
Conflicting data returned for /users/id and /users endpoints when user is temporarily locked #11726

Closed
tsaarni opened this issue Apr 28, 2022 · 1 comment
Labels: area/admin/api, kind/bug

@tsaarni (Contributor)

tsaarni commented Apr 28, 2022

Describe the bug

The endpoints /users/id and /users return different results for the enabled field for the same user when the user is temporarily locked.

Version

16.0.0, 15.0.1

Expected behavior

Both the endpoints should return the same data for the same user.

Actual behavior

Fetching the user details via the /users?username=user endpoint wrongly returns enabled: true.

How to Reproduce?

  1. Enable brute force detection
  2. Create a user
  3. Repeatedly log in as the user with a wrong password until it gets locked

Getting the user details via the /users?username=user endpoint wrongly returns enabled: true:

$ curl -k -X GET -H "Authorization: Bearer $TOKEN" -H "Content-Type: application/json" \
    "$KC_URL/auth/admin/realms/master/users?username=user"

[
  {
    "id": "21daeda5-86bc-406d-a687-fa4231bc6b54",
    "createdTimestamp": 1631277330288,
    "username": "user",
    "enabled": true,
    "totp": false,
    "emailVerified": false,
    "disableableCredentialTypes": [],
    "requiredActions": [],
    "notBefore": 0,
    "access": {
      "manageGroupMembership": true,
      "view": true,
      "mapRoles": true,
      "impersonate": true,
      "manage": true
    }
  }
]

Getting the user details via the /users/id endpoint correctly returns enabled: false:

$ curl -k -X GET -H "Authorization: Bearer $TOKEN" -H "Content-Type: application/json" \
    "$KC_URL/auth/admin/realms/master/users/21daeda5-86bc-406d-a687-fa4231bc6b54"

{
  "id": "21daeda5-86bc-406d-a687-fa4231bc6b54",
  "createdTimestamp": 1631277330288,
  "username": "user",
  "enabled": false,
  "totp": false,
  "emailVerified": false,
  "disableableCredentialTypes": [],
  "requiredActions": [],
  "notBefore": 0,
  "access": {
    "manageGroupMembership": true,
    "view": true,
    "mapRoles": true,
    "impersonate": true,
    "manage": true
  }
}

Anything else?

This issue was migrated from https://issues.redhat.com/browse/KEYCLOAK-19273. It was originally created 2021/09/10 by @bhorkarg.
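
The following script is an added example for the report above; it is not code from the issue, its reporter, or the Keycloak project. It embeds the two responses quoted in the report (trimmed of the identical `access` object) as constructed sample data, so the comparison can be run offline, and it also knows how to run the same check against a live server. Assumptions: `KC_URL` already carries whatever path prefix your distribution needs (`/auth` for the legacy distribution shown in the report, nothing for Quarkus-based releases), `TOKEN` is an admin bearer token with view-users rights on the realm, and the `username` filter on `/users` is a substring search, so the script picks the exact match instead of trusting the first result.

```python
"""Compare the `enabled` flag Keycloak reports for one user through
/users?username=... and /users/{id}.  Added example, not project code."""
import json
import os
import sys
import urllib.parse
import urllib.request

# Constructed sample data: the two responses quoted in the issue body, taken
# while the user was temporarily locked by brute force detection.
LIST_RESPONSE = json.loads("""[
  {"id": "21daeda5-86bc-406d-a687-fa4231bc6b54", "createdTimestamp": 1631277330288,
   "username": "user", "enabled": true, "totp": false, "emailVerified": false,
   "disableableCredentialTypes": [], "requiredActions": [], "notBefore": 0}
]""")
BY_ID_RESPONSE = json.loads("""
  {"id": "21daeda5-86bc-406d-a687-fa4231bc6b54", "createdTimestamp": 1631277330288,
   "username": "user", "enabled": false, "totp": false, "emailVerified": false,
   "disableableCredentialTypes": [], "requiredActions": [], "notBefore": 0}
""")


def find_exact(users, username):
    """Return the entry whose username matches exactly, or None.

    Assumption: the username filter on /users is a substring search, so a
    query for "user" may also return "user2"; never take users[0] blindly.
    """
    for u in users:
        if u.get("username") == username:
            return u
    return None


def diff_user_views(list_entry, by_id_entry):
    """Return {field: (value_from_list, value_from_by_id)} for every field
    whose value differs between the two representations.  An empty dict
    means the two endpoints agree for this user."""
    keys = set(list_entry) | set(by_id_entry)
    return {
        k: (list_entry.get(k), by_id_entry.get(k))
        for k in sorted(keys)
        if list_entry.get(k) != by_id_entry.get(k)
    }


def admin_get(base_url, token, path):
    """GET an admin REST path below the base URL and decode the JSON body."""
    req = urllib.request.Request(
        base_url.rstrip("/") + path,
        headers={"Authorization": "Bearer " + token, "Accept": "application/json"},
    )
    with urllib.request.urlopen(req, timeout=10) as resp:
        return json.load(resp)


def check_user(base_url, token, realm, username):
    """Fetch the user through both endpoints and return (user_id, diff).

    While the two views disagree, treat /users/{id} as the authoritative
    source for `enabled` on a locked account, as the report does.
    """
    q = urllib.parse.quote
    listed = admin_get(base_url, token,
                       "/admin/realms/%s/users?username=%s" % (q(realm), q(username)))
    entry = find_exact(listed, username)
    if entry is None:
        raise LookupError("no user named %r in realm %r" % (username, realm))
    by_id = admin_get(base_url, token,
                      "/admin/realms/%s/users/%s" % (q(realm), entry["id"]))
    return entry["id"], diff_user_views(entry, by_id)


if __name__ == "__main__":
    # Offline: the embedded sample shows the discrepancy from the report.
    print("sample diff:", diff_user_views(find_exact(LIST_RESPONSE, "user"), BY_ID_RESPONSE))
    # Live: KC_URL and TOKEN as in the report; realm and username as arguments.
    if os.environ.get("KC_URL") and os.environ.get("TOKEN"):
        realm = sys.argv[1] if len(sys.argv) > 1 else "master"
        username = sys.argv[2] if len(sys.argv) > 2 else "user"
        uid, diff = check_user(os.environ["KC_URL"], os.environ["TOKEN"], realm, username)
        print("user %s: %s" % (uid, diff or "endpoints agree"))
```

Run it with no environment to see the sample diff `{'enabled': (True, False)}`; set `KC_URL` (with the `/auth` prefix if your server needs it) and `TOKEN` to compare a real user. Any non-empty diff means an admin tool or audit job that reads lock status from the list endpoint alone would miss the temporary lockout.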

@tsaarni (Contributor, Author)

tsaarni commented Dec 16, 2022

Closing as not planned.
#8432 (comment)

@tsaarni tsaarni closed this as completed Dec 16, 2022
@ghost ghost removed the status/triage label Dec 16, 2022
@stianst stianst added this to the 21.0.0 milestone Feb 21, 2023