NikMashei
commented
3 years ago @toddas Maybe your problem refers to this error in flow? Did you to try put 'Require Group' on different level?
Open toddas opened 3 years ago
NikMashei
commented
3 years ago @toddas Maybe your problem refers to this error in flow? Did you to try put 'Require Group' on different level?
jsalatiel
commented
3 years ago @toddas I use a different flow.
Although I can see the expected behaviour when users not in "test" group can not login, I do not like that I do not see in the debug logs the message I expect reading the source code. The message I expect in logs is:
But this is what I get: ( similar to yours )
23:35:55,771 DEBUG [org.keycloak.authentication.DefaultAuthenticationFlow] (default task-27) action: auth-username-password-form
23:35:55,791 DEBUG [org.keycloak.authentication.DefaultAuthenticationFlow] (default task-27) authenticator SUCCESS: auth-username-password-form
23:35:55,791 DEBUG [org.keycloak.authentication.DefaultAuthenticationFlow] (default task-27) check execution: 'test forms flow', requirement: 'ALTERNATIVE'
23:35:55,791 DEBUG [org.keycloak.authentication.DefaultAuthenticationFlow] (default task-27) processFlow: test forms
23:35:55,791 DEBUG [org.keycloak.authentication.DefaultAuthenticationFlow] (default task-27) check execution: 'auth-username-password-form', requirement: 'REQUIRED'
23:35:55,791 DEBUG [org.keycloak.authentication.DefaultAuthenticationFlow] (default task-27) execution 'auth-username-password-form' is processed
23:35:55,792 DEBUG [org.keycloak.authentication.DefaultAuthenticationFlow] (default task-27) check execution: 'require-group', requirement: 'REQUIRED'
23:35:55,792 DEBUG [org.keycloak.authentication.DefaultAuthenticationFlow] (default task-27) authenticator: require-group
23:35:55,792 DEBUG [org.keycloak.authentication.AuthenticationSelectionResolver] (default task-27) Selections when trying execution 'require-group' : [ authSelection - require-group]
23:35:55,792 DEBUG [org.keycloak.authentication.DefaultAuthenticationFlow] (default task-27) invoke authenticator.authenticate: require-group
23:35:55,792 WARN [org.keycloak.events] (default task-27) type=LOGIN_ERROR, realmId=master, clientId=debug, userId=null, ipAddress=192.168.254.1, error=rejected_by_user, auth_method=openid-connect, auth_type=code, redirect_uri=https://oidcdebugger.com/debug, code_id=9e745c63-f1c3-4231-8f7d-a31693431371, username=test, authSessionParentId=9e745c63-f1c3-4231-8f7d-a31693431371, authSessionTabId=MD3FhYI0KiEAnd this is what I get when the user IS in the group:
23:37:23,627 DEBUG [org.keycloak.authentication.DefaultAuthenticationFlow] (default task-30) action: auth-username-password-form
23:37:23,646 DEBUG [org.keycloak.authentication.DefaultAuthenticationFlow] (default task-30) authenticator SUCCESS: auth-username-password-form
23:37:23,646 DEBUG [org.keycloak.authentication.DefaultAuthenticationFlow] (default task-30) check execution: 'test forms flow', requirement: 'ALTERNATIVE'
23:37:23,646 DEBUG [org.keycloak.authentication.DefaultAuthenticationFlow] (default task-30) processFlow: test forms
23:37:23,646 DEBUG [org.keycloak.authentication.DefaultAuthenticationFlow] (default task-30) check execution: 'auth-username-password-form', requirement: 'REQUIRED'
23:37:23,646 DEBUG [org.keycloak.authentication.DefaultAuthenticationFlow] (default task-30) execution 'auth-username-password-form' is processed
23:37:23,647 DEBUG [org.keycloak.authentication.DefaultAuthenticationFlow] (default task-30) check execution: 'require-group', requirement: 'REQUIRED'
23:37:23,647 DEBUG [org.keycloak.authentication.DefaultAuthenticationFlow] (default task-30) authenticator: require-group
23:37:23,647 DEBUG [org.keycloak.authentication.AuthenticationSelectionResolver] (default task-30) Selections when trying execution 'require-group' : [ authSelection - require-group]
23:37:23,647 DEBUG [org.keycloak.authentication.DefaultAuthenticationFlow] (default task-30) invoke authenticator.authenticate: require-group
23:37:23,647 DEBUG [org.keycloak.authentication.DefaultAuthenticationFlow] (default task-30) authenticator SUCCESS: require-group
23:37:23,647 DEBUG [org.keycloak.authentication.DefaultAuthenticationFlow] (default task-30) Flow 'test forms flow' successfully finished
23:37:23,647 DEBUG [org.keycloak.authentication.DefaultAuthenticationFlow] (default task-30) processFlow: testI am still debugging, but if anyone can lead me to the right place to understand this behaviour I would be glad.
NikMashei
commented
3 years ago @toddas I use a different flow.
Although I can see the expected behaviour when users not in "test" group can not login, I do not like that I do not see in the debug logs the message I expect reading the source code. The message I expect in logs is:
But this is what I get: ( similar to yours )
23:35:55,771 DEBUG [org.keycloak.authentication.DefaultAuthenticationFlow] (default task-27) action: auth-username-password-form 23:35:55,791 DEBUG [org.keycloak.authentication.DefaultAuthenticationFlow] (default task-27) authenticator SUCCESS: auth-username-password-form 23:35:55,791 DEBUG [org.keycloak.authentication.DefaultAuthenticationFlow] (default task-27) check execution: 'test forms flow', requirement: 'ALTERNATIVE' 23:35:55,791 DEBUG [org.keycloak.authentication.DefaultAuthenticationFlow] (default task-27) processFlow: test forms 23:35:55,791 DEBUG [org.keycloak.authentication.DefaultAuthenticationFlow] (default task-27) check execution: 'auth-username-password-form', requirement: 'REQUIRED' 23:35:55,791 DEBUG [org.keycloak.authentication.DefaultAuthenticationFlow] (default task-27) execution 'auth-username-password-form' is processed 23:35:55,792 DEBUG [org.keycloak.authentication.DefaultAuthenticationFlow] (default task-27) check execution: 'require-group', requirement: 'REQUIRED' 23:35:55,792 DEBUG [org.keycloak.authentication.DefaultAuthenticationFlow] (default task-27) authenticator: require-group 23:35:55,792 DEBUG [org.keycloak.authentication.AuthenticationSelectionResolver] (default task-27) Selections when trying execution 'require-group' : [ authSelection - require-group] 23:35:55,792 DEBUG [org.keycloak.authentication.DefaultAuthenticationFlow] (default task-27) invoke authenticator.authenticate: require-group 23:35:55,792 WARN [org.keycloak.events] (default task-27) type=LOGIN_ERROR, realmId=master, clientId=debug, userId=null, ipAddress=192.168.254.1, error=rejected_by_user, auth_method=openid-connect, auth_type=code, redirect_uri=https://oidcdebugger.com/debug, code_id=9e745c63-f1c3-4231-8f7d-a31693431371, username=test, authSessionParentId=9e745c63-f1c3-4231-8f7d-a31693431371, authSessionTabId=MD3FhYI0KiEAnd this is what I get when the user IS in the group:
23:37:23,627 DEBUG [org.keycloak.authentication.DefaultAuthenticationFlow] (default task-30) action: auth-username-password-form 23:37:23,646 DEBUG [org.keycloak.authentication.DefaultAuthenticationFlow] (default task-30) authenticator SUCCESS: auth-username-password-form 23:37:23,646 DEBUG [org.keycloak.authentication.DefaultAuthenticationFlow] (default task-30) check execution: 'test forms flow', requirement: 'ALTERNATIVE' 23:37:23,646 DEBUG [org.keycloak.authentication.DefaultAuthenticationFlow] (default task-30) processFlow: test forms 23:37:23,646 DEBUG [org.keycloak.authentication.DefaultAuthenticationFlow] (default task-30) check execution: 'auth-username-password-form', requirement: 'REQUIRED' 23:37:23,646 DEBUG [org.keycloak.authentication.DefaultAuthenticationFlow] (default task-30) execution 'auth-username-password-form' is processed 23:37:23,647 DEBUG [org.keycloak.authentication.DefaultAuthenticationFlow] (default task-30) check execution: 'require-group', requirement: 'REQUIRED' 23:37:23,647 DEBUG [org.keycloak.authentication.DefaultAuthenticationFlow] (default task-30) authenticator: require-group 23:37:23,647 DEBUG [org.keycloak.authentication.AuthenticationSelectionResolver] (default task-30) Selections when trying execution 'require-group' : [ authSelection - require-group] 23:37:23,647 DEBUG [org.keycloak.authentication.DefaultAuthenticationFlow] (default task-30) invoke authenticator.authenticate: require-group 23:37:23,647 DEBUG [org.keycloak.authentication.DefaultAuthenticationFlow] (default task-30) authenticator SUCCESS: require-group 23:37:23,647 DEBUG [org.keycloak.authentication.DefaultAuthenticationFlow] (default task-30) Flow 'test forms flow' successfully finished 23:37:23,647 DEBUG [org.keycloak.authentication.DefaultAuthenticationFlow] (default task-30) processFlow: testI am still debugging, but if anyone can lead me to the right place to understand this behaviour I would be glad.
I highly recommend you to 'override' behavior when user is not in group. It allows you to see auth error in your browser.
if (!isMemberOfGroup(realm, user, groupPath)) {
String errorMessage = "Access denied because of missing group membership. realm=%s username=%s groupPath=%s";
LOG.debugf(errorMessage, realm.getName(), user.getUsername(), groupPath);
Response errorResponse = context.form()
.setError(errorMessage, null)
.createForm("error.ftl");
context.failure(AuthenticationFlowError.INVALID_USER, errorResponse);
return;
}
Hi after I set up my required group it lets me log in without the group anyway. I am getting this warning WARN [org.keycloak.events] (default task-1163) type=LOGIN_ERROR, realmId=realmname, clientId=clientid, userId=null, ipAddress=localipadress, error=rejected_by_user, auth_method=saml, redirect_uri=realm/sso/auth/samlp, code_id=560cd383-5c91-497b-89e1-213516516, username=myusername, authSessionParentId=213213132-5c91-497b-89e1-4dfd11a0c332, authSessionTabId=1321321321
Please help I am using this flow:
Thank you in advance I am using 10.0.1 in standalone mode