Nerzal / gocloak

golang keycloak client
Apache License 2.0

could not get users: invalid character '{' after top-level value #295

Closed deadlysyn closed 3 years ago

deadlysyn commented 3 years ago

Describe the bug

Not sure if this is a bug or local stupidity. The code below worked in an older Keycloak version; after a recent upgrade to 13.x it broke... trying to GetUsers errors with invalid character '{' after top-level value.

To Reproduce

```go
package main

import (
	"context"
	"log"

	keycloak "github.com/Nerzal/gocloak/v8" // module version assumed; the issue does not state it
	"github.com/spf13/viper"
)

// keycloakClient bundles the gocloak client with the realm and access token
// used on every call.
type keycloakClient struct {
	Client keycloak.GoCloak
	Realm  string
	Token  string
}

// creds holds secrets loaded elsewhere (the loading code is not part of the issue).
var creds map[string]string

func getKeycloakClient(ctx context.Context) *keycloakClient {
	host := viper.GetString("keycloak.url")
	realm := viper.GetString("keycloak.realm")
	clientID := viper.GetString("keycloak.client")
	clientSecret := creds["KEYCLOAK_CLIENT_SECRET"]

	client := keycloak.NewClient(host)

	// Client-credentials login for the service account of this client.
	token, err := client.LoginClient(ctx, clientID, clientSecret, realm)
	if err != nil {
		log.Fatalf("ERROR: %v", err.Error())
	}

	// return realm, client, token.AccessToken
	return &keycloakClient{
		Client: client,
		Realm:  realm,
		Token:  token.AccessToken,
	}
}

func getKeycloakUser(ctx context.Context, email string) []*keycloak.User {
	kc := getKeycloakClient(ctx)

	// Search users by email only.
	p := keycloak.GetUsersParams{
		Email: keycloak.StringP(email),
	}

	users, err := kc.Client.GetUsers(ctx, kc.Token, kc.Realm, p) // this call fails
	if err != nil {
		log.Fatalf("ERROR: %v", err.Error())
	}

	return users
}
```

Expected behavior

nil error and returned user slice

deadlysyn commented 3 years ago

this was some sort of boundary condition. had users in LDAP backend w/ duplicate email. removing one of the users and resyncing fixed it, but might be worth looking into. if my experiments turn up anything interesting i'll share findings.

deadlysyn commented 3 years ago

ran into this a few more times. i think it can be closed here, since it seems to be upstream in keycloak itself. sometimes doing a search based on email will return stuff like:

ERROR [org.keycloak.services.error.KeycloakErrorHandler] (default task-888) Uncaught server error: com.fasterxml.jackson.databind.JsonMappingException: Can't import user 'foo.bar' from LDAP because email 'foo.bar@baz.com' already exists in Keycloak. Existing user with this email is 'foo.bar@baz.com.com'

so it is still a boundary condition (dupe email), but seems Keycloak could do better than throwing an uncaught exception...not gocloak's issue to solve.

for anyone else getting similar errors -- interestingly, i found i can work around it by simply searching by username vs email...i suppose because email is the primary import key in this case.
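The Go error quoted in this issue means the response body contained a second JSON value after the user array, which is what happens when Keycloak's error handler fires after part of the reply was already written. As an added example (not gocloak's code and not from the issue), the decoder below reads the body value by value so that trailing error object is surfaced instead of an opaque parse failure; the error object's field names and the sample body are assumed and constructed here.

```go
package main

import (
	"bytes"
	"encoding/json"
	"errors"
	"fmt"
	"io"
)

// User carries only the fields this example inspects.
type User struct {
	ID       string `json:"id"`
	Username string `json:"username"`
	Email    string `json:"email"`
}

// ServerError is the assumed shape of the error object Keycloak appends
// when its error handler runs after part of the response was written.
type ServerError struct {
	Error       string `json:"error"`
	Description string `json:"error_description"`
}

// decodeUsersResponse reads the body one JSON value at a time. A healthy body
// is a single array. If a second value follows it, plain json.Unmarshal reports
// "invalid character '{' after top-level value"; here that trailing value is
// decoded so the server-side message reaches the caller and the logs.
func decodeUsersResponse(body []byte) ([]User, *ServerError, error) {
	dec := json.NewDecoder(bytes.NewReader(body))
	var users []User
	if err := dec.Decode(&users); err != nil {
		return nil, nil, fmt.Errorf("decoding user array: %w", err)
	}
	var srvErr ServerError
	switch err := dec.Decode(&srvErr); {
	case errors.Is(err, io.EOF):
		return users, nil, nil // exactly one value: a well-formed response
	case err != nil:
		return users, nil, fmt.Errorf("trailing data after user array: %w", err)
	}
	return users, &srvErr, fmt.Errorf("server error after %d user(s): %s", len(users), srvErr.Description)
}

// Constructed sample: one user followed by an error object, the concatenated
// form that produces the error quoted in this issue.
const sampleBody = `[{"id":"a1","username":"foo.bar","email":"foo.bar@baz.com"}]` +
	`{"error":"unknown_error","error_description":"Can't import user 'foo.bar' from LDAP because email 'foo.bar@baz.com' already exists in Keycloak"}`

func main() {
	users, srvErr, err := decodeUsersResponse([]byte(sampleBody))
	fmt.Println(len(users), srvErr != nil, err)
}
```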

Nerzal commented 3 years ago

Thanks for investigating! :)