p2-inc / keycloak-orgs

Single realm, multi-tenancy for SaaS apps
https://phasetwo.io

Organization members include service account records #40

Closed splatch closed 1 year ago

splatch commented 1 year ago

Detected with version 19.0.2 with PostgreSQL. I am not aware of any specific logic in membership associations, but I found that calling the Phase Two client returns extra membership entries which do not belong to the organization:

import java.util.List;
import org.keycloak.representations.idm.UserRepresentation;

// client is the Phase Two Java client; first=0, max=200 selects the first page of members
List<UserRepresentation> members = client.getOrganizationMembershipsApi().getOrganizationMemberships(
  realm, orgId, 0, 200
);

I first thought that it was a mistake in the calculated URI, but after enabling logging I found that it is fine:

jaxrs.LoggingInterceptor (LoggingInterceptor.java:22) - Request 97654a55-0645-4e7f-88d4-2e4d7891d146, GET http://keycloak:8080/auth/realms/test/orgs/3c2cb198-a597-4238-b31a-db3bccb4c421/members?first=0&max=200

The above code gives me a user record which represents the service account of a client. I traced it down to the server code which, for some reason, includes the service account. By looking at the database entities I haven't found a clear reason why it would happen. Note that there was issue #32 which noted the use of admin-cli, which uses service accounts, but it was closed as resolved. I think it could be subject to a similar issue where removal of an organization could lead to removal of the service account, which results in re-creation of the user record representing the service account by Keycloak itself. The difference is, the newly created user will lose all roles it had assigned before.

xgp commented 1 year ago

Yes, the method to get organization members currently returns organization service accounts. Is this an issue for you?

I think it could be subject to a similar issue where removal of an organization could lead to removal of the service account, which results in re-creation of the user record representing the service account by Keycloak itself. The difference is, the newly created user will lose all roles it had assigned before.

This point doesn't make sense to me. How would this happen?

splatch commented 1 year ago

For me it returns a service account which is created during realm import, before any organization could even be created. The client itself is also created during realm import and has nothing to do with any of the organizations registered in the system.

xgp commented 1 year ago

I see. This extension doesn't support realm import/export. We haven't figured out how to hook into the Keycloak import/export process, so the tree of organization information is lost in a realm export. However, because the organization service account is a real user, that gets exported.

splatch commented 1 year ago

I kind of understand the implications for import/export. The reason why I was completely surprised is the fact that the membership resource returns extra entries, beyond the ones which are expected to come from database entries (organization membership). There is no relation between the service account and the organization, so how is it possible that it is considered to be a member of an org?

xgp commented 1 year ago

Is it returning members for which there is no ORGANIZATION_MEMBER record in the DB? If so, can you post your full request and a select * from your ORGANIZATION and ORGANIZATION_MEMBER tables?
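The check xgp is asking for above (does the members endpoint return users that have no ORGANIZATION_MEMBER row?) can be scripted, and it is also worth separating out service accounts from real users given the earlier comment that the method returns organization service accounts. The following is an added example, not code from the keycloak-orgs project or from either commenter. It takes the JSON list of UserRepresentations returned by GET /realms/{realm}/orgs/{orgId}/members and the rows of ORGANIZATION_MEMBER, and reports which returned ids have no membership row and which returned users are Keycloak service accounts. The sample API response and table rows are constructed, and the column names ORGANIZATION_ID and USER_ID are assumed; the `serviceAccountClientId` field and the `service-account-` username prefix are Keycloak's own conventions for client service accounts.

```python
"""Reconcile keycloak-orgs membership API output against ORGANIZATION_MEMBER rows.

Added example, not code from the keycloak-orgs project. Sample data below is
constructed; the ORGANIZATION_ID / USER_ID column names are an assumption.
"""
from dataclasses import dataclass, field

# Keycloak names a client's service-account user "service-account-<clientId>".
SERVICE_ACCOUNT_PREFIX = "service-account-"


def is_service_account(user: dict) -> bool:
    """True if a UserRepresentation (as a dict) is a client service account.

    Keycloak sets serviceAccountClientId on such users; the username prefix
    is a fallback for representations that omit the field.
    """
    if user.get("serviceAccountClientId"):
        return True
    return user.get("username", "").startswith(SERVICE_ACCOUNT_PREFIX)


@dataclass
class Reconciliation:
    expected: set                      # user ids with an ORGANIZATION_MEMBER row for this org
    returned: set                      # user ids the members endpoint returned
    extra: set = field(default_factory=set)      # returned, but no membership row
    missing: set = field(default_factory=set)    # membership row, but not returned
    service_accounts: dict = field(default_factory=dict)  # id -> username of returned service accounts

    @property
    def consistent(self) -> bool:
        """API and table agree exactly on the member set."""
        return not self.extra and not self.missing


def reconcile(org_id: str, api_members: list, member_rows: list) -> Reconciliation:
    """Compare the API member list for org_id with the ORGANIZATION_MEMBER rows."""
    expected = {row["USER_ID"] for row in member_rows if row["ORGANIZATION_ID"] == org_id}
    returned = {user["id"] for user in api_members}
    result = Reconciliation(expected=expected, returned=returned)
    result.extra = returned - expected
    result.missing = expected - returned
    result.service_accounts = {
        user["id"]: user["username"] for user in api_members if is_service_account(user)
    }
    return result


# Constructed sample data. The org id is the one from the request URL in the
# report; the user ids and usernames are made up for the example.
ORG_ID = "3c2cb198-a597-4238-b31a-db3bccb4c421"
SAMPLE_API_MEMBERS = [
    {"id": "u-1", "username": "alice", "enabled": True},
    {"id": "u-2", "username": "bob", "enabled": True},
    # A client's service account showing up in the member list, as in the report.
    {"id": "sa-1", "username": "service-account-my-client",
     "serviceAccountClientId": "my-client", "enabled": True},
]
SAMPLE_MEMBER_ROWS = [
    {"ORGANIZATION_ID": ORG_ID, "USER_ID": "u-1"},
    {"ORGANIZATION_ID": ORG_ID, "USER_ID": "u-2"},
    {"ORGANIZATION_ID": "some-other-org", "USER_ID": "u-3"},
]


if __name__ == "__main__":
    r = reconcile(ORG_ID, SAMPLE_API_MEMBERS, SAMPLE_MEMBER_ROWS)
    print(f"consistent: {r.consistent}")
    for uid in sorted(r.extra):
        tag = " (service account)" if uid in r.service_accounts else ""
        print(f"returned without ORGANIZATION_MEMBER row: {uid}{tag}")
    for uid in sorted(r.missing):
        print(f"ORGANIZATION_MEMBER row not returned: {uid}")
```

Run against real data by loading the JSON body of the members request and the exported table rows into the two lists; an `extra` id that is also in `service_accounts` is exactly the situation described in this issue, while a non-service-account id in `extra` or anything in `missing` would point at a different problem.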

xgp commented 1 year ago

Closing pending detail to recreate the bug. Please reopen with comprehensive information about how to reproduce.

splatch commented 1 year ago

Sorry for not bringing additional information. I'll try to make a reproducer in an isolated environment and re-open the issue if needed. From a database point of view I was able to confirm that the SQL queries and materialized Hibernate entities were in line with the membership, but the API answer was not.