
Comments (3)

NikMashei commented on July 17, 2024

@toddas I use a different flow.

image

Although I can see the expected behaviour, where users not in the "test" group cannot log in, I do not like that I do not see in the debug logs the message I expect from reading the source code. The message I expect in the logs is:

image

But this is what I get (similar to yours):

23:35:55,771 DEBUG [org.keycloak.authentication.DefaultAuthenticationFlow] (default task-27) action: auth-username-password-form
23:35:55,791 DEBUG [org.keycloak.authentication.DefaultAuthenticationFlow] (default task-27) authenticator SUCCESS: auth-username-password-form
23:35:55,791 DEBUG [org.keycloak.authentication.DefaultAuthenticationFlow] (default task-27) check execution: 'test forms flow', requirement: 'ALTERNATIVE'
23:35:55,791 DEBUG [org.keycloak.authentication.DefaultAuthenticationFlow] (default task-27) processFlow: test forms
23:35:55,791 DEBUG [org.keycloak.authentication.DefaultAuthenticationFlow] (default task-27) check execution: 'auth-username-password-form', requirement: 'REQUIRED'
23:35:55,791 DEBUG [org.keycloak.authentication.DefaultAuthenticationFlow] (default task-27) execution 'auth-username-password-form' is processed
23:35:55,792 DEBUG [org.keycloak.authentication.DefaultAuthenticationFlow] (default task-27) check execution: 'require-group', requirement: 'REQUIRED'
23:35:55,792 DEBUG [org.keycloak.authentication.DefaultAuthenticationFlow] (default task-27) authenticator: require-group
23:35:55,792 DEBUG [org.keycloak.authentication.AuthenticationSelectionResolver] (default task-27) Selections when trying execution 'require-group' : [ authSelection - require-group]
23:35:55,792 DEBUG [org.keycloak.authentication.DefaultAuthenticationFlow] (default task-27) invoke authenticator.authenticate: require-group
23:35:55,792 WARN  [org.keycloak.events] (default task-27) type=LOGIN_ERROR, realmId=master, clientId=debug, userId=null, ipAddress=192.168.254.1, error=rejected_by_user, auth_method=openid-connect, auth_type=code, redirect_uri=https://oidcdebugger.com/debug, code_id=9e745c63-f1c3-4231-8f7d-a31693431371, username=test, authSessionParentId=9e745c63-f1c3-4231-8f7d-a31693431371, authSessionTabId=MD3FhYI0KiE

And this is what I get when the user IS in the group:

23:37:23,627 DEBUG [org.keycloak.authentication.DefaultAuthenticationFlow] (default task-30) action: auth-username-password-form
23:37:23,646 DEBUG [org.keycloak.authentication.DefaultAuthenticationFlow] (default task-30) authenticator SUCCESS: auth-username-password-form
23:37:23,646 DEBUG [org.keycloak.authentication.DefaultAuthenticationFlow] (default task-30) check execution: 'test forms flow', requirement: 'ALTERNATIVE'
23:37:23,646 DEBUG [org.keycloak.authentication.DefaultAuthenticationFlow] (default task-30) processFlow: test forms
23:37:23,646 DEBUG [org.keycloak.authentication.DefaultAuthenticationFlow] (default task-30) check execution: 'auth-username-password-form', requirement: 'REQUIRED'
23:37:23,646 DEBUG [org.keycloak.authentication.DefaultAuthenticationFlow] (default task-30) execution 'auth-username-password-form' is processed
23:37:23,647 DEBUG [org.keycloak.authentication.DefaultAuthenticationFlow] (default task-30) check execution: 'require-group', requirement: 'REQUIRED'
23:37:23,647 DEBUG [org.keycloak.authentication.DefaultAuthenticationFlow] (default task-30) authenticator: require-group
23:37:23,647 DEBUG [org.keycloak.authentication.AuthenticationSelectionResolver] (default task-30) Selections when trying execution 'require-group' : [ authSelection - require-group]
23:37:23,647 DEBUG [org.keycloak.authentication.DefaultAuthenticationFlow] (default task-30) invoke authenticator.authenticate: require-group
23:37:23,647 DEBUG [org.keycloak.authentication.DefaultAuthenticationFlow] (default task-30) authenticator SUCCESS: require-group
23:37:23,647 DEBUG [org.keycloak.authentication.DefaultAuthenticationFlow] (default task-30) Flow 'test forms flow' successfully finished
23:37:23,647 DEBUG [org.keycloak.authentication.DefaultAuthenticationFlow] (default task-30) processFlow: test

I am still debugging, but if anyone can lead me to the right place to understand this behaviour I would be glad.

I highly recommend that you 'override' the behavior when the user is not in the group. It allows you to see the auth error in your browser.

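if (!isMemberOfGroup(realm, user, groupPath)) {
    String errorMessage = "Access denied because of missing group membership. realm=%s username=%s groupPath=%s";
    // Server-side debug log: debugf fills in the %s placeholders.
    LOG.debugf(errorMessage, realm.getName(), user.getUsername(), groupPath);
    // Build the error page for the browser; the same template is passed to setError unformatted.
    Response errorResponse = context.form()
            .setError(errorMessage, null)
            .createForm("error.ftl");
    // Fail this execution and return the error page to the browser.
    context.failure(AuthenticationFlowError.INVALID_USER, errorResponse);
    return;
}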

from keycloak-extension-playground.
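In the denied-login excerpt quoted above, the only trace of the rejection is the `LOGIN_ERROR` event logged right after `invoke authenticator.authenticate: require-group` on the same worker thread. The following is an added example, not part of the thread or of keycloak-extension-playground, that attributes each `LOGIN_ERROR` to the authenticator that was invoked on that thread and never reported SUCCESS. The function names are this example's own, and it assumes the event is logged on the same thread as the flow's debug lines, as in the excerpts.

```python
import re

LINE_RE = re.compile(
    r"^(?P<ts>\d\d:\d\d:\d\d,\d{3})\s+(?P<level>[A-Z]+)\s+"
    r"\[(?P<logger>[^\]]+)\]\s+\((?P<thread>[^)]+)\)\s+(?P<msg>.*)$"
)
INVOKE = "invoke authenticator.authenticate: "
SUCCESS = "authenticator SUCCESS: "

# A subset of the lines from the two log excerpts in the thread above.
SAMPLE_LOG = """\
23:35:55,791 DEBUG [org.keycloak.authentication.DefaultAuthenticationFlow] (default task-27) authenticator SUCCESS: auth-username-password-form
23:35:55,792 DEBUG [org.keycloak.authentication.DefaultAuthenticationFlow] (default task-27) invoke authenticator.authenticate: require-group
23:35:55,792 WARN  [org.keycloak.events] (default task-27) type=LOGIN_ERROR, realmId=master, clientId=debug, userId=null, ipAddress=192.168.254.1, error=rejected_by_user, auth_method=openid-connect, auth_type=code, redirect_uri=https://oidcdebugger.com/debug, code_id=9e745c63-f1c3-4231-8f7d-a31693431371, username=test, authSessionParentId=9e745c63-f1c3-4231-8f7d-a31693431371, authSessionTabId=MD3FhYI0KiE
23:37:23,647 DEBUG [org.keycloak.authentication.DefaultAuthenticationFlow] (default task-30) invoke authenticator.authenticate: require-group
23:37:23,647 DEBUG [org.keycloak.authentication.DefaultAuthenticationFlow] (default task-30) authenticator SUCCESS: require-group
"""

def parse_event(msg):
    """Split 'k=v, k=v' event text into a dict (values here contain no ', ')."""
    return dict(p.split("=", 1) for p in msg.split(", ") if "=" in p)

def attribute_login_errors(log_text):
    """Pair each LOGIN_ERROR event with the authenticator that was invoked on
    the same worker thread and had not yet reported SUCCESS."""
    pending = {}   # thread -> authenticator invoked but not finished
    findings = []
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw)
        if not m:
            continue  # skip lines that are not in the server log format
        thread, msg = m["thread"], m["msg"]
        if msg.startswith(INVOKE):
            pending[thread] = msg[len(INVOKE):]
        elif msg.startswith(SUCCESS):
            if pending.get(thread) == msg[len(SUCCESS):]:
                del pending[thread]
        elif m["logger"] == "org.keycloak.events":
            event = parse_event(msg)
            if event.get("type") == "LOGIN_ERROR":
                findings.append({
                    "time": m["ts"], "thread": thread,
                    "authenticator": pending.pop(thread, None),
                    "error": event.get("error"), "username": event.get("username"),
                })
    return findings

if __name__ == "__main__":
    print(attribute_login_errors(SAMPLE_LOG))
```
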

NikMashei commented on July 17, 2024

@toddas
Maybe your problem refers to this error in the flow? Did you try to put 'Require Group' on a different level?


jsalatiel commented on July 17, 2024

@toddas I use a different flow.

image

Although I can see the expected behaviour, where users not in the "test" group cannot log in, I do not like that I do not see in the debug logs the message I expect from reading the source code. The message I expect in the logs is:

image

But this is what I get (similar to yours):

23:35:55,771 DEBUG [org.keycloak.authentication.DefaultAuthenticationFlow] (default task-27) action: auth-username-password-form
23:35:55,791 DEBUG [org.keycloak.authentication.DefaultAuthenticationFlow] (default task-27) authenticator SUCCESS: auth-username-password-form
23:35:55,791 DEBUG [org.keycloak.authentication.DefaultAuthenticationFlow] (default task-27) check execution: 'test forms flow', requirement: 'ALTERNATIVE'
23:35:55,791 DEBUG [org.keycloak.authentication.DefaultAuthenticationFlow] (default task-27) processFlow: test forms
23:35:55,791 DEBUG [org.keycloak.authentication.DefaultAuthenticationFlow] (default task-27) check execution: 'auth-username-password-form', requirement: 'REQUIRED'
23:35:55,791 DEBUG [org.keycloak.authentication.DefaultAuthenticationFlow] (default task-27) execution 'auth-username-password-form' is processed
23:35:55,792 DEBUG [org.keycloak.authentication.DefaultAuthenticationFlow] (default task-27) check execution: 'require-group', requirement: 'REQUIRED'
23:35:55,792 DEBUG [org.keycloak.authentication.DefaultAuthenticationFlow] (default task-27) authenticator: require-group
23:35:55,792 DEBUG [org.keycloak.authentication.AuthenticationSelectionResolver] (default task-27) Selections when trying execution 'require-group' : [ authSelection - require-group]
23:35:55,792 DEBUG [org.keycloak.authentication.DefaultAuthenticationFlow] (default task-27) invoke authenticator.authenticate: require-group
23:35:55,792 WARN  [org.keycloak.events] (default task-27) type=LOGIN_ERROR, realmId=master, clientId=debug, userId=null, ipAddress=192.168.254.1, error=rejected_by_user, auth_method=openid-connect, auth_type=code, redirect_uri=https://oidcdebugger.com/debug, code_id=9e745c63-f1c3-4231-8f7d-a31693431371, username=test, authSessionParentId=9e745c63-f1c3-4231-8f7d-a31693431371, authSessionTabId=MD3FhYI0KiE

And this is what I get when the user IS in the group:

23:37:23,627 DEBUG [org.keycloak.authentication.DefaultAuthenticationFlow] (default task-30) action: auth-username-password-form
23:37:23,646 DEBUG [org.keycloak.authentication.DefaultAuthenticationFlow] (default task-30) authenticator SUCCESS: auth-username-password-form
23:37:23,646 DEBUG [org.keycloak.authentication.DefaultAuthenticationFlow] (default task-30) check execution: 'test forms flow', requirement: 'ALTERNATIVE'
23:37:23,646 DEBUG [org.keycloak.authentication.DefaultAuthenticationFlow] (default task-30) processFlow: test forms
23:37:23,646 DEBUG [org.keycloak.authentication.DefaultAuthenticationFlow] (default task-30) check execution: 'auth-username-password-form', requirement: 'REQUIRED'
23:37:23,646 DEBUG [org.keycloak.authentication.DefaultAuthenticationFlow] (default task-30) execution 'auth-username-password-form' is processed
23:37:23,647 DEBUG [org.keycloak.authentication.DefaultAuthenticationFlow] (default task-30) check execution: 'require-group', requirement: 'REQUIRED'
23:37:23,647 DEBUG [org.keycloak.authentication.DefaultAuthenticationFlow] (default task-30) authenticator: require-group
23:37:23,647 DEBUG [org.keycloak.authentication.AuthenticationSelectionResolver] (default task-30) Selections when trying execution 'require-group' : [ authSelection - require-group]
23:37:23,647 DEBUG [org.keycloak.authentication.DefaultAuthenticationFlow] (default task-30) invoke authenticator.authenticate: require-group
23:37:23,647 DEBUG [org.keycloak.authentication.DefaultAuthenticationFlow] (default task-30) authenticator SUCCESS: require-group
23:37:23,647 DEBUG [org.keycloak.authentication.DefaultAuthenticationFlow] (default task-30) Flow 'test forms flow' successfully finished
23:37:23,647 DEBUG [org.keycloak.authentication.DefaultAuthenticationFlow] (default task-30) processFlow: test

I am still debugging, but if anyone can lead me to the right place to understand this behaviour I would be glad.

