keycloak / keycloak

Open Source Identity and Access Management For Modern Applications and Services
https://www.keycloak.org
Apache License 2.0

"Condition - user role" doesn't work correctly in a clean browser #32526

Open paxlo opened 1 month ago

paxlo commented 1 month ago

Area

core

Describe the bug

There is the following authentication flow for a SAML client (for SonarQube in my example). The idea for the flow was taken from here and works correctly, but only in a browser containing corporate cookies. (attached screenshot: flow)

The client:

{
  "clientId": "sonarqube",
  "name": "SonarQube",
  "description": "",
  "rootUrl": "https://sonarqube.somedomain.internal",
  "adminUrl": "https://sonarqube.somedomain.internal/oauth2/callback/saml",
  "baseUrl": "/",
  "surrogateAuthRequired": false,
  "enabled": true,
  "alwaysDisplayInConsole": false,
  "clientAuthenticatorType": "client-secret",
  "secret": "somesecret",
  "redirectUris": [
    "https://sonarqube.somedomain.internal/oauth2/callback/saml"
  ],
  "webOrigins": [
    "https://sonarqube.somedomain.internal"
  ],
  "notBefore": 0,
  "bearerOnly": false,
  "consentRequired": false,
  "standardFlowEnabled": true,
  "implicitFlowEnabled": false,
  "directAccessGrantsEnabled": false,
  "serviceAccountsEnabled": false,
  "publicClient": false,
  "frontchannelLogout": true,
  "protocol": "saml",
  "attributes": {
    "saml.assertion.signature": "true",
    "client.secret.creation.time": "1725017789",
    "saml.force.post.binding": "true",
    "saml.encrypt": "false",
    "saml_assertion_consumer_url_post": "https://sonarqube.somedomain.internal/oauth2/callback/saml",
    "saml.server.signature": "false",
    "saml.artifact.binding.identifier": "SOMEBINDINGEDIENTIFIER",
    "saml.signature.algorithm": "RSA_SHA256",
    "saml_force_name_id_format": "false",
    "saml.client.signature": "false",
    "saml.authnstatement": "true",
    "saml_name_id_format": "username",
    "saml.allow.ecp.flow": "false",
    "saml.server.signature.keyinfo.xmlSigKeyInfoKeyNameTransformer": "KEY_ID",
    "saml_signature_canonicalization_method": "http://www.w3.org/2001/10/xml-exc-c14n#"
  },
  "authenticationFlowBindingOverrides": {
    "browser": "3a87b12a-820e-4a61-8cd7-29823f46a9d9"
  },
  "fullScopeAllowed": false,
  "nodeReRegistrationTimeout": -1,
  "protocolMappers": [
    {
      "name": "Email",
      "protocol": "saml",
      "protocolMapper": "saml-user-property-mapper",
      "consentRequired": false,
      "config": {
        "attribute.nameformat": "Basic",
        "user.attribute": "Email",
        "attribute.name": "email"
      }
    },
    {
      "name": "Groups",
      "protocol": "saml",
      "protocolMapper": "saml-role-list-mapper",
      "consentRequired": false,
      "config": {
        "single": "true",
        "attribute.nameformat": "Basic",
        "attribute.name": "groups"
      }
    },
    {
      "name": "Login",
      "protocol": "saml",
      "protocolMapper": "saml-user-property-mapper",
      "consentRequired": false,
      "config": {
        "attribute.nameformat": "Basic",
        "user.attribute": "Username",
        "attribute.name": "login"
      }
    },
    {
      "name": "Name",
      "protocol": "saml",
      "protocolMapper": "saml-user-property-mapper",
      "consentRequired": false,
      "config": {
        "attribute.nameformat": "Basic",
        "user.attribute": "Username",
        "attribute.name": "name"
      }
    }
  ],
  "defaultClientScopes": [],
  "optionalClientScopes": [],
  "access": {
    "view": true,
    "configure": true,
    "manage": true
  }
}

If I use any other browser without any cookies, I can log in to SonarQube once (even if my user is not in the sonar-users group!) by going through the authentication process of the corporate account. After logging out of SQ I can no longer log in, which is the expected behavior.

Version

25.0.2

Regression

Expected behavior

A user who is not a member of a group should not be allowed to login from a clean browser

Actual behavior

A user who is not a member of the group can access the service from a clean browser once (until logout).

How to Reproduce?

  1. Remove a user from a group
  2. Ensure that the user cannot log in to the service via SAML through a browser containing a cookie, and that an error is shown. The expected correct flow behaviour is to get a ‘User role is required’ error.
  3. Open another browser without any cookies.
  4. Open the service URL -> log in via SAML -> you are forwarded to the corporate authentication process and log in to the corporate account -> you are forwarded to the service and successfully logged in.

Anything else?

No response
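The report relies on the Keycloak-side role condition for authorization. As an added example (not part of the report or of the Keycloak project), the following script audits an exported SAML client representation like the one above for settings a defender would want to confirm: assertion signing, verification of client requests, the browser flow override that binds the role condition, a role-list mapper so the SP can enforce group membership itself, and the redirect URIs. The embedded client JSON is a constructed, abridged copy of the report's configuration; the check names are the author's own.

```python
import json

# Constructed, abridged copy of the client representation from the report;
# only the fields the checks below look at are kept.
SAMPLE_CLIENT = json.loads("""
{
  "clientId": "sonarqube",
  "protocol": "saml",
  "redirectUris": ["https://sonarqube.somedomain.internal/oauth2/callback/saml"],
  "fullScopeAllowed": false,
  "attributes": {
    "saml.assertion.signature": "true",
    "saml.server.signature": "false",
    "saml.client.signature": "false",
    "saml.encrypt": "false"
  },
  "authenticationFlowBindingOverrides": {"browser": "3a87b12a-820e-4a61-8cd7-29823f46a9d9"},
  "protocolMappers": [
    {"name": "Groups", "protocolMapper": "saml-role-list-mapper",
     "config": {"single": "true", "attribute.name": "groups"}}
  ]
}
""")


def audit_saml_client(client: dict) -> list[str]:
    """Return a list of findings for a Keycloak SAML client representation."""
    findings = []
    attrs = client.get("attributes", {})

    def enabled(key: str) -> bool:
        # Keycloak stores these attribute flags as the strings "true"/"false".
        return attrs.get(key, "false") == "true"

    # The SP must be able to verify the issuer: sign the assertion or the document.
    if not enabled("saml.assertion.signature") and not enabled("saml.server.signature"):
        findings.append("neither the assertion nor the response document is signed")
    # With client signature off, Keycloak does not verify signed AuthnRequests.
    if not enabled("saml.client.signature"):
        findings.append("saml.client.signature is false: AuthnRequests are not verified")
    # The role condition lives in the bound browser flow; warn if no override is set.
    if not client.get("authenticationFlowBindingOverrides", {}).get("browser"):
        findings.append("no browser flow override: the role condition flow is not bound")
    # A role-list mapper lets the SP enforce group membership on its own side too.
    if not any(m.get("protocolMapper") == "saml-role-list-mapper"
               for m in client.get("protocolMappers", [])):
        findings.append("no saml-role-list-mapper: the SP cannot enforce roles itself")
    # Redirect URIs: flag plain http and wildcard entries.
    for uri in client.get("redirectUris", []):
        if not uri.startswith("https://") or "*" in uri:
            findings.append(f"weak redirect URI: {uri}")
    if client.get("fullScopeAllowed", True):
        findings.append("fullScopeAllowed is true: all realm roles are emitted in assertions")
    return findings
```

Run against the sample, the only finding is the disabled client signature; drop the browser override and the missing binding of the role condition flow is reported as well.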

rmartinc commented 2 days ago

Hi @paxlo!

I cannot reproduce it. I have configured your flow in Keycloak 26 (but without the Identity Provider Redirector) and it works OK for me. It works the first time (when doing the login using username and password) and in subsequent tries. Obviously I have not tested with SonarQube but with the Keycloak account console and a local Java SAML application. I have tested with a browser in incognito mode, so it was clean at the beginning. Besides, I don't know what you mean by corporate cookies.

You can show more information about the flow execution by adding trace logging to the authentication category: --log-level INFO,org.keycloak.authentication:TRACE. We need more information to manage this issue.

keycloak-github-bot[bot] commented 2 days ago

Thanks for reporting this issue, but there is insufficient information or lack of steps to reproduce.

Please provide additional details, otherwise this issue will be automatically closed within 14 days.