[keycloak-user] User roles deleted after SSO idle session expires

MEHDi CHAABOUNi mehdi.chaabouni at gmail.com
Wed Mar 20 11:52:58 EDT 2019


They are identity provider mappers.

We do see in the logs that groups being received from AD:

{
  "aio": "AVQAq/8KAAAA8PGjXf4lVf/Ydo+0vf17iyg5aSofK2vDHlFc3kT2AJD7aEfowYNdsos5tGCOIcfpclqcEvJm3a/0q9vrOIqFISk5DIiSxsbgXaqOQnDLUjc=",
  "amr": "[\"pwd\",\"mfa\"]",
  "family_name": "Chaabouni",
  "given_name": "Mehdi",
  "ipaddr": "207.96.238.194",
  "name": "Mehdi Chaabouni",
  "oid": "cbb75a8f-09a4-441b-8652-4a13ddb22d1c",
  "onprem_sid": "S-1-5-21-808638481-369274112-3737512417-3656",
  "sub": "MxyEhfA1tiGU2xQ-L7w-CI59-7FS4ibR6BYT6pl6aTc",
  "tid": "aab561d6-005e-45d1-807a-d7f53dc07034",
  "unique_name": "mchaabouni at test.com",
  "upn": "mchaabouni at test.com",
  "uti": "ea2dC_nciUGsfUk4mr4SAQ",
  "ver": "1.0",
  "groups": [
    "[\"fea349bb-4183-477b-b3bc-c489133b4546\",\"882e10f9-3682-4a26-9938-b29084ef8135\"]"
  ]
}


The groups are mapped correctly the first time that the user is imported
into keycloak.


On Wed, Mar 20, 2019 at 10:42 AM Pedro Igor Silva <psilva at redhat.com> wrote:

> Your custom mappers are client mappers or identity provider mappers ? It
> does not make sense an empty list of mappers if you have defined mappers to
> your identity provider.
>
> On Wed, Mar 20, 2019 at 11:01 AM MEHDi CHAABOUNi <
> mehdi.chaabouni at gmail.com> wrote:
>
>> Hi,
>>
>> I'm using Azure Active Directory to authenticate users and I have setup
>> custom mappers to import roles (mapping groups from Active Directory to
>> Keycloak roles).
>> I'm pretty sure the scenario was not working before. There was a lot of
>> development on the front-end application so we didn't notice the problem
>> until we started using it.
>> When the problem occurs for a user, he's still logged in to the
>> application but all the features are disabled because he has no role (The
>> assigned roles section in keycloak is empty).
>>
>> The logs I sent yesterday mention:
>> DEBUG [org.keycloak.services.resources.IdentityBrokerService] (default
>> task-1) Token will not be stored for identity provider [microsoft]
>>
>> which is logged in the method
>> IdentityBrokerService.authenticated(BrokeredIdentityContext context)
>>
>> Going through that method, I found this piece of code:
>>
>> Set<IdentityProviderMapperModel> mappers = realmModel.getIdentityProviderMappersByAlias(context.getIdpConfig().getAlias());
>> if (mappers != null) {
>>     KeycloakSessionFactory sessionFactory = session.getKeycloakSessionFactory();
>>     for (IdentityProviderMapperModel mapper : mappers) {
>>         IdentityProviderMapper target = (IdentityProviderMapper)sessionFactory.getProviderFactory(IdentityProviderMapper.class, mapper.getIdentityProviderMapper());
>>         target.preprocessFederatedIdentity(session, realmModel, mapper, context);
>>     }
>> }
>>
>> That's why I suspect that the mappers are not triggered.
>>
>> Thanks!
>>
>>
>>
>>
>> On Wed, Mar 20, 2019 at 8:11 AM Pedro Igor Silva <psilva at redhat.com>
>> wrote:
>>
>>> Hi,
>>>
>>> Are you using a broker to authenticate your users ? Your setup is not
>>> clear if that is the case, so I'm not sure if the method you pointed out is
>>> related.
>>>
>>> Can you confirm that this scenario was working before?
>>>
>>> By losing roles, you mean they are not within the access token?
>>>
>>> Regards.
>>> Pedro Igor
>>>
>>>
>>>
>>> On Tue, Mar 19, 2019 at 9:16 AM MEHDi CHAABOUNi <
>>> mehdi.chaabouni at gmail.com> wrote:
>>>
>>>> Hi,
>>>>
>>>> This is our Keycloak setup:
>>>>
>>>>    - Keycloak docker container 4.4.0.Final
>>>>    - Azure Active Directory (mapping groups to roles)
>>>>    - Keycloak client protocol: openid-connect
>>>>    - 3 optional client scopes
>>>
>>>
>>>>
>>>>
>>>> We noticed lately that users using the front-end application (angular)
>>>> are
>>>> losing all roles after the SSO idle session expires.
>>>> This behaviour is also seen in the 4.8.3.Final version.
>>>> It seems that the Identity Provider Mappers are not triggered for some
>>>> reason and I can't dig any deeper nothing much is logged in the method
>>>> IdentityBrokerService.authenticated(BrokeredIdentityContext context).
>>>>
>>>> Any ideas?
>>>> How can I run Keycloak form source?
>>>>
>>> _______________________________________________
>>>> keycloak-user mailing list
>>>> keycloak-user at lists.jboss.org
>>>> https://lists.jboss.org/mailman/listinfo/keycloak-user
>>>
>>>


More information about the keycloak-user mailing list