Please disregard this; it was a simple misconfiguration on one of the
realms.
One of the realms had that group as a default group for new accounts,
so it appeared to work as I expected.
I ended up making a second invocation of the API to assign the user to
the correct group when creating a new account.
Regards,
Tiago
On Fri, 2019-06-21 at 11:45 +0100, Tiago Batista wrote:
Hello all,
I migrated an application to Keycloak a couple of months ago; however,
today I come to you with a problem I cannot solve. The users created on
the QA environment are created as they should. They are part of the
"self-management" group as expected; however, the users created on the
staging environment are not added to the group!
The thing that puzzles me is that the environments are a mirror of one
another: the same Docker images of the API client are promoted from our
QA to the client's staging. I have already checked, and the Keycloak Helm
charts are on the same version and the Keycloak Docker images have the
same hash (6862c765d226).
The user that is invoking the API has the manage-users role on the
realm.
I would love some insight as to where I should look next, as this is
puzzling me.
Below is an export of the requests from the browser. The response to
both is a 201 Created, and there is no information in the logs or the
admin events regarding any failure to add the user to the group. I have
redacted the domain name and the token.
curl 'https://auth.staging.TLD/auth/admin/realms/acme/users' \
  -H 'User-Agent: Mozilla/5.0 (X11; Fedora; Linux x86_64; rv:67.0) Gecko/20100101 Firefox/67.0' \
  -H 'Accept: */*' -H 'Accept-Language: en-US,en;q=0.5' --compressed \
  -H 'Referer: https://mc.acme.staging.TLD/app/members/list/' \
  -H 'Authorization: Bearer VALID_TOKEN' -H 'content-type: application/json' \
  -H 'Origin: https://mc.acme.staging.TLD' -H 'Connection: keep-alive' -H 'TE: Trailers' \
  --data '{"username":"tiago.batista+acmemember1@mindera.com","email":"tiago.batista+acmemember1@mindera.com","firstName":"tiago","lastName":"member","enabled":true,"groups":["self-management"]}'
curl 'https://auth.qa.TLD/auth/admin/realms/acme/users' \
  -H 'User-Agent: Mozilla/5.0 (X11; Fedora; Linux x86_64; rv:67.0) Gecko/20100101 Firefox/67.0' \
  -H 'Accept: */*' -H 'Accept-Language: en-US,en;q=0.5' --compressed \
  -H 'Referer: http://mc.acme.qa.TLD/app/members/list' \
  -H 'Authorization: Bearer VALID_TOKEN' -H 'content-type: application/json' \
  -H 'Origin: http://mc.acme.qa.TLD' -H 'Connection: keep-alive' -H 'TE: Trailers' \
  --data '{"username":"tiago.batista+acmeqa1@mindera.com","email":"tiago.batista+acmeqa1@mindera.com","firstName":"tiago","lastName":"member","enabled":true,"groups":["self-management"]}'
The token contains the following role on both environments:
  "resource_access": {
    "realm-management": {
      "roles": [
        "manage-users"
      ]
    },
The staging environment has the following groups:
[
  {
    "id": "9fa577be-cf52-4f21-aa7f-770e7c1b81f3",
    "name": "all-plinth-permissions",
    "path": "/all-plinth-permissions",
    "subGroups": []
  },
  {
    "id": "5db60d20-3259-489c-8ac2-f684c3e7dd54",
    "name": "self-management",
    "path": "/self-management",
    "subGroups": []
  }
]
Does anyone have any good idea as to where I should look next?
Regards,
Tiago
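The two-call approach described in the reply at the top of this thread, written out as an added example; this is not code from the thread and not Keycloak's own code. It creates the user with POST /admin/realms/{realm}/users, takes the new user's id from the Location header, looks the group up by path with GET /admin/realms/{realm}/groups, adds the membership with PUT /admin/realms/{realm}/users/{id}/groups/{groupId}, and then reads GET /admin/realms/{realm}/users/{id}/groups back, because a 201 on the POST says nothing about group membership. FakeKeycloak is a constructed, offline stand-in for the admin REST API: that it ignores "groups" in the POST body and silently applies realm default groups is an assumption drawn from the symptoms in the thread (the QA realm had the group as a default group), not a verified statement about any Keycloak release. The transport callable, the realm name and the sample user are likewise assumptions; a real transport would add the Authorization: Bearer header and treat header names case-insensitively.

```python
"""Create a Keycloak user and assign its group explicitly, then verify.

Added example (not from the thread or from Keycloak). FakeKeycloak is a
constructed offline stand-in; that it ignores "groups" in the POST body and
applies realm default groups is assumed from the thread's symptoms only.
"""
import uuid
from typing import Callable, Optional

# transport(method, path, json_body) -> (status, headers, parsed_json_body).
# A real transport would also send "Authorization: Bearer <token>".
Transport = Callable[[str, str, Optional[dict]], tuple]


class FakeKeycloak:
    """Constructed stand-in for one realm of the Keycloak admin REST API."""

    def __init__(self, realm: str, group_paths: list, default_groups: list):
        self.base = f"/admin/realms/{realm}"
        self.groups = {p: str(uuid.uuid4()) for p in group_paths}  # path -> id
        self.default_groups = default_groups  # paths applied to every new user
        self.members: dict = {}               # user id -> set of group ids

    def __call__(self, method, path, body=None):
        if not path.startswith(self.base):
            return 404, {}, None
        parts = path[len(self.base):].strip("/").split("/")
        if method == "POST" and parts == ["users"]:
            uid = str(uuid.uuid4())
            # Assumed from the thread: "groups" in the body has no effect and
            # only the realm's default groups are applied, yet the POST is 201.
            self.members[uid] = {self.groups[p] for p in self.default_groups}
            return 201, {"Location": f"{path}/{uid}"}, None
        if method == "GET" and parts == ["groups"]:
            return 200, {}, [{"id": g, "name": p.strip("/"), "path": p, "subGroups": []}
                             for p, g in self.groups.items()]
        if method == "PUT" and len(parts) == 4 and parts[0] == "users" and parts[2] == "groups":
            uid, gid = parts[1], parts[3]
            if uid not in self.members or gid not in self.groups.values():
                return 404, {}, None
            self.members[uid].add(gid)
            return 204, {}, None
        if method == "GET" and len(parts) == 3 and parts[0] == "users" and parts[2] == "groups":
            gids = self.members.get(parts[1])
            if gids is None:
                return 404, {}, None
            return 200, {}, [{"id": g, "path": p} for p, g in self.groups.items() if g in gids]
        return 404, {}, None


def user_id_from_location(headers: dict) -> str:
    """Keycloak reports the new user's id only via the Location header."""
    return headers["Location"].rstrip("/").rsplit("/", 1)[1]


def group_paths(transport: Transport, realm: str, uid: str) -> list:
    """Read back the user's actual memberships; do not trust the POST status."""
    status, _, groups = transport("GET", f"/admin/realms/{realm}/users/{uid}/groups", None)
    if status != 200:
        raise RuntimeError(f"GET user groups failed with {status}")
    return sorted(g["path"] for g in groups)


def create_user_naive(transport: Transport, realm: str, user: dict, group_path: str) -> list:
    """What the requests in the thread did: one POST with "groups" in the body."""
    payload = dict(user, groups=[group_path.strip("/")])
    status, headers, _ = transport("POST", f"/admin/realms/{realm}/users", payload)
    if status != 201:
        raise RuntimeError(f"POST users failed with {status}")
    return group_paths(transport, realm, user_id_from_location(headers))


def create_user_in_group(transport: Transport, realm: str, user: dict, group_path: str) -> list:
    """The fix from the reply: POST the user, then PUT the membership, then verify."""
    status, headers, _ = transport("POST", f"/admin/realms/{realm}/users", dict(user))
    if status != 201:
        raise RuntimeError(f"POST users failed with {status}")
    uid = user_id_from_location(headers)
    status, _, groups = transport("GET", f"/admin/realms/{realm}/groups", None)
    if status != 200:
        raise RuntimeError(f"GET groups failed with {status}")
    match = [g["id"] for g in groups if g["path"] == group_path]
    if len(match) != 1:
        raise RuntimeError(f"group {group_path!r} not found in realm {realm!r}")
    status, _, _ = transport("PUT", f"/admin/realms/{realm}/users/{uid}/groups/{match[0]}", None)
    if status != 204:
        raise RuntimeError(f"PUT group membership failed with {status}")
    paths = group_paths(transport, realm, uid)
    if group_path not in paths:
        raise RuntimeError(f"user {uid} still not in {group_path} after PUT")
    return paths


if __name__ == "__main__":
    groups = ["/all-plinth-permissions", "/self-management"]  # group paths from the post
    user = {"username": "member1@example.test", "email": "member1@example.test",
            "firstName": "tiago", "lastName": "member", "enabled": True}  # constructed
    qa = FakeKeycloak("acme", groups, default_groups=["/self-management"])
    staging = FakeKeycloak("acme", groups, default_groups=[])
    print("naive on QA-like realm:     ", create_user_naive(qa, "acme", user, "/self-management"))
    print("naive on staging-like realm:", create_user_naive(staging, "acme", user, "/self-management"))
    print("two-step on staging-like:   ", create_user_in_group(staging, "acme", user, "/self-management"))
```

Run against the two fakes, the naive single POST reports the user in /self-management on the QA-like realm (default group) and in no group at all on the staging-like realm, while the two-step version lands the user in the group on both. The read-back in group_paths is the check worth keeping in production code: it is the only call in the sequence whose response actually says whether the membership exists.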