a list with fewer than the expected number of users which does not contain all viewable users. The web interface then assumes that it received all available users and does not offer the option to query the remaining user database (e.g. by displaying a "next" button), and might therefore miss some of the available users.

      Analysis:
      The Keycloak Admin Console performs a GET request to /auth/admin/realms/master/users?first=0&max=20 when the user clicks on "View all users" in the user overview (Manage -> Users).

      In Keycloak the method getUsers() from the class 'org.keycloak.services.resources.admin.UsersResources' handles the mentioned request to /users. The getUsers() method then retrieves the first users. The query is limited between the elements defined by the parameters 'first' and 'max'. For instance, in the query from the Admin Console, getUsers() tries to get the first 20 users.

      Afterwards, getUsers() checks for each of the users returned by the query whether the user that performed the request is allowed to view them. In the example described above (user1 can see group1 with user1, user2 and user99) the query returns the users 1 to 20. getUsers() then filters out all users except user1 and user2, because user1 has no permission to view the other queried users. Since user99 was not among the queried users, it is not part of the returned user list either, even though he/she is among the first 20 viewable users.

      Keycloak then only returns the list of queried users for which the requesting user has the permission to view them. The user who performed the request is not able to recognize that the returned list is missing viewable users. Since the number of received users is less than the number of requested users, the Admin Console seems to further assume that there are no more viewable users in the Keycloak system. Because of that the Admin Console does not offer options for pagination and does not display a hint that there might be missing users.

      For us there are at least three variants to solve this issue:
      1. Keycloak should query for users until it reaches the number of requested viewable users or until it has evaluated all available users (-> can lead to performance issues with an increasing number of users, in the worst case Keycloak needs to pull all users out of the database just to find out the current user might see none)
      2. Do the same thing but in the Admin Console (-> no changes in Keycloak but lots of requests, probably an even worse idea)
      3. Since groups are the resources a user needs to have view-members scope to see users, retrieve all groups from the database, filter out groups without view-members scope and then do a join by group membership and limit the result by paging. (-> less generalized approach, probably better performance as long as there are not too many groups)

      We are currently thinking about prototyping a solution for option 3.
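      The interaction described in the analysis, next to fix variants 1 and 3, modelled as an added example (this is not Keycloak's own code); the 100 users, group1 and the `can_view` rule are constructed from the scenario in this report:

```python
"""Model of the KEYCLOAK-7950 paging/authorization interaction.

Added example, not Keycloak code. Constructed fixture: 100 users in DB
order, group1 = {user1, user2, user99}, and user1 holding the
view-members scope only on group1.
"""
from typing import Dict, List, Set

ALL_USERS: List[str] = [f"user{i}" for i in range(100)]  # constructed DB order
GROUP_MEMBERS: Dict[str, Set[str]] = {"group1": {"user1", "user2", "user99"}}
# groups on which a requester holds view-members (constructed)
VIEWABLE_GROUPS: Dict[str, Set[str]] = {"user1": {"group1"}}


def can_view(requester: str, target: str) -> bool:
    """Fine-grained check as described in the report: the requester may view
    the target if the target is a member of a group the requester can view."""
    return any(target in GROUP_MEMBERS[g] for g in VIEWABLE_GROUPS.get(requester, ()))


def get_users_buggy(requester: str, first: int, max_: int) -> List[str]:
    """Behaviour described in the report: page first, authorize afterwards.
    The page is cut at `max_` rows before authorization, so viewable users
    beyond the page are lost and the short result looks like the last page."""
    page = ALL_USERS[first:first + max_]
    return [u for u in page if can_view(requester, u)]


def get_users_fill_page(requester: str, first: int, max_: int, batch: int = 20) -> List[str]:
    """Variant 1: keep pulling raw batches until `max_` viewable users are
    collected or the table is exhausted. Correct, but in the worst case it
    scans every row to learn that the requester may see none of them."""
    found: List[str] = []
    offset = 0
    while len(found) < first + max_ and offset < len(ALL_USERS):
        found.extend(u for u in ALL_USERS[offset:offset + batch] if can_view(requester, u))
        offset += batch
    return found[first:first + max_]


def get_users_authz_first(requester: str, first: int, max_: int) -> List[str]:
    """Variant 3: resolve the viewable set via group membership first, then
    apply `first`/`max` to that set, so paging and counting are exact."""
    visible = {u for g in VIEWABLE_GROUPS.get(requester, ()) for u in GROUP_MEMBERS[g]}
    ordered = [u for u in ALL_USERS if u in visible]  # keep DB order for stable pages
    return ordered[first:first + max_]
```

Running the three functions with `("user1", 0, 20)` reproduces the report: the buggy variant returns only user1 and user2, while both fixes also return user99.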

          People

            psilva@redhat.com Pedro Igor Craveiro
            sebastianschuster Sebastian Schuster