[keycloak-user] User roles deleted after SSO idle session expires
Pedro Igor Silva
psilva at redhat.com
Wed Mar 20 10:42:33 EDT 2019
Your custom mappers are client mappers or identity provider mappers ? It
does not make sense an empty list of mappers if you have defined mappers to
your identity provider.
On Wed, Mar 20, 2019 at 11:01 AM MEHDi CHAABOUNi <mehdi.chaabouni at gmail.com>
wrote:
> Hi,
>
> I'm using Azure Active Directory to authenticate users and I have setup
> custom mappers to import roles (mapping groups from Active Directory to
> Keycloak roles).
> I'm pretty sure the scenario was not working before. There was a lot of
> development on the front-end application so we didn't notice the problem
> until we started using it.
> When the problem occurs for a user, he's still logged in to the
> application but all the features are disabled because he has no role (The
> assigned roles section in keycloak is empty).
>
> The logs I sent yesterday mention:
> DEBUG [org.keycloak.services.resources.IdentityBrokerService] (default
> task-1) Token will not be stored for identity provider [microsoft]
>
> which is logged in the method
> IdentityBrokerService.authenticated(BrokeredIdentityContext context)
>
> Going through that method, I found this piece of code:
>
> Set<IdentityProviderMapperModel> mappers = realmModel.getIdentityProviderMappersByAlias(context.getIdpConfig().getAlias());
> if (mappers != null) {
> KeycloakSessionFactory sessionFactory = session.getKeycloakSessionFactory();
> for (IdentityProviderMapperModel mapper : mappers) {
> IdentityProviderMapper target = (IdentityProviderMapper)sessionFactory.getProviderFactory(IdentityProviderMapper.class, mapper.getIdentityProviderMapper());
> target.preprocessFederatedIdentity(session, realmModel, mapper, context);
> }
> }
>
> That's why I suspect that the mappers are not triggered.
>
> Thanks!
>
>
>
>
> On Wed, Mar 20, 2019 at 8:11 AM Pedro Igor Silva <psilva at redhat.com>
> wrote:
>
>> Hi,
>>
>> Are you using a broker to authenticate your users ? Your setup is not
>> clear if that is the case, so I'm not sure if the method you pointed out is
>> related.
>>
>> Can you confirm that this scenario was working before?
>>
>> By losing roles, you mean they are not within the access token?
>>
>> Regards.
>> Pedro Igor
>>
>>
>>
>> On Tue, Mar 19, 2019 at 9:16 AM MEHDi CHAABOUNi <
>> mehdi.chaabouni at gmail.com> wrote:
>>
>>> Hi,
>>>
>>> This is our Keycloak setup:
>>>
>>> - Keycloak docker container 4.4.0.Final
>>> - Azure Active Directory (mapping groups to roles)
>>> - Keycloak client protocol: openid-connect
>>> - 3 optional client scopes
>>
>>
>>>
>>>
>>> We noticed lately that users using the front-end application (angular)
>>> are
>>> losing all roles after the SSO idle session expires.
>>> This behaviour is also seen in the 4.8.3.Final version.
>>> It seems that the Identity Provider Mappers are not triggered for some
>>> reason and I can't dig any deeper nothing much is logged in the method
>>> IdentityBrokerService.authenticated(BrokeredIdentityContext context).
>>>
>>> Any ideas?
>>> How can I run Keycloak form source?
>>>
>> _______________________________________________
>>> keycloak-user mailing list
>>> keycloak-user at lists.jboss.org
>>> https://lists.jboss.org/mailman/listinfo/keycloak-user
>>
>>
More information about the keycloak-user
mailing list