[keycloak-user] Creating a federated user via REST API creates an incorrect entry in the CREDENTIAL table

Rainer-Harbach Marian marian.rainer-harbach at apa.at
Wed Sep 13 03:36:06 EDT 2017


Hi everyone,

about two weeks ago I stumbled upon a phenomenon which I believe to be a 
bug in Keycloak. The error occurs when creating a new user via the REST 
API in a realm configured with LDAP user federation: The user is created 
in LDAP, but without a password -- instead, Keycloak creates an entry 
for the user in its internal CREDENTIAL database table.

When the user later changes their password, Keycloak writes the new 
password to LDAP, but keeps the old entry in the CREDENTIAL table. The 
user can then still only log in with the old password.

I created a Jira ticket for this problem:
https://issues.jboss.org/browse/KEYCLOAK-5383

It would be very helpful to us if someone could check if they can 
reproduce the problem (maybe we are doing something wrong?) and, if it's 
indeed a bug in Keycloak, to give an estimate when it might be fixed.

The bug is a blocker in our project to deploy Keycloak for about 100k users.

Thanks,
Marian
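
The condition reported in this message (a federated user who also has a local password row) can be audited in the Keycloak database. The following is an added example, not part of the original post and not Keycloak's own code. It assumes the columns USER_ENTITY.FEDERATION_LINK and CREDENTIAL.USER_ID, TYPE and CREATED_DATE; the `ldap_owned_links` parameter, the provider ids and the sample rows are constructed for illustration.

```python
import sqlite3

# Assumed schema subset: USER_ENTITY(ID, USERNAME, REALM_ID, FEDERATION_LINK)
# and CREDENTIAL(ID, USER_ID, TYPE, CREATED_DATE). Verify against your Keycloak version.
AUDIT_SQL = """
SELECT u.REALM_ID, u.USERNAME, u.FEDERATION_LINK, c.CREATED_DATE
FROM USER_ENTITY u
JOIN CREDENTIAL c ON c.USER_ID = u.ID
WHERE u.FEDERATION_LINK IS NOT NULL AND c.TYPE = 'password'
ORDER BY u.REALM_ID, u.USERNAME
"""

def find_shadow_credentials(conn, ldap_owned_links=None):
    """Federated users that also hold a local password row.

    ldap_owned_links: optional set of provider ids whose passwords are
    expected to live only in LDAP; None means report every federated user.
    """
    rows = conn.execute(AUDIT_SQL).fetchall()
    return [
        {"realm": r[0], "username": r[1], "provider": r[2], "created_ms": r[3]}
        for r in rows
        if ldap_owned_links is None or r[2] in ldap_owned_links
    ]

def build_sample_db():
    """Constructed sample data, not taken from a real deployment."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE USER_ENTITY (ID TEXT PRIMARY KEY, USERNAME TEXT,
                                  REALM_ID TEXT, FEDERATION_LINK TEXT);
        CREATE TABLE CREDENTIAL (ID TEXT PRIMARY KEY, USER_ID TEXT,
                                 TYPE TEXT, CREATED_DATE INTEGER);
        INSERT INTO USER_ENTITY VALUES
          ('u1', 'alice', 'demo', 'ldap-writable'),  -- created via REST API
          ('u2', 'bob',   'demo', NULL),             -- plain local user
          ('u3', 'carol', 'demo', 'ldap-writable'),  -- password only in LDAP
          ('u4', 'dave',  'demo', 'ldap-unsynced');  -- local password expected
        INSERT INTO CREDENTIAL VALUES
          ('c1', 'u1', 'password', 1505288166000),
          ('c2', 'u2', 'password', 1505288166000),
          ('c3', 'u4', 'password', 1505288166000),
          ('c4', 'u3', 'totp',     1505288166000);
    """)
    return conn

if __name__ == "__main__":
    for hit in find_shadow_credentials(build_sample_db(), {"ldap-writable"}):
        print(hit)
```

A hit is only anomalous for providers where LDAP is meant to hold the password; a provider that deliberately keeps changes local would be left out of `ldap_owned_links`.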


