[keycloak-user] When creating a user he is not added to the requested group (on only one of my instances)

Tiago Batista tiago.batista at mindera.com
Tue Jun 25 05:29:12 EDT 2019


Please disregard this, it was a simple misconfiguration on one of the
realms.

One of the realms had that group as a default group for new accounts,
so it appeared to work as I expected.

I ended up making a second invocation of the api to assign the user to
the correct group when creating a new account.

Regards,

Tiago

On Fri, 2019-06-21 at 11:45 +0100, Tiago Batista wrote:
> Hello all,
> 
> I have migrated an application to keycloak a couple of months ago,
> however today I come to you with a problem I cannot solve. The users
> created on the QA environment are created as they should. They are
> part of the "self-management" group as expected, however the users
> created on the staging environment are not added to the group!
> 
> The thing that puzzles me is that the environments are a mirror of
> one another, same docker images of the api client are promoted from
> our QA to the client's staging. I have already checked and the
> keycloak helm charts are on the same version and the keycloak docker
> images have the same hash (6862c765d226).
> 
> The user that is invoking the API has the manage-users role on the
> realm.
> 
> I would love some insight as to where I should look next as this is
> puzzling me.
> 
> Below is an export of the requests from the browser. The response to
> both is a 201 created, and there is no information on the logs or the
> admin events regarding any failure to add the user to the group. I
> have redacted the domain name and the token.
> 
> curl 'https://auth.staging.TLD/auth/admin/realms/acme/users' \
>   -H 'User-Agent: Mozilla/5.0 (X11; Fedora; Linux x86_64; rv:67.0) Gecko/20100101 Firefox/67.0' \
>   -H 'Accept: */*' -H 'Accept-Language: en-US,en;q=0.5' --compressed \
>   -H 'Referer: https://mc.acme.staging.TLD/app/members/list/' \
>   -H 'Authorization: Bearer VALID_TOKEN' -H 'content-type: application/json' \
>   -H 'Origin: https://mc.acme.staging.TLD' -H 'Connection: keep-alive' -H 'TE: Trailers' \
>   --data '{"username":"tiago.batista+acmemember1 at mindera.com","email":"tiago.batista+acmemember1 at mindera.com","firstName":"tiago","lastName":"member","enabled":true,"groups":["self-management"]}'
> 
> 
> curl 'https://auth.qa.TLD/auth/admin/realms/acme/users' \
>   -H 'User-Agent: Mozilla/5.0 (X11; Fedora; Linux x86_64; rv:67.0) Gecko/20100101 Firefox/67.0' \
>   -H 'Accept: */*' -H 'Accept-Language: en-US,en;q=0.5' --compressed \
>   -H 'Referer: http://mc.acme.qa.TLD/app/members/list' \
>   -H 'Authorization: Bearer VALID_TOKEN' -H 'content-type: application/json' \
>   -H 'Origin: http://mc.acme.qa.TLD' -H 'Connection: keep-alive' -H 'TE: Trailers' \
>   --data '{"username":"tiago.batista+acmeqa1 at mindera.com","email":"tiago.batista+acmeqa1 at mindera.com","firstName":"tiago","lastName":"member","enabled":true,"groups":["self-management"]}'
> 
> 
> the token contains the following role on both environments:
> 
> "resource_access": {
>     "realm-management": {
>       "roles": [
>         "manage-users"
>       ]
>     },
> 
> the staging environment has the following groups:
> 
> [
>     {
>         "id": "9fa577be-cf52-4f21-aa7f-770e7c1b81f3",
>         "name": "all-plinth-permissions",
>         "path": "/all-plinth-permissions",
>         "subGroups": []
>     },
>     {
>         "id": "5db60d20-3259-489c-8ac2-f684c3e7dd54",
>         "name": "self-management",
>         "path": "/self-management",
>         "subGroups": []
>     }
> ]
> 
> Does anyone have any good idea as to where I should look next?
> 
> Regards,
> 
> Tiago
> 
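
The resolution described in the reply (a second Admin API call after the account is created) can be sketched as below. This is an added example, not code from the thread: it assumes the creation response carries a `Location` header ending in the new user's id and uses Keycloak's `PUT .../users/{id}/groups/{groupId}` membership endpoint; the function names and the sample user id are constructed for illustration.

```python
import json
import urllib.request
from urllib.parse import quote, urlparse

# Group list as posted for the staging realm in the message above.
STAGING_GROUPS = json.loads("""[
  {"id": "9fa577be-cf52-4f21-aa7f-770e7c1b81f3", "name": "all-plinth-permissions",
   "path": "/all-plinth-permissions", "subGroups": []},
  {"id": "5db60d20-3259-489c-8ac2-f684c3e7dd54", "name": "self-management",
   "path": "/self-management", "subGroups": []}
]""")


def user_id_from_location(location):
    """Extract the new user's id from the Location header of the 201 response."""
    parent, _, user_id = urlparse(location).path.rstrip("/").rpartition("/")
    if not parent.endswith("/users") or not user_id:
        raise ValueError(f"not a user resource URL: {location!r}")
    return user_id


def find_group_id(groups, path):
    """Resolve a group path to its id, descending into subGroups."""
    for group in groups:
        if group.get("path") == path:
            return group["id"]
        nested = find_group_id(group.get("subGroups", []), path)
        if nested:
            return nested
    return None


def membership_request(realm_admin_url, token, location, groups, group_path):
    """Build the second call: PUT .../users/{id}/groups/{groupId}."""
    group_id = find_group_id(groups, group_path)
    if group_id is None:
        # Fail loudly: a missing group must not become a silent no-op.
        raise LookupError(f"group {group_path!r} does not exist in this realm")
    user_id = quote(user_id_from_location(location), safe="")
    url = f"{realm_admin_url.rstrip('/')}/users/{user_id}/groups/{quote(group_id, safe='')}"
    return urllib.request.Request(
        url, method="PUT", headers={"Authorization": f"Bearer {token}"})


if __name__ == "__main__":
    # Constructed Location value; a real one comes from the creation response.
    loc = "https://auth.staging.TLD/auth/admin/realms/acme/users/00000000-0000-4000-8000-000000000001"
    req = membership_request("https://auth.staging.TLD/auth/admin/realms/acme",
                             "VALID_TOKEN", loc, STAGING_GROUPS, "/self-management")
    print(req.get_method(), req.full_url)  # send with urllib.request.urlopen(req)
```

Resolving the group by path and raising when it is absent makes a missing or renamed group visible in each environment, instead of relying on a realm's default-group setting to mask it.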


