Bug in User Federation pages in Keycloak admin UI? Bind credentials are incorrect - test authentication fails
11:36 a.m.
Hi,
I think in Keycloak 2.40 or 2.5.0 a bug was introduced in the User Federation pages
concerning the Bind Credential fields. The Bind Credential is fine in the Keycloak
database (COMPONENT_CONFIG table these days) and everything works fine except the
following scenario:
1/ Log in to Keycloak admin UI as an admin
2/ Go to a User Federation and select an LDAP user federation provider (assuming you have
one of course). You already notice that the value of the Bind Credential field has too few
characters.
3/ Now click on the ‘Test authentication’. This fails with 'Error! LDAP authentication
failed.' The issue is that the bind credential is wrong.
4/ However click on ‘Synchronize all users’ and this works just fine. So the bind
credential used here (the one in the database) is just fine.
5/ Now enter the correct bind credential in the Bind Credential field
6/ Test authentication now works fine
7/ Click Save
8/ Click Test authentication and it fails again, same as in step 3
I think the issue is with this admin page. It seems to do something with the bind
credentials it gets from the database. Maybe it wants to unhash it or something but it is
not hashed in the database at all (just plain text). Which maybe it is the real issue
here?
Is this indeed a bug and if so shall I create a bug report for it?
cheers
1:31 p.m.
Already fixed - https://issues.jboss.org/browse/KEYCLOAK-4038
On 9 January 2017 at 11:36, Edgar Vonk - Info.nl <Edgar(a)info.nl> wrote:
Hi,
I think in Keycloak 2.40 or 2.5.0 a bug was introduced in the User
Federation pages concerning the Bind Credential fields. The Bind Credential
is fine in the Keycloak database (COMPONENT_CONFIG table these days) and
everything works fine except the following scenario:
1/ Log in to Keycloak admin UI as an admin
2/ Go to a User Federation and select an LDAP user federation provider
(assuming you have one of course). You already notice that the value of the
Bind Credential field has too few characters.
3/ Now click on the ‘Test authentication’. This fails with 'Error! LDAP
authentication failed.' The issue is that the bind credential is wrong.
4/ However click on ‘Synchronize all users’ and this works just fine. So
the bind credential used here (the one in the database) is just fine.
5/ Now enter the correct bind credential in the Bind Credential field
6/ Test authentication now works fine
7/ Click Save
8/ Click Test authentication and it fails again, same as in step 3
I think the issue is with this admin page. It seems to do something with
the bind credentials it gets from the database. Maybe it wants to unhash it
or something but it is not hashed in the database at all (just plain text).
Which maybe it is the real issue here?
Is this indeed a bug and if so shall I create a bug report for it?
cheers
_______________________________________________
keycloak-user mailing list
keycloak-user(a)lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-user
2:38 p.m.
Excellent. Thanks!
But regarding my point on storing the bind credentials, does it make sense that I create a
feature request to store these in a hashed form in the Keycloak database instead of plain
text?
I guess you would then need to distinguish between normal component config attributes and
‘credential’ component config attributes or something
cheers
On 9 Jan 2017, at 13:31, Stian Thorgersen
<sthorger@redhat.com<mailto:sthorger@redhat.com>> wrote:
Already fixed - https://issues.jboss.org/browse/KEYCLOAK-4038
On 9 January 2017 at 11:36, Edgar Vonk - Info.nl<http://Info.nl>
<Edgar@info.nl<mailto:Edgar@info.nl>> wrote:
Hi,
I think in Keycloak 2.40 or 2.5.0 a bug was introduced in the User Federation pages
concerning the Bind Credential fields. The Bind Credential is fine in the Keycloak
database (COMPONENT_CONFIG table these days) and everything works fine except the
following scenario:
1/ Log in to Keycloak admin UI as an admin
2/ Go to a User Federation and select an LDAP user federation provider (assuming you have
one of course). You already notice that the value of the Bind Credential field has too few
characters.
3/ Now click on the ‘Test authentication’. This fails with 'Error! LDAP authentication
failed.' The issue is that the bind credential is wrong.
4/ However click on ‘Synchronize all users’ and this works just fine. So the bind
credential used here (the one in the database) is just fine.
5/ Now enter the correct bind credential in the Bind Credential field
6/ Test authentication now works fine
7/ Click Save
8/ Click Test authentication and it fails again, same as in step 3
I think the issue is with this admin page. It seems to do something with the bind
credentials it gets from the database. Maybe it wants to unhash it or something but it is
not hashed in the database at all (just plain text). Which maybe it is the real issue
here?
Is this indeed a bug and if so shall I create a bug report for it?
cheers
_______________________________________________
keycloak-user mailing list
keycloak-user@lists.jboss.org<mailto:keycloak-user@lists.jboss.org>
https://lists.jboss.org/mailman/listinfo/keycloak-user
6:04 a.m.
You can't store the credentials hashed, but they can be encrypted and we
have an issue open already for that (
https://issues.jboss.org/browse/KEYCLOAK-3205).
On 9 January 2017 at 14:38, Edgar Vonk - Info.nl <Edgar(a)info.nl> wrote:
Excellent. Thanks!
But regarding my point on storing the bind credentials, does it make sense
that I create a feature request to store these in a hashed form in the
Keycloak database instead of plain text?
I guess you would then need to distinguish between normal component config
attributes and ‘credential’ component config attributes or something
cheers
On 9 Jan 2017, at 13:31, Stian Thorgersen <sthorger(a)redhat.com> wrote:
Already fixed - https://issues.jboss.org/browse/KEYCLOAK-4038
On 9 January 2017 at 11:36, Edgar Vonk - Info.nl <Edgar(a)info.nl> wrote:
> Hi,
>
> I think in Keycloak 2.40 or 2.5.0 a bug was introduced in the User
> Federation pages concerning the Bind Credential fields. The Bind Credential
> is fine in the Keycloak database (COMPONENT_CONFIG table these days) and
> everything works fine except the following scenario:
>
> 1/ Log in to Keycloak admin UI as an admin
> 2/ Go to a User Federation and select an LDAP user federation provider
> (assuming you have one of course). You already notice that the value of the
> Bind Credential field has too few characters.
> 3/ Now click on the ‘Test authentication’. This fails with 'Error! LDAP
> authentication failed.' The issue is that the bind credential is wrong.
> 4/ However click on ‘Synchronize all users’ and this works just fine. So
> the bind credential used here (the one in the database) is just fine.
> 5/ Now enter the correct bind credential in the Bind Credential field
> 6/ Test authentication now works fine
> 7/ Click Save
> 8/ Click Test authentication and it fails again, same as in step 3
>
> I think the issue is with this admin page. It seems to do something with
> the bind credentials it gets from the database. Maybe it wants to unhash it
> or something but it is not hashed in the database at all (just plain text).
> Which maybe it is the real issue here?
>
> Is this indeed a bug and if so shall I create a bug report for it?
>
> cheers
>
> _______________________________________________
> keycloak-user mailing list
> keycloak-user(a)lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user
2656
days inactive
2657
days old
3 comments
2 participants
participants (2)
-
Edgar Vonk - Info.nl -
Stian Thorgersen