Admin user/password from environment variables is broken #10421

Closed
Brezensalzer opened this issue Feb 23, 2022 · 10 comments
Labels
area/dist/quarkus kind/bug Categorizes a PR related to a bug

Comments

@Brezensalzer

Describe the bug

Version 17.0.0 Quarkus
Platform: OpenShift 4.x
Database: Postgresql (EDB) 12.x

When deploying keycloak in OpenShift, the admin user/password - as specified by KEYCLOAK_ADMIN/KEYCLOAK_ADMIN_PASSWORD environment variables - is saved with an additional character in the database. A login on the security console is not possible. The log says unknown user.

E.g. when using admin/admin, a check in the database gives no result:
select * from users_entity where username='admin'
But
select * from users_entity where username like 'admin%' gives a result.

Version

17.0.0

Expected behavior

login with admin_user/password is possible

Actual behavior

login is not possible, "unknown user"

How to Reproduce?

Deploy keycloak 17.0.0 in OpenShift or Kubernetes and set KEYCLOAK_ADMIN and KEYCLOAK_ADMIN_PASSWORD to initial values.

Anything else?

No problems at all with 17.0.0-legacy.

@Brezensalzer Brezensalzer added kind/bug Categorizes a PR related to a bug status/triage labels Feb 23, 2022
@Brezensalzer
Author

Additional infos:

  • I have deployed keycloak-17.0.0-legacy with admin user/password
  • I've deleted the keycloak deployment but not the database
  • I deployed keycloak-17.0.0 (quarkus) with the existing database
  • During startup there is the log message "user admin already exists"
  • I can login to the security-console

So while checking if the user exists, there seems to be no additional character at the username "admin".

Hope this helps.

@DGuhr
Contributor

DGuhr commented Mar 10, 2022

That's really weird. I've just overhauled the OpenShift quickstart, and deploying the YAML to CRC (OpenShift 4.7) worked like a charm. Also logging in with the credentials set by env vars, for sure. Also @andreaTP and @vmuzikar are using minikube for the operator tests afaik and it works there. So my best guess is this has sth to do with the local environment of yours, but not sure without more info. Would be great if you could show us e.g. configuration / YAML / or more generally give us steps to reproduce this. Thank you.

@andreaTP
Contributor

Hi @Brezensalzer ,

I have just developed integration tests on this subject, you can have a look on those here: #10661

The KEYCLOAK_ADMIN/KEYCLOAK_ADMIN_PASSWORD feature works as follows:

  • if an admin user has already been created, those env vars are ignored
  • if an admin doesn't exist, it will be created with the exact string injected in the environment variables

The only additional question I have is about special characters, given e.g. #9519 you might need to properly escape special characters.
Can you please double-check that using plain alphanumeric characters works as expected in your environment?

@Brezensalzer
Author

Thank You for your answers!
I'm at home now (Corona...) and will have a deeper look next week.

@andreaTP
I have tested it with a trivial username/password combination, so there are no special characters included.

@andreaTP
Contributor

@Brezensalzer have a quick recovery!

In this case everything should work and is tested in CI, if it doesn't, we should find the missing invariant.
Let me know when you are able to get back on this, thanks!

@Brezensalzer
Author

Mystery solved...

It depends on how the secret (base64 string) for OpenShift is created on the Linux shell:

$ echo 'admin' |base64
YWRtaW4K

The base64 string does contain a '\n' which was inserted by the echo command!

$ echo -n 'admin' |base64
YWRtaW4=

The echo option "-n" omits the '\n'; the base64 string is now correct.
You won't see any difference in the OpenShift WebGUI...

  • So keycloak/wildfly obviously does some sanity checks on the environment variables, truncates trailing "\n" characters and works.
  • keycloak/quarkus does not.

This different behavior is not a bug, but it should be documented to warn others about this nasty pitfall...
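A pre-deployment check for the pitfall described in the comment above, as an added example that is not part of the original thread or of the Keycloak project. The function names, the Secret name `keycloak-admin` and the sample manifest are constructed for illustration; it assumes a `base64` that accepts `-d`.

```shell
#!/bin/sh
# Added example: catch Secret values whose decoded form ends in whitespace.

# Encode exactly the bytes given; printf '%s' never appends a newline.
encode_secret() { printf '%s' "$1" | base64; }

# Hex of the last decoded byte. Command substitution would strip a trailing
# newline from the decoded text, so inspect the byte itself.
last_byte_hex() {
    printf '%s' "$1" | base64 -d | tail -c 1 | od -An -tx1 | tr -d ' \n'
}

# Succeeds only if the decoded value is non-empty and does not end in
# LF, CR, space or tab.
check_value() {
    case "$(last_byte_hex "$1")" in
        0a|0d|20|09) echo "trailing-whitespace"; return 1 ;;
        "")          echo "empty-or-undecodable"; return 1 ;;
        *)           echo "ok"; return 0 ;;
    esac
}

# Constructed manifest: first value made with `echo`, second with `echo -n`.
sample_manifest() {
cat <<'EOF'
apiVersion: v1
kind: Secret
metadata:
  name: keycloak-admin
data:
  KEYCLOAK_ADMIN: YWRtaW4K
  KEYCLOAK_ADMIN_PASSWORD: YWRtaW4=
EOF
}

# Read a Secret manifest on stdin; print each data key that fails check_value.
audit_manifest() {
    in_data=0
    while IFS= read -r line; do
        case "$line" in
            data:*) in_data=1; continue ;;
            " "*)   ;;                      # indented: still inside current block
            *)      in_data=0 ;;            # any other top-level key ends data:
        esac
        [ "$in_data" -eq 1 ] || continue
        key=${line%%:*}; key=${key#"${key%%[! ]*}"}   # strip leading spaces
        if ! check_value "${line#*: }" >/dev/null; then echo "$key"; fi
    done
}

sample_manifest | audit_manifest
```

Run against the constructed manifest, it flags only `KEYCLOAK_ADMIN`, the value produced with plain `echo`.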

@andreaTP
Contributor

Thanks for the detailed explanation @Brezensalzer !

I do consider "preserving the \n" the most correct behaviour, are you following any guide we should update to avoid this pitfall?

@Brezensalzer
Author

@andreaTP
The documentation for keycloak/quarkus and kubernetes is rather sparse; I've found hints all over the web.
The closest would be https://www.keycloak.org/server/containers

"correct behavior" ... almost a philosophical question ;-)
Environment variables in Linux should never ever contain special characters in the first place.

@andreaTP
Contributor

@Brezensalzer do you agree in closing this issue?

@Brezensalzer
Author

Yes, of course. We can close this issue.
Thank you for your support!
