Localization GET endpoints of sub realms causes HTTP 500 unknown error when using a token issued by master realm #10656
Commits referencing this issue:
leischt added a commit to bosch-io/keycloak that referenced this issue, Mar 9, 2022: "…led using tokens issued by the master realm." (PR: #10660)
leischt added a commit to bosch-io/keycloak that referenced this issue, Jun 8, 2022
leischt added a commit to bosch-io/keycloak that referenced this issue, Jun 10, 2022
leischt added a commit to bosch-io/keycloak that referenced this issue, Jun 13, 2022
leischt added a commit to bosch-io/keycloak that referenced this issue, Jul 4, 2022: "…led using tokens issued by the master realm."
leischt added a commit to bosch-io/keycloak that referenced this issue, Jul 4, 2022
stianst pushed a commit that referenced this issue, Aug 25, 2022
leischt added a commit to bosch-io/keycloak that referenced this issue, Aug 25, 2022
sschu pushed a commit to bosch-io/keycloak that referenced this issue, Sep 5, 2022
sschu pushed a commit to bosch-io/keycloak that referenced this issue, Sep 5, 2022
Describe the bug
During the following code
AdminPermissions.realms(session, auth.adminAuth()).isAdmin()
the user's session is searched at the sub realm, even if the user has a token issued by the master realm. So the user session cannot be found and an NPE is thrown.
Version
15.0.2, 18-SNAPSHOT
Expected behavior
Localization GET endpoints should also be accessible with a token issued by the master realm.
Actual behavior
Returns status 500 with error message "unknown error".
How to Reproduce?
Important: don't use the clients security-admin-console or admin-cli to reproduce the issue, because the Admin API does not check the token content for these clients (it checks the actual user roles), so the bug does not occur in this case.
Get an access token for a user at the master realm with the role “manage-users”. Then call, with the provided access token, the following endpoints:
Anything else?
Relates to KEYCLOAK-17387 (PR 7940)
Proposed solution:
Change the role check to
auth.requireAnyAdminRole();
which does a similar role check but searches the user's session at the right realm. This is also more readable, imo 😊.