camunda-community-hub / camunda-platform-7-keycloak

Camunda Keycloak Identity Provider Plugin
Apache License 2.0

When retrieving user by ID request just exact match #225

Closed cogniware closed 2 months ago

cogniware commented 3 months ago

Camunda Keycloak Identity Provider Pull Request

When retrieving a user by ID, request just the exact match; otherwise the user might not be able to log in when many similar usernames exist.

Description

Otherwise, when there are over 100 results that do not match exactly, login to the web UI fails with an NPE. For example, you are trying to log in as a user with the username tester. But in Keycloak there are users such as tester1, tester2, stester1 and so on. Once the number of those users is large enough, you would not be able to log in. This is because, when retrieving the list of users from Keycloak, it is doing a "fulltext search" on usernames, and the user you are logging in with might not be in the results. Keycloak returns the first 100 results, but those are not sorted by best match. The configuration value maxResultSize is not used for such calls. Since we need to retrieve just one exact user, we should use a parameter of the Keycloak REST API that returns only the user with the exactly matching username.

Testing your changes

Having a deployment with many users with just a number suffix, we were not able to log in to the Camunda web UI. Once a local build of the proposed change was deployed, users were able to log in and list the groups that the user is a member of.

Types of changes

Checklist:
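
The failure mode described in this pull request, reduced to an in-memory model. This is an added example, not code from the pull request, the plugin or any commenter: the class, method names and directory contents are constructed, and `search` only models the behaviour the description attributes to Keycloak (substring match, first 100 results, no best-match ordering), with a boolean `exact` flag standing in for the Keycloak Admin REST API's `exact` query parameter.

```java
import java.util.ArrayList;
import java.util.List;
import java.util.Optional;
import java.util.stream.Collectors;
import java.util.stream.IntStream;

// Added example: in-memory model of the lookup problem, not plugin code.
public class ExactUserLookup {
    // The description says the server returns only the first 100 results.
    static final int SERVER_MAX = 100;

    // Constructed directory: tester1..tester150, with "tester" stored last.
    static List<String> directory() {
        List<String> users = IntStream.rangeClosed(1, 150)
                .mapToObj(i -> "tester" + i)
                .collect(Collectors.toCollection(ArrayList::new));
        users.add("tester");
        return users;
    }

    // Model of the username search: substring match in storage order, capped,
    // no best-match sorting. With exact=true only an identical name matches.
    static List<String> search(List<String> dir, String name, boolean exact) {
        return dir.stream()
                .filter(u -> exact ? u.equals(name) : u.contains(name))
                .limit(SERVER_MAX)
                .collect(Collectors.toList());
    }

    // Before: broad search, exact match picked out of the capped page.
    static Optional<String> lookupBySearch(List<String> dir, String id) {
        return search(dir, id, false).stream().filter(id::equals).findFirst();
    }

    // After: request the exact username; treat 0 or >1 hits as "not found"
    // instead of guessing, so an absent user is explicit rather than a null.
    static Optional<String> lookupExact(List<String> dir, String id) {
        List<String> hits = search(dir, id, true);
        return hits.size() == 1 ? Optional.of(hits.get(0)) : Optional.empty();
    }

    public static void main(String[] args) {
        List<String> dir = directory();
        System.out.println("search: " + lookupBySearch(dir, "tester").isPresent());
        System.out.println("exact:  " + lookupExact(dir, "tester").isPresent());
    }
}
```

With this constructed directory the broad lookup comes back empty, because the 100 returned entries are tester1 to tester100, while the exact lookup resolves tester.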

CLAassistant commented 3 months ago

CLA assistant check
All committers have signed the CLA.

VonDerBeck commented 2 months ago

Hi @cogniware, thanks for your input and your PR which is very much appreciated. I will have a look at your PR in the next weeks. Can you give me a hint on your general settings of the Keycloak Identity Provider (e.g. have you set one of the parameters useEmailAsCamundaUserId or useUsernameAsCamundaUserId etc.)? That would help a lot. Thanks Gunnar

cogniware commented 2 months ago

Hi Gunnar, thanks for taking a look. Yes, we are using useUsernameAsCamundaUserId; more specifically, here is the entire part of the configuration, with some values intentionally replaced with placeholders:

    <plugin>
        <class>org.camunda.bpm.extension.keycloak.plugin.KeycloakIdentityProviderPlugin</class>
        <properties>
            <property name="keycloakIssuerUrl">https://HOSTorIP:28443/realms/master</property>
            <property name="keycloakAdminUrl">https://HOSTorIP:8443/admin/realms/master</property>
            <property name="clientId">clientId</property>
            <property name="clientSecret">clientSecret</property>
            <property name="useUsernameAsCamundaUserId">true</property>
            <property name="useGroupPathAsCamundaGroupId">true</property>
            <property name="disableSSLCertificateValidation">true</property>
            <property name="administratorGroupName">admin</property>
        </properties>
    </plugin>

If there is anything more that might help, please let me know.

VonDerBeck commented 2 months ago

Thanks for your input 👍

VonDerBeck commented 2 months ago

See Version 7.21.2

dbenesj commented 1 month ago

Is there something else that needs to be done to publish the 7.21.2 version also to maven repository?

VonDerBeck commented 1 month ago

@dbenesj: You're right, it hasn't shown up. Thanks for the info. There have been some changes in the community hub parent especially in the area of publishing releases to nexus... I will try to dig into it - and if necessary get help from Camunda.

VonDerBeck commented 1 month ago

As a quick workaround for you, 7.21.2 is available in Camunda's Artifactory.

VonDerBeck commented 1 month ago

The release has clearly been uploaded to Nexus - and within the deploy action I have set maven-auto-release-after-close: true which is responsible for automatically moving the artifacts from staging area to prod without manual interaction. So I have to ask Camunda if there are any problems.

VonDerBeck commented 1 month ago

You can now use 7.21.5 which is available on Maven Central, see https://central.sonatype.com/search?q=%2Fcamunda-platform-7-keycloak

dbenesj commented 1 month ago

Thank you very much, we have successfully used the artifact from the Maven Central.