[keycloak-user] Bug in User Federation pages in Keycloak admin UI? Bind credentials are incorrect - test authentication fails

Stian Thorgersen sthorger at redhat.com
Tue Jan 10 00:04:53 EST 2017


You can't store the credentials hashed, but they can be encrypted and we
have an issue open already for that
(https://issues.jboss.org/browse/KEYCLOAK-3205).

On 9 January 2017 at 14:38, Edgar Vonk - Info.nl <Edgar at info.nl> wrote:

> Excellent. Thanks!
>
> But regarding my point on storing the bind credentials, does it make sense
> that I create a feature request to store these in a hashed form in the
> Keycloak database instead of plain text?
>
> I guess you would then need to distinguish between normal component config
> attributes and ‘credential’ component config attributes or something
>
> cheers
>
>
> On 9 Jan 2017, at 13:31, Stian Thorgersen <sthorger at redhat.com> wrote:
>
> Already fixed - https://issues.jboss.org/browse/KEYCLOAK-4038
>
> On 9 January 2017 at 11:36, Edgar Vonk - Info.nl <Edgar at info.nl> wrote:
>
>> Hi,
>>
>> I think in Keycloak 2.40 or 2.5.0 a bug was introduced in the User
>> Federation pages concerning the Bind Credential fields. The Bind Credential
>> is fine in the Keycloak database (COMPONENT_CONFIG table these days) and
>> everything works fine except the following scenario:
>>
>> 1/ Log in to Keycloak admin UI as an admin
>> 2/ Go to a User Federation and select an LDAP user federation provider
>> (assuming you have one of course). You already notice that the value of the
>> Bind Credential field has too few characters.
>> 3/ Now click on the ‘Test authentication’. This fails with 'Error! LDAP
>> authentication failed.' The issue is that the bind credential is wrong.
>> 4/ However, click on ‘Synchronize all users’ and this works just fine. So
>> the bind credential used here (the one in the database) is just fine.
>> 5/ Now enter the correct bind credential in the Bind Credential field
>> 6/ Test authentication now works fine
>> 7/ Click Save
>> 8/ Click Test authentication and it fails again, same as in step 3
>>
>> I think the issue is with this admin page. It seems to do something with
>> the bind credentials it gets from the database. Maybe it wants to unhash it
>> or something, but it is not hashed in the database at all (just plain text).
>> Which maybe is the real issue here?
>>
>> Is this indeed a bug and if so shall I create a bug report for it?
>>
>> cheers
>>

