Red Hat build of Keycloak
RHBK-1681

[GHI#29426] Potential bug introduced to JavaKeystoreKeyProvider in #26936


      Before reporting an issue

      [X] I have read and understood the above terms for submitting issues, and I understand that my issue may be closed without action if I do not follow them.

      Area

      admin/api

      Describe the bug

      Hi,

      I am one of the maintainers of the https://github.com/silentpartnersoftware/Keycloak.Net/ repo, which provides a .NET client for interacting with the Keycloak API.

      Starting in version 24, one of our users noticed that the serverinfo endpoint is no longer parsing correctly. I have traced this back to the "Intended algorithm for the key" property, which used to have a list of options, with a default value of "RS256", but now has a list of default values and no options.

      v23.0.4
      [image]

      v24.0.4
      [image]

      I am not sure if this change was intentional or not, but it appears as though this change was likely introduced in the PR:
      "Support EC Key-Imports for the JavaKeystoreKeyProvider #26936" (#27030)

      Specifically at this line:
      ```java
      // merge the algorithms supported for RSA and EC keys and provide them as one configuration property
      private static ProviderConfigProperty mergedAlgorithmProperties() {
          List<String> ecAlgorithms = List.of(Algorithm.ES256, Algorithm.ES384, Algorithm.ES512);
          List<String> algorithms = Stream.concat(Attributes.RS_ALGORITHM_PROPERTY.getOptions().stream(), ecAlgorithms.stream()).toList();
          return new ProviderConfigProperty(Attributes.ALGORITHM_KEY, "Algorithm", "Intended algorithm for the key", LIST_TYPE, algorithms.toArray());
      }
      ```

      I believe that the incorrect ProviderConfigProperty constructor was called, and instead of passing in a defaultValue, followed by the options, the defaultValue was omitted and the options became the defaultValue. The type for the defaultValue parameter is Object, so it would be possible to accidentally pass in a List instead of a String.

      The constructor used was the one on line 84, but I suspect the intention was to use the one on line 92.

      If this change was intentional then this issue can be closed, if not it would be appreciated if this could be resolved.

      Thanks,
      Campbell

      Version

      24.0.4

      Regression

      [X] The issue is a regression

      Expected behavior

      "Intended algorithm for the key" should have a defaultValue and options

      Actual behavior

      "Intended algorithm for the key" options are unintentionally stored in the defaultValue property, and no options (or correct defaultValue) are provided

      How to Reproduce?

      Call the /admin/serverinfo endpoint and look at the structure of "Intended algorithm for the key" in both 23.0.4 and 24.0.4.

      Path componentTypes['org.keycloak.keys.KeyProvider'][4].properties[3].defaultValue

      Anything else?

      No response
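The overload trap the report describes, as an added example that is not Keycloak's own code: a minimal stand-in class models the two constructor shapes the report refers to (a five-argument one taking only `defaultValue`, and a varargs one taking `defaultValue` followed by `options`; the real signatures in `ProviderConfigProperty` may differ in detail), and the RSA option list is a constructed sample. It shows why `algorithms.toArray()` ends up in `defaultValue`, and the call shape that populates both fields.

```java
import java.util.Arrays;
import java.util.List;
import java.util.stream.Stream;

// Hypothetical stand-in for ProviderConfigProperty, modelling only the two overloads discussed.
class ConfigProperty {
    final String name, label, helpText, type;
    final Object defaultValue;      // declared as Object, exactly the trap described
    final List<String> options;

    // "line 84" shape: default value only, no options
    ConfigProperty(String name, String label, String helpText, String type, Object defaultValue) {
        this(name, label, helpText, type, defaultValue, (String[]) null);
    }

    // "line 92" shape: default value followed by the option list as varargs
    ConfigProperty(String name, String label, String helpText, String type, Object defaultValue, String... options) {
        this.name = name; this.label = label; this.helpText = helpText; this.type = type;
        this.defaultValue = defaultValue;
        this.options = options == null ? null : List.of(options);
    }
}

public class OverloadTrap {
    static final String LIST_TYPE = "List";

    public static void main(String[] args) {
        // Constructed sample of the merged RSA + EC option list
        List<String> algorithms = Stream.concat(
                Stream.of("RS256", "RS384", "RS512"),
                Stream.of("ES256", "ES384", "ES512")).toList();

        // Buggy call: toArray() returns Object[], which is assignable to the single Object
        // parameter, so the compiler selects the five-argument overload before it even
        // considers varargs. The whole option list becomes the default; options stays empty.
        ConfigProperty buggy = new ConfigProperty("algorithm", "Algorithm",
                "Intended algorithm for the key", LIST_TYPE, algorithms.toArray());
        System.out.println("buggy.defaultValue = " + Arrays.toString((Object[]) buggy.defaultValue));
        System.out.println("buggy.options      = " + buggy.options);

        // Fixed call: name the default explicitly and pass the options as String[] varargs.
        ConfigProperty fixed = new ConfigProperty("algorithm", "Algorithm",
                "Intended algorithm for the key", LIST_TYPE, "RS256", algorithms.toArray(new String[0]));
        System.out.println("fixed.defaultValue = " + fixed.defaultValue);
        System.out.println("fixed.options      = " + fixed.options);
    }
}
```

A client that deserialises `properties[].defaultValue` into a string will break on the buggy shape, which is the symptom the report observed in the .NET client.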

              Assignee: Unassigned
              Reporter: pvlha Pavel Vlha
              Component: Keycloak Core Clients