[keycloak-user] User roles deleted after SSO idle session expires
MEHDi CHAABOUNi
mehdi.chaabouni at gmail.com
Wed Mar 20 10:00:46 EDT 2019
Hi,
I'm using Azure Active Directory to authenticate users and I have setup
custom mappers to import roles (mapping groups from Active Directory to
Keycloak roles).
I'm pretty sure the scenario was not working before. There was a lot of
development on the front-end application so we didn't notice the problem
until we started using it.
When the problem occurs for a user, he's still logged in to the application
but all the features are disabled because he has no role (The assigned
roles section in keycloak is empty).
The logs I sent yesterday mention:
DEBUG [org.keycloak.services.resources.IdentityBrokerService] (default
task-1) Token will not be stored for identity provider [microsoft]
which is logged in the method
IdentityBrokerService.authenticated(BrokeredIdentityContext context)
Going through that method, I found this piece of code:
Set<IdentityProviderMapperModel> mappers =
realmModel.getIdentityProviderMappersByAlias(context.getIdpConfig().getAlias());
if (mappers != null) {
KeycloakSessionFactory sessionFactory = session.getKeycloakSessionFactory();
for (IdentityProviderMapperModel mapper : mappers) {
IdentityProviderMapper target =
(IdentityProviderMapper)sessionFactory.getProviderFactory(IdentityProviderMapper.class,
mapper.getIdentityProviderMapper());
target.preprocessFederatedIdentity(session, realmModel,
mapper, context);
}
}
That's why I suspect that the mappers are not triggered.
Thanks!
On Wed, Mar 20, 2019 at 8:11 AM Pedro Igor Silva <psilva at redhat.com> wrote:
> Hi,
>
> Are you using a broker to authenticate your users ? Your setup is not
> clear if that is the case, so I'm not sure if the method you pointed out is
> related.
>
> Can you confirm that this scenario was working before?
>
> By losing roles, you mean they are not within the access token?
>
> Regards.
> Pedro Igor
>
>
>
> On Tue, Mar 19, 2019 at 9:16 AM MEHDi CHAABOUNi <mehdi.chaabouni at gmail.com>
> wrote:
>
>> Hi,
>>
>> This is our Keycloak setup:
>>
>> - Keycloak docker container 4.4.0.Final
>> - Azure Active Directory (mapping groups to roles)
>> - Keycloak client protocol: openid-connect
>> - 3 optional client scopes
>
>
>>
>>
>> We noticed lately that users using the front-end application (angular) are
>> losing all roles after the SSO idle session expires.
>> This behaviour is also seen in the 4.8.3.Final version.
>> It seems that the Identity Provider Mappers are not triggered for some
>> reason and I can't dig any deeper nothing much is logged in the method
>> IdentityBrokerService.authenticated(BrokeredIdentityContext context).
>>
>> Any ideas?
>> How can I run Keycloak form source?
>>
> _______________________________________________
>> keycloak-user mailing list
>> keycloak-user at lists.jboss.org
>> https://lists.jboss.org/mailman/listinfo/keycloak-user
>
>
More information about the keycloak-user
mailing list