[keycloak-user] When creating a user he is not added to the requested group (on only one of my instances)

Tiago Batista tiago.batista at mindera.com
Fri Jun 21 06:45:23 EDT 2019 

Hello all,

I have migrated an application to keycloak a couple of months ago,
however today I come to you with a problem I can not solve. The users
created on the QA environment are created as they should. They are part
of the "self-management" group as expected, however the users created
on the staging environment are not added to the group!

The thing that puzzles me is that the environments are a mirror of one
another, same docker images of the api client are promoted from our QA
to the client's staging. I have already checked and the keycloak helm
charts are on the same version and the keycloak docker images have the
same hash (6862c765d226).

The user that is invoking the API has the manage-users role on the
realm.

I would love some insight as to where should I look next as this is
puzzling me.

Below is an export of the requests from the browser. The response to
both is a 201 created, and there is no information on the logs or the
admin events regarding any failure to add the user to the group. I have
redacted the domain name and the token.

curl 'https://auth.staging.TLD/auth/admin/realms/acme/users' -H 'User-
Agent: Mozilla/5.0 (X11; Fedora; Linux x86_64; rv:67.0) Gecko/20100101
Firefox/67.0' -H 'Accept: */*' -H 'Accept-Language: en-US,en;q=0.5' --
compressed -H 'Referer: https://mc.acme.staging.TLD/app/members/list/'
-H 'Authorization: Bearer VALID_TOKEN' -H 'content-type: application/json' -H 'Origin: https://mc.acme.staging.TLD' -H 'Connection: keep-alive' -H 'TE:
Trailers' --data
'{"username":"tiago.batista+acmemember1 at mindera.com","email":"tiago.bat
ista+acmemember1 at mindera.com","firstName":"tiago","lastName":"member","
enabled":true,"groups":["self-management"]}'


curl 'https://auth.qa.TLD/auth/admin/realms/acme/users' -H 'User-Agent: 
Mozilla/5.0 (X11; Fedora; Linux x86_64; rv:67.0) Gecko/20100101
Firefox/67.0' -H 'Accept: */*' -H 'Accept-Language: en-US,en;q=0.5' --
compressed -H 'Referer: http://mc.acme.qa.TLD/app/members/list' -H
'Authorization: Bearer VALID_TOKEN' -H 'content-type: application/json'
-H 'Origin: http://mc.acme.qa.TLD' -H 'Connection: keep-alive' -H 'TE:
Trailers' --data
'{"username":"tiago.batista+acmeqa1 at mindera.com","email":"tiago.batista
+acmeqa1 at mindera.com","firstName":"tiago","lastName":"member","enabled"
:true,"groups":["self-management"]}'


the token contains the following role on both environments:

"resource_access": {
    "realm-management": {
      "roles": [
        "manage-users"
      ]
    },

the staging environment has the following groups:

[
    {
        "id": "9fa577be-cf52-4f21-aa7f-770e7c1b81f3",
        "name": "all-plinth-permissions",
        "path": "/all-plinth-permissions",
        "subGroups": []
    },
    {
        "id": "5db60d20-3259-489c-8ac2-f684c3e7dd54",
        "name": "self-management",
        "path": "/self-management",
        "subGroups": []
    }
]

Anyone has any good idea as to where I should look next?

Regards,

Tiago

More information about the keycloak-user mailing list