[keycloak-user] keycloak 4.8.3 ReadOnlyException on new SAML client with ldap federation

Dmitry Telegin demetrio at carretti.pro
Wed May 8 17:33:47 EDT 2019


Hi Iain,

Seems that your client uses the so-called "persistent NameID policy",
which implies that for each new user Keycloak will generate and,
literally, persist a SAML-specific identifier called NameID. It's not
obvious, but this policy works with writable user stores only, since it
needs to persist the generated NameID (under the hood, Keycloak uses a
custom user attribute named "saml.persistent.name.id.for.<client-id>").

You can overcome this by forcing a different NameID policy, like
username or email, in the client settings. However, you'll need to make
sure that your actual client (web application) is ok with that policy
and there is no lock-in for any particular NameID format.

In fact, the clients should neither rely on the presence of NameID nor
use it for long-term identification, see [1] section [SDP-SP13].

[1] https://kantarainitiative.github.io/SAMLprofiles/saml2int.html

Good luck,
Dmitry Telegin
Opensource IAM consultant
https://www.linkedin.com/in/d-telegin
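A config check an admin can run on a realm export before rolling out a new SAML client, written here as an added example (not from this thread or from Keycloak itself): it flags SAML clients whose NameID policy is "persistent" when an LDAP federation provider is in read-only mode, the combination that produces the ReadOnlyException above. It assumes the Keycloak export key names "saml_name_id_format" (client attribute) and "editMode" (LDAP component config) and uses a constructed sample realm; a persistent NameIDPolicy requested by the SP in its AuthnRequest is not visible in the export and is not covered.

```python
"""Flag SAML clients whose NameID policy needs a writable user store."""
import json

# Constructed sample of a Keycloak realm export (not from the thread).
# Assumed key names: SAML clients carry "saml_name_id_format" in their
# attributes; LDAP providers carry "editMode" in their component config.
SAMPLE_REALM = json.loads("""
{
  "realm": "example",
  "clients": [
    {"clientId": "old-app", "protocol": "saml",
     "attributes": {"saml_name_id_format": "username"}},
    {"clientId": "new-app", "protocol": "saml",
     "attributes": {"saml_name_id_format": "persistent"}},
    {"clientId": "web-oidc", "protocol": "openid-connect", "attributes": {}}
  ],
  "components": {
    "org.keycloak.storage.UserStorageProvider": [
      {"name": "corp-ldap", "providerId": "ldap",
       "config": {"editMode": ["READ_ONLY"]}}
    ]
  }
}
""")

# READ_ONLY rejects attribute writes; WRITABLE and UNSYNCED are treated as
# writable here (they can store the generated NameID attribute).
READ_ONLY_MODES = {"READ_ONLY"}


def read_only_federations(realm):
    """Names of LDAP user storage providers that refuse attribute writes."""
    providers = realm.get("components", {}).get(
        "org.keycloak.storage.UserStorageProvider", [])
    return [p["name"] for p in providers
            if p.get("providerId") == "ldap"
            and p.get("config", {}).get("editMode", ["WRITABLE"])[0] in READ_ONLY_MODES]


def persistent_nameid_clients(realm):
    """SAML clients whose NameID policy makes Keycloak persist a per-client id."""
    return [c["clientId"] for c in realm.get("clients", [])
            if c.get("protocol") == "saml"
            and c.get("attributes", {}).get("saml_name_id_format", "username") == "persistent"]


def at_risk_clients(realm):
    """Clients whose federated users will hit ReadOnlyException at login."""
    if not read_only_federations(realm):
        return []
    return persistent_nameid_clients(realm)


if __name__ == "__main__":
    for cid in at_risk_clients(SAMPLE_REALM):
        print(f"{cid}: persistent NameID with read-only LDAP; use username/email")
```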

On Tue, 2019-05-07 at 16:28 -0400, Iain Steers wrote:
> Hey folks,
> 
> We upgraded to keycloak 4.8.3 fairly recently. We were on version 4.2.1.
> 
> All existing SAML and OAuth clients work as expected and there are no
> issues signing into them.
> 
> However, we just created a new SAML client and don't seem to be able to
> successfully complete the auth process, with the vague error message:
> “Unexpected error when handling authentication request to identity provider”
> Digging into the logs I found a stack trace [1]. This occurs on login
> attempts with this new client.
> Our User Federation backend is a read-only LDAP. Some searching of the
> JBoss JIRA and web didn't find much related to this. Any help would be
> appreciated.
> 
> This is reproducible for us across two separate instances of keycloak
> backed by separate ldap backends.
> 
> Thanks,
> 
> Iain
> 
> [1]
> May 07 20:01:05 keycloak-01 standalone.sh[947]: 20:01:05,600 DEBUG
> [org.keycloak.services.managers.AuthenticationManager] (default task-733)
> Expiring cookie: KEYCLOAK_REMEMBER_ME path: /auth/realms/washington/
> May 07 20:01:05 keycloak-01 standalone.sh[947]: 20:01:05,600 WARN
> [org.keycloak.services] (default task-733) KC-SERVICES0013: Failed
> authentication: org.keycloak.storage.ReadOnlyException
> May 07 20:01:05 keycloak-01 standalone.sh[947]: at
> org.keycloak.models.utils.ReadOnlyUserModelDelegate.setSingleAttribute(ReadOnlyUserModelDelegate.java:48)
> May 07 20:01:05 keycloak-01 standalone.sh[947]: at
> org.keycloak.models.utils.UserModelDelegate.setSingleAttribute(UserModelDelegate.java:69)
> May 07 20:01:05 keycloak-01 standalone.sh[947]: at
> org.keycloak.models.utils.UserModelDelegate.setSingleAttribute(UserModelDelegate.java:69)
> May 07 20:01:05 keycloak-01 standalone.sh[947]: at
> org.keycloak.models.utils.UserModelDelegate.setSingleAttribute(UserModelDelegate.java:69)
> May 07 20:01:05 keycloak-01 standalone.sh[947]: at
> org.keycloak.models.utils.UserModelDelegate.setSingleAttribute(UserModelDelegate.java:69)
> May 07 20:01:05 keycloak-01 standalone.sh[947]: at
> org.keycloak.models.utils.UserModelDelegate.setSingleAttribute(UserModelDelegate.java:69)
> May 07 20:01:05 keycloak-01 standalone.sh[947]: at
> org.keycloak.models.cache.infinispan.UserAdapter.setSingleAttribute(UserAdapter.java:137)
> May 07 20:01:05 keycloak-01 standalone.sh[947]: at
> org.keycloak.protocol.saml.SamlProtocol.getPersistentNameId(SamlProtocol.java:366)
> May 07 20:01:05 keycloak-01 standalone.sh[947]: at
> org.keycloak.protocol.saml.SamlProtocol.getNameId(SamlProtocol.java:324)
> May 07 20:01:05 keycloak-01 standalone.sh[947]: at
> org.keycloak.protocol.saml.SamlProtocol.authenticated(SamlProtocol.java:380)
> May 07 20:01:05 keycloak-01 standalone.sh[947]: at
> org.keycloak.services.managers.AuthenticationManager.redirectAfterSuccessfulFlow(AuthenticationManager.java:790)
> May 07 20:01:05 keycloak-01 standalone.sh[947]: at
> org.keycloak.services.managers.AuthenticationManager.redirectAfterSuccessfulFlow(AuthenticationManager.java:742)
> May 07 20:01:05 keycloak-01 standalone.sh[947]: at
> org.keycloak.services.managers.AuthenticationManager.finishedRequiredActions(AuthenticationManager.java:876)
> May 07 20:01:05 keycloak-01 standalone.sh[947]: at
> org.keycloak.authentication.AuthenticationProcessor.authenticationComplete(AuthenticationProcessor.java:1008)
> May 07 20:01:05 keycloak-01 standalone.sh[947]: at
> org.keycloak.authentication.AuthenticationProcessor.authenticationAction(AuthenticationProcessor.java:878)
> May 07 20:01:05 keycloak-01 standalone.sh[947]: at
> org.keycloak.services.resources.LoginActionsService.processFlow(LoginActionsService.java:292)
> May 07 20:01:05 keycloak-01 standalone.sh[947]: at
> org.keycloak.services.resources.LoginActionsService.processAuthentication(LoginActionsService.java:263)
> May 07 20:01:05 keycloak-01 standalone.sh[947]: at
> org.keycloak.services.resources.LoginActionsService.authenticate(LoginActionsService.java:259)
> May 07 20:01:05 keycloak-01 standalone.sh[947]: at
> org.keycloak.services.resources.LoginActionsService.authenticateForm(LoginActionsService.java:320)
> May 07 20:01:05 keycloak-01 standalone.sh[947]: at
> sun.reflect.GeneratedMethodAccessor673.invoke(Unknown Source)
> May 07 20:01:05 keycloak-01 standalone.sh[947]: at
> sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
> May 07 20:01:05 keycloak-01 standalone.sh[947]: at
> java.lang.reflect.Method.invoke(Method.java:498)
> May 07 20:01:05 keycloak-01 standalone.sh[947]: at
> org.jboss.resteasy.core.MethodInjectorImpl.invoke(MethodInjectorImpl.java:140)
> May 07 20:01:05 keycloak-01 standalone.sh[947]: at
> org.jboss.resteasy.core.ResourceMethodInvoker.internalInvokeOnTarget(ResourceMethodInvoker.java:509)
> May 07 20:01:05 keycloak-01 standalone.sh[947]: at
> org.jboss.resteasy.core.ResourceMethodInvoker.invokeOnTargetAfterFilter(ResourceMethodInvoker.java:399)
> May 07 20:01:05 keycloak-01 standalone.sh[947]: at
> org.jboss.resteasy.core.ResourceMethodInvoker.lambda$invokeOnTarget$0(ResourceMethodInvoker.java:363)
> May 07 20:01:05 keycloak-01 standalone.sh[947]: at
> org.jboss.resteasy.core.interception.PreMatchContainerRequestContext.filter(PreMatchContainerRequestContext.java:358)
> May 07 20:01:05 keycloak-01 standalone.sh[947]: at
> org.jboss.resteasy.core.ResourceMethodInvoker.invokeOnTarget(ResourceMethodInvoker.java:365)
> May 07 20:01:05 keycloak-01 standalone.sh[947]: at
> org.jboss.resteasy.core.ResourceMethodInvoker.invoke(ResourceMethodInvoker.java:337)
> May 07 20:01:05 keycloak-01 standalone.sh[947]: at
> org.jboss.resteasy.core.ResourceLocatorInvoker.invokeOnTargetObject(ResourceLocatorInvoker.java:137)
> May 07 20:01:05 keycloak-01 standalone.sh[947]: at
> org.jboss.resteasy.core.ResourceLocatorInvoker.invoke(ResourceLocatorInvoker.java:100)
> May 07 20:01:05 keycloak-01 standalone.sh[947]: at
> org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:443)
> May 07 20:01:05 keycloak-01 standalone.sh[947]: at
> org.jboss.resteasy.core.SynchronousDispatcher.lambda$invoke$4(SynchronousDispatcher.java:233)
> May 07 20:01:05 keycloak-01 standalone.sh[947]: at
> org.jboss.resteasy.core.SynchronousDispatcher.lambda$preprocess$0(SynchronousDispatcher.java:139)
> May 07 20:01:05 keycloak-01 standalone.sh[947]: at
> org.jboss.resteasy.core.interception.PreMatchContainerRequestContext.filter(PreMatchContainerRequestContext.java:358)
> May 07 20:01:05 keycloak-01 standalone.sh[947]: at
> org.jboss.resteasy.core.SynchronousDispatcher.preprocess(SynchronousDispatcher.java:142)
> May 07 20:01:05 keycloak-01 standalone.sh[947]: at
> org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:219)
> May 07 20:01:05 keycloak-01 standalone.sh[947]: at
> org.jboss.resteasy.plugins.server.servlet.ServletContainerDispatcher.service(ServletContainerDispatcher.java:227)
> May 07 20:01:05 keycloak-01 standalone.sh[947]: at
> org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:56)
> May 07 20:01:05 keycloak-01 standalone.sh[947]: at
> org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:51)
> May 07 20:01:05 keycloak-01 standalone.sh[947]: at
> javax.servlet.http.HttpServlet.service(HttpServlet.java:791)
> May 07 20:01:05 keycloak-01 standalone.sh[947]: at
> io.undertow.servlet.handlers.ServletHandler.handleRequest(ServletHandler.java:74)
> May 07 20:01:05 keycloak-01 standalone.sh[947]: at
> io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:129)
> May 07 20:01:05 keycloak-01 standalone.sh[947]: at
> org.keycloak.services.filters.KeycloakSessionServletFilter.doFilter(KeycloakSessionServletFilter.java:90)
> May 07 20:01:05 keycloak-01 standalone.sh[947]: at
> io.undertow.servlet.core.ManagedFilter.doFilter(ManagedFilter.java:61)
> May 07 20:01:05 keycloak-01 standalone.sh[947]: at
> io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:131)
> May 07 20:01:05 keycloak-01 standalone.sh[947]: at
> io.undertow.servlet.handlers.FilterHandler.handleRequest(FilterHandler.java:84)
> May 07 20:01:05 keycloak-01 standalone.sh[947]: at
> io.undertow.servlet.handlers.security.ServletSecurityRoleHandler.handleRequest(ServletSecurityRoleHandler.java:62)
> May 07 20:01:05 keycloak-01 standalone.sh[947]: at
> io.undertow.servlet.handlers.ServletChain$1.handleRequest(ServletChain.java:68)
> May 07 20:01:05 keycloak-01 standalone.sh[947]: at
> io.undertow.servlet.handlers.ServletDispatchingHandler.handleRequest(ServletDispatchingHandler.java:36)
> May 07 20:01:05 keycloak-01 standalone.sh[947]: at
> org.wildfly.extension.undertow.security.SecurityContextAssociationHandler.handleRequest(SecurityContextAssociationHandler.java:78)
> May 07 20:01:05 keycloak-01 standalone.sh[947]: at
> io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
> May 07 20:01:05 keycloak-01 standalone.sh[947]: at
> io.undertow.servlet.handlers.security.SSLInformationAssociationHandler.handleRequest(SSLInformationAssociationHandler.java:132)
> May 07 20:01:05 keycloak-01 standalone.sh[947]: at
> io.undertow.servlet.handlers.security.ServletAuthenticationCallHandler.handleRequest(ServletAuthenticationCallHandler.java:57)
> May 07 20:01:05 keycloak-01 standalone.sh[947]: at
> io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
> May 07 20:01:05 keycloak-01 standalone.sh[947]: at
> io.undertow.security.handlers.AbstractConfidentialityHandler.handleRequest(AbstractConfidentialityHandler.java:46)
> May 07 20:01:05 keycloak-01 standalone.sh[947]: at
> io.undertow.servlet.handlers.security.ServletConfidentialityConstraintHandler.handleRequest(ServletConfidentialityConstraintHandler.java:64)
> May 07 20:01:05 keycloak-01 standalone.sh[947]: at
> io.undertow.security.handlers.AuthenticationMechanismsHandler.handleRequest(AuthenticationMechanismsHandler.java:60)
> May 07 20:01:05 keycloak-01 standalone.sh[947]: at
> io.undertow.servlet.handlers.security.CachedAuthenticatedSessionHandler.handleRequest(CachedAuthenticatedSessionHandler.java:77)
> May 07 20:01:05 keycloak-01 standalone.sh[947]: at
> io.undertow.security.handlers.NotificationReceiverHandler.handleRequest(NotificationReceiverHandler.java:50)
> May 07 20:01:05 keycloak-01 standalone.sh[947]: at
> io.undertow.security.handlers.AbstractSecurityContextAssociationHandler.handleRequest(AbstractSecurityContextAssociationHandler.java:43)
> May 07 20:01:05 keycloak-01 standalone.sh[947]: at
> io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
> May 07 20:01:05 keycloak-01 standalone.sh[947]: at
> org.wildfly.extension.undertow.security.jacc.JACCContextIdHandler.handleRequest(JACCContextIdHandler.java:61)
> May 07 20:01:05 keycloak-01 standalone.sh[947]: at
> io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
> May 07 20:01:05 keycloak-01 standalone.sh[947]: at
> org.wildfly.extension.undertow.deployment.GlobalRequestControllerHandler.handleRequest(GlobalRequestControllerHandler.java:68)
> May 07 20:01:05 keycloak-01 standalone.sh[947]: at
> io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
> May 07 20:01:05 keycloak-01 standalone.sh[947]: at
> io.undertow.servlet.handlers.ServletInitialHandler.handleFirstRequest(ServletInitialHandler.java:292)
> May 07 20:01:05 keycloak-01 standalone.sh[947]: at
> io.undertow.servlet.handlers.ServletInitialHandler.access$100(ServletInitialHandler.java:81)
> May 07 20:01:05 keycloak-01 standalone.sh[947]: at
> io.undertow.servlet.handlers.ServletInitialHandler$2.call(ServletInitialHandler.java:138)
> May 07 20:01:05 keycloak-01 standalone.sh[947]: at
> io.undertow.servlet.handlers.ServletInitialHandler$2.call(ServletInitialHandler.java:135)
> May 07 20:01:05 keycloak-01 standalone.sh[947]: at
> io.undertow.servlet.core.ServletRequestContextThreadSetupAction$1.call(ServletRequestContextThreadSetupAction.java:48)
> May 07 20:01:05 keycloak-01 standalone.sh[947]: at
> io.undertow.servlet.core.ContextClassLoaderSetupAction$1.call(ContextClassLoaderSetupAction.java:43)
> May 07 20:01:05 keycloak-01 standalone.sh[947]: at
> org.wildfly.extension.undertow.security.SecurityContextThreadSetupAction.lambda$create$0(SecurityContextThreadSetupAction.java:105)
> May 07 20:01:05 keycloak-01 standalone.sh[947]: at
> org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction.lambda$create$0(UndertowDeploymentInfoService.java:1502)
> May 07 20:01:05 keycloak-01 standalone.sh[947]: at
> org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction.lambda$create$0(UndertowDeploymentInfoService.java:1502)
> May 07 20:01:05 keycloak-01 standalone.sh[947]: at
> org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction.lambda$create$0(UndertowDeploymentInfoService.java:1502)
> May 07 20:01:05 keycloak-01 standalone.sh[947]: at
> org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction.lambda$create$0(UndertowDeploymentInfoService.java:1502)
> May 07 20:01:05 keycloak-01 standalone.sh[947]: at
> io.undertow.servlet.handlers.ServletInitialHandler.dispatchRequest(ServletInitialHandler.java:272)
> May 07 20:01:05 keycloak-01 standalone.sh[947]: at
> io.undertow.servlet.handlers.ServletInitialHandler.access$000(ServletInitialHandler.java:81)
> May 07 20:01:05 keycloak-01 standalone.sh[947]: at
> io.undertow.servlet.handlers.ServletInitialHandler$1.handleRequest(ServletInitialHandler.java:104)
> May 07 20:01:05 keycloak-01 standalone.sh[947]: at
> io.undertow.server.Connectors.executeRootHandler(Connectors.java:360)
> May 07 20:01:05 keycloak-01 standalone.sh[947]: at
> io.undertow.server.HttpServerExchange$1.run(HttpServerExchange.java:830)
> May 07 20:01:05 keycloak-01 standalone.sh[947]: at
> org.jboss.threads.ContextClassLoaderSavingRunnable.run(ContextClassLoaderSavingRunnable.java:35)
> May 07 20:01:05 keycloak-01 standalone.sh[947]: at
> org.jboss.threads.EnhancedQueueExecutor.safeRun(EnhancedQueueExecutor.java:1985)
> May 07 20:01:05 keycloak-01 standalone.sh[947]: at
> org.jboss.threads.EnhancedQueueExecutor$ThreadBody.doRunTask(EnhancedQueueExecutor.java:1487)
> May 07 20:01:05 keycloak-01 standalone.sh[947]: at
> org.jboss.threads.EnhancedQueueExecutor$ThreadBody.run(EnhancedQueueExecutor.java:1378)
> May 07 20:01:05 keycloak-01 standalone.sh[947]: at
> java.lang.Thread.run(Thread.java:748)
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user