kbss-cvut / 19msmt-distribution

MSMT Reliability Management System
GNU General Public License v3.0

Keycloak silently ignores partially defined user #51

Open kostobog opened 7 months ago

kostobog commented 7 months ago

When we underspecify the user in the Keycloak administration UI, i.e. the user does not have a first name, last name and email address specified, the user is successfully saved in the internal Keycloak database. However, it is not saved in the GraphDB server.

Thus we are not able to log in to record manager and we have no way to find out why. There is no warning message in the Keycloak administration UI and no warning log in the Keycloak server. And since the user is not saved in GraphDB, there is also no unusual error in the record manager server.

Note that within the Keycloak administration UI the first name, last name and email address are optional fields, see screenshot below.

Image

The best solution for this issue would be to show an error message in the Keycloak administration UI when saving a user without those fields.

kostobog commented 7 months ago

@ledsoft

ledsoft commented 7 months ago

Currently, the user data replicator SPI is just an event listener, it has no influence on the user creation process. This would require either rewriting the SPI, changing Keycloak user profile theme to require first name and last name or modifying the target application to not require these fields. It depends on how critical this issue is and which solution would be the most efficient to implement.

ledsoft commented 7 months ago

FYI, updated the user data replicator to handle missing first name and last name so that the user account metadata that are available (username) are replicated in the repository. General handling of optional first name and last name should be IMHO done by the application (do not require them as well) or by Keycloak (require them).
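
An added example, not part of the issue thread or the project's code: a small audit over a Keycloak user list (the `UserRepresentation` JSON shape returned by the Admin REST API's users endpoint) that flags accounts missing the attributes discussed above, so the gap is visible before a login fails. The sample records, the function names and the choice to skip `service-account-` users are assumptions.

```python
import json

# Attributes the issue reports as optional in the Keycloak admin UI but needed
# downstream; key names follow Keycloak's UserRepresentation JSON.
REQUIRED_FIELDS = ("firstName", "lastName", "email")


def missing_fields(user, required=REQUIRED_FIELDS):
    """Return the required attributes that are absent, null or blank."""
    missing = []
    for field in required:
        value = user.get(field)
        # A whitespace-only string is as unusable downstream as a missing key.
        if not isinstance(value, str) or not value.strip():
            missing.append(field)
    return missing


def audit_users(users, required=REQUIRED_FIELDS):
    """Map username -> missing attributes, skipping service accounts."""
    findings = {}
    for user in users:
        username = user.get("username") or "<no username>"
        # Assumption: client service accounts never log in interactively.
        if username.startswith("service-account-"):
            continue
        gaps = missing_fields(user, required)
        if gaps:
            findings[username] = gaps
    return findings


# Constructed sample data, not taken from any real realm.
SAMPLE_EXPORT = json.loads("""
[
  {"username": "alice", "firstName": "Alice", "lastName": "Novak",
   "email": "alice@example.org"},
  {"username": "bob"},
  {"username": "carol", "firstName": "Carol", "lastName": "  ", "email": null},
  {"username": "service-account-replicator"}
]
""")

if __name__ == "__main__":
    for name, gaps in sorted(audit_users(SAMPLE_EXPORT).items()):
        print(f"{name}: missing {', '.join(gaps)}")
```

Passing `required=("email",)` narrows the check to the one attribute the replicator update above does not mention handling.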