[keycloak-user] User roles deleted after SSO idle session expires

Pedro Igor Silva psilva at redhat.com
Wed Mar 20 15:15:47 EDT 2019 

Btw, just talked with Marek and he told me there is an issue for the
behaviour I mentioned https://issues.jboss.org/browse/KEYCLOAK-8690.

On Wed, Mar 20, 2019 at 4:07 PM Pedro Igor Silva <psilva at redhat.com> wrote:

> Are you using a "Claim to Role" identity mapper ? Are you mapping groups
> to roles in the realm ?
>
> Asking because, I think that this specific mapper is only removing roles
> in case there is no claim in the token from the IdP. So roles are mapped
> and granted only during the first login.
>
>
> On Wed, Mar 20, 2019 at 12:53 PM MEHDi CHAABOUNi <
> mehdi.chaabouni at gmail.com> wrote:
>
>> They are identity provider mappers.
>>
>> We do see in the logs that groups being received from AD:
>>
>> {
>>   "aio": "AVQAq/8KAAAA8PGjXf4lVf/Ydo+0vf17iyg5aSofK2vDHlFc3kT2AJD7aEfowYNdsos5tGCOIcfpclqcEvJm3a/0q9vrOIqFISk5DIiSxsbgXaqOQnDLUjc=",
>>   "amr": "[\"pwd\",\"mfa\"]",
>>   "family_name": "Chaabouni",
>>   "given_name": "Mehdi",
>>   "ipaddr": "207.96.238.194",
>>   "name": "Mehdi Chaabouni",
>>   "oid": "cbb75a8f-09a4-441b-8652-4a13ddb22d1c",
>>   "onprem_sid": "S-1-5-21-808638481-369274112-3737512417-3656",
>>   "sub": "MxyEhfA1tiGU2xQ-L7w-CI59-7FS4ibR6BYT6pl6aTc",
>>   "tid": "aab561d6-005e-45d1-807a-d7f53dc07034",
>>   "unique_name": "mchaabouni at test.com",
>>   "upn": "mchaabouni at test.com",
>>   "uti": "ea2dC_nciUGsfUk4mr4SAQ",
>>   "ver": "1.0",
>>   "groups": [
>>     "[\"fea349bb-4183-477b-b3bc-c489133b4546\",\"882e10f9-3682-4a26-9938-b29084ef8135\"]"
>>   ]
>> }
>>
>>
>> The groups are mapped correctly the first time that the user is imported
>> into keycloak.
>>
>>
>> On Wed, Mar 20, 2019 at 10:42 AM Pedro Igor Silva <psilva at redhat.com>
>> wrote:
>>
>>> Your custom mappers are client mappers or identity provider mappers ? It
>>> does not make sense an empty list of mappers if you have defined mappers to
>>> your identity provider.
>>>
>>> On Wed, Mar 20, 2019 at 11:01 AM MEHDi CHAABOUNi <
>>> mehdi.chaabouni at gmail.com> wrote:
>>>
>>>> Hi,
>>>>
>>>> I'm using Azure Active Directory to authenticate users and I have setup
>>>> custom mappers to import roles (mapping groups from Active Directory to
>>>> Keycloak roles).
>>>> I'm pretty sure the scenario was not working before. There was a lot of
>>>> development on the front-end application so we didn't notice the problem
>>>> until we started using it.
>>>> When the problem occurs for a user, he's still logged in to the
>>>> application but all the features are disabled because he has no role (The
>>>> assigned roles section in keycloak is empty).
>>>>
>>>> The logs I sent yesterday mention:
>>>> DEBUG [org.keycloak.services.resources.IdentityBrokerService] (default
>>>> task-1) Token will not be stored for identity provider [microsoft]
>>>>
>>>> which is logged in the method
>>>> IdentityBrokerService.authenticated(BrokeredIdentityContext context)
>>>>
>>>> Going through that method, I found this piece of code:
>>>>
>>>> Set<IdentityProviderMapperModel> mappers = realmModel.getIdentityProviderMappersByAlias(context.getIdpConfig().getAlias());
>>>> if (mappers != null) {
>>>>     KeycloakSessionFactory sessionFactory = session.getKeycloakSessionFactory();
>>>>     for (IdentityProviderMapperModel mapper : mappers) {
>>>>         IdentityProviderMapper target = (IdentityProviderMapper)sessionFactory.getProviderFactory(IdentityProviderMapper.class, mapper.getIdentityProviderMapper());
>>>>         target.preprocessFederatedIdentity(session, realmModel, mapper, context);
>>>>     }
>>>> }
>>>>
>>>> That's why I suspect that the mappers are not triggered.
>>>>
>>>> Thanks!
>>>>
>>>>
>>>>
>>>>
>>>> On Wed, Mar 20, 2019 at 8:11 AM Pedro Igor Silva <psilva at redhat.com>
>>>> wrote:
>>>>
>>>>> Hi,
>>>>>
>>>>> Are you using a broker to authenticate your users ? Your setup is not
>>>>> clear if that is the case, so I'm not sure if the method you pointed out is
>>>>> related.
>>>>>
>>>>> Can you confirm that this scenario was working before?
>>>>>
>>>>> By losing roles, you mean they are not within the access token?
>>>>>
>>>>> Regards.
>>>>> Pedro Igor
>>>>>
>>>>>
>>>>>
>>>>> On Tue, Mar 19, 2019 at 9:16 AM MEHDi CHAABOUNi <
>>>>> mehdi.chaabouni at gmail.com> wrote:
>>>>>
>>>>>> Hi,
>>>>>>
>>>>>> This is our Keycloak setup:
>>>>>>
>>>>>>    - Keycloak docker container 4.4.0.Final
>>>>>>    - Azure Active Directory (mapping groups to roles)
>>>>>>    - Keycloak client protocol: openid-connect
>>>>>>    - 3 optional client scopes
>>>>>
>>>>>
>>>>>>
>>>>>>
>>>>>> We noticed lately that users using the front-end application
>>>>>> (angular) are
>>>>>> losing all roles after the SSO idle session expires.
>>>>>> This behaviour is also seen in the 4.8.3.Final version.
>>>>>> It seems that the Identity Provider Mappers are not triggered for some
>>>>>> reason and I can't dig any deeper nothing much is logged in the method
>>>>>> IdentityBrokerService.authenticated(BrokeredIdentityContext context).
>>>>>>
>>>>>> Any ideas?
>>>>>> How can I run Keycloak form source?
>>>>>>
>>>>> _______________________________________________
>>>>>> keycloak-user mailing list
>>>>>> keycloak-user at lists.jboss.org
>>>>>> https://lists.jboss.org/mailman/listinfo/keycloak-user
>>>>>
>>>>>

More information about the keycloak-user mailing list