
User session count limiter : Null pointer exception #12007

Closed
christopheblin opened this issue May 16, 2022 · 6 comments
Closed

Labels: area/authentication (Indicates an issue on Authentication area), kind/bug (Categorizes a PR related to a bug)

Comments

@christopheblin

christopheblin commented May 16, 2022

Describe the bug

After I activate the "new" user session limits, it is impossible to connect to keycloak

Version

18.0

Expected behavior

Should work :)

Actual behavior

I've made a video because it is hard to explain better than seeing the bug :)

Enregistrement.de.l.ecran.2022-05-16.a.13.mp4

The full exception

keycloak_1  | 2022-05-16 11:35:31,823 WARN  [org.keycloak.authentication.DefaultAuthenticationFlow] (executor-thread-24) REQUIRED and ALTERNATIVE elements at same level! Those alternative executions will be ignored: [auth-cookie, identity-provider-redirector, null]
keycloak_1  | 2022-05-16 11:35:31,823 WARN  [org.keycloak.services] (executor-thread-24) KC-SERVICES0013: Failed authentication: java.lang.NullPointerException
keycloak_1  |   at org.keycloak.authentication.authenticators.sessionlimits.UserSessionLimitsAuthenticator.authenticate(UserSessionLimitsAuthenticator.java:44)
keycloak_1  |   at org.keycloak.authentication.DefaultAuthenticationFlow.processSingleFlowExecutionModel(DefaultAuthenticationFlow.java:460)
keycloak_1  |   at org.keycloak.authentication.DefaultAuthenticationFlow.processFlow(DefaultAuthenticationFlow.java:264)
keycloak_1  |   at org.keycloak.authentication.AuthenticationProcessor.authenticateOnly(AuthenticationProcessor.java:1030)
keycloak_1  |   at org.keycloak.authentication.AuthenticationProcessor.authenticate(AuthenticationProcessor.java:892)
keycloak_1  |   at org.keycloak.protocol.AuthorizationEndpointBase.handleBrowserAuthenticationRequest(AuthorizationEndpointBase.java:151)
keycloak_1  |   at org.keycloak.protocol.oidc.endpoints.AuthorizationEndpoint.buildAuthorizationCodeAuthorizationResponse(AuthorizationEndpoint.java:338)
keycloak_1  |   at org.keycloak.protocol.oidc.endpoints.AuthorizationEndpoint.process(AuthorizationEndpoint.java:194)
keycloak_1  |   at org.keycloak.protocol.oidc.endpoints.AuthorizationEndpoint.buildGet(AuthorizationEndpoint.java:112)
keycloak_1  |   at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
keycloak_1  |   at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
keycloak_1  |   at java.base/jdk.internal.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
keycloak_1  |   at java.base/java.lang.reflect.Method.invoke(Method.java:566)
keycloak_1  |   at org.jboss.resteasy.core.MethodInjectorImpl.invoke(MethodInjectorImpl.java:170)
keycloak_1  |   at org.jboss.resteasy.core.MethodInjectorImpl.invoke(MethodInjectorImpl.java:130)
keycloak_1  |   at org.jboss.resteasy.core.ResourceMethodInvoker.internalInvokeOnTarget(ResourceMethodInvoker.java:660)
keycloak_1  |   at org.jboss.resteasy.core.ResourceMethodInvoker.invokeOnTargetAfterFilter(ResourceMethodInvoker.java:524)
keycloak_1  |   at org.jboss.resteasy.core.ResourceMethodInvoker.lambda$invokeOnTarget$2(ResourceMethodInvoker.java:474)
keycloak_1  |   at org.jboss.resteasy.core.interception.jaxrs.PreMatchContainerRequestContext.filter(PreMatchContainerRequestContext.java:364)
keycloak_1  |   at org.jboss.resteasy.core.ResourceMethodInvoker.invokeOnTarget(ResourceMethodInvoker.java:476)
keycloak_1  |   at org.jboss.resteasy.core.ResourceMethodInvoker.invoke(ResourceMethodInvoker.java:434)
keycloak_1  |   at org.jboss.resteasy.core.ResourceLocatorInvoker.invokeOnTargetObject(ResourceLocatorInvoker.java:192)
keycloak_1  |   at org.jboss.resteasy.core.ResourceLocatorInvoker.invoke(ResourceLocatorInvoker.java:152)
keycloak_1  |   at org.jboss.resteasy.core.ResourceLocatorInvoker.invokeOnTargetObject(ResourceLocatorInvoker.java:183)
keycloak_1  |   at org.jboss.resteasy.core.ResourceLocatorInvoker.invoke(ResourceLocatorInvoker.java:141)
keycloak_1  |   at org.jboss.resteasy.core.ResourceLocatorInvoker.invoke(ResourceLocatorInvoker.java:32)
keycloak_1  |   at org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:492)
keycloak_1  |   at org.jboss.resteasy.core.SynchronousDispatcher.lambda$invoke$4(SynchronousDispatcher.java:261)
keycloak_1  |   at org.jboss.resteasy.core.SynchronousDispatcher.lambda$preprocess$0(SynchronousDispatcher.java:161)
keycloak_1  |   at org.jboss.resteasy.core.interception.jaxrs.PreMatchContainerRequestContext.filter(PreMatchContainerRequestContext.java:364)
keycloak_1  |   at org.jboss.resteasy.core.SynchronousDispatcher.preprocess(SynchronousDispatcher.java:164)
keycloak_1  |   at org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:247)
keycloak_1  |   at io.quarkus.resteasy.runtime.standalone.RequestDispatcher.service(RequestDispatcher.java:73)
keycloak_1  |   at io.quarkus.resteasy.runtime.standalone.VertxRequestHandler.dispatch(VertxRequestHandler.java:151)
keycloak_1  |   at io.quarkus.resteasy.runtime.standalone.VertxRequestHandler.handle(VertxRequestHandler.java:82)
keycloak_1  |   at io.quarkus.resteasy.runtime.standalone.VertxRequestHandler.handle(VertxRequestHandler.java:42)
keycloak_1  |   at io.vertx.ext.web.impl.RouteState.handleContext(RouteState.java:1212)
keycloak_1  |   at io.vertx.ext.web.impl.RoutingContextImplBase.iterateNext(RoutingContextImplBase.java:163)
keycloak_1  |   at io.vertx.ext.web.impl.RoutingContextWrapper.next(RoutingContextWrapper.java:201)
keycloak_1  |   at io.quarkus.vertx.http.runtime.StaticResourcesRecorder$2.handle(StaticResourcesRecorder.java:67)
keycloak_1  |   at io.quarkus.vertx.http.runtime.StaticResourcesRecorder$2.handle(StaticResourcesRecorder.java:55)
keycloak_1  |   at io.vertx.ext.web.impl.RouteState.handleContext(RouteState.java:1212)
keycloak_1  |   at io.vertx.ext.web.impl.RoutingContextImplBase.iterateNext(RoutingContextImplBase.java:163)
keycloak_1  |   at io.vertx.ext.web.impl.RoutingContextWrapper.next(RoutingContextWrapper.java:201)
keycloak_1  |   at io.quarkus.vertx.http.runtime.VertxHttpRecorder$5.handle(VertxHttpRecorder.java:380)
keycloak_1  |   at io.quarkus.vertx.http.runtime.VertxHttpRecorder$5.handle(VertxHttpRecorder.java:358)
keycloak_1  |   at io.vertx.ext.web.impl.RouteState.handleContext(RouteState.java:1212)
keycloak_1  |   at io.vertx.ext.web.impl.RoutingContextImplBase.iterateNext(RoutingContextImplBase.java:163)
keycloak_1  |   at io.vertx.ext.web.impl.RoutingContextWrapper.next(RoutingContextWrapper.java:201)
keycloak_1  |   at org.keycloak.quarkus.runtime.integration.web.QuarkusRequestFilter.lambda$createBlockingHandler$1(QuarkusRequestFilter.java:71)
keycloak_1  |   at io.vertx.core.impl.ContextImpl.lambda$null$0(ContextImpl.java:159)
keycloak_1  |   at io.vertx.core.impl.AbstractContext.dispatch(AbstractContext.java:100)
keycloak_1  |   at io.vertx.core.impl.ContextImpl.lambda$executeBlocking$1(ContextImpl.java:157)
keycloak_1  |   at io.quarkus.vertx.core.runtime.VertxCoreRecorder$13.runWith(VertxCoreRecorder.java:543)
keycloak_1  |   at org.jboss.threads.EnhancedQueueExecutor$Task.run(EnhancedQueueExecutor.java:2449)
keycloak_1  |   at org.jboss.threads.EnhancedQueueExecutor$ThreadBody.run(EnhancedQueueExecutor.java:1478)
keycloak_1  |   at org.jboss.threads.DelegatingRunnable.run(DelegatingRunnable.java:29)
keycloak_1  |   at org.jboss.threads.ThreadLocalResettingRunnable.run(ThreadLocalResettingRunnable.java:29)
keycloak_1  |   at io.netty.util.concurrent.FastThreadLocalRunnable.run(FastThreadLocalRunnable.java:30)
keycloak_1  |   at java.base/java.lang.Thread.run(Thread.java:829)

How to Reproduce?

I'm using docker-compose with a postgres and a rabbitmq, but I think you can reproduce the bug simply by activating the "User session count limiter" on a Browser flow

Anything else?

@christopheblin christopheblin added the kind/bug and status/triage labels May 16, 2022
@christopheblin
Author

I navigated to the source code at UserSessionLimitsAuthenticator.java:44 and saw that

Map<String, String> config = authenticatorConfig.getConfig();

So I also tested with an associated config; the exception is different but the end result is the same.

Here is the video:

Enregistrement.de.l.ecran.2022-05-16.a.13.1.mp4
keycloak_1  | 2022-05-16 11:55:26,546 WARN  [org.keycloak.events] (executor-thread-4) type=LOGIN_ERROR, realmId=master, clientId=security-admin-console, userId=null, ipAddress=172.21.0.1, error=invalid_user_credentials, auth_method=openid-connect, auth_type=code, response_type=code, redirect_uri=http://localhost:9000/auth/admin/master/console/#/realms/master/authentication/flows/Browser%20Maasify, code_id=744accd7-d0e1-4190-9b4d-2557871a3530, response_mode=fragment, authSessionParentId=744accd7-d0e1-4190-9b4d-2557871a3530, authSessionTabId=FCA-t3wVC_A
keycloak_1  | 2022-05-16 11:55:26,442 WARN  [org.keycloak.services] (executor-thread-4) KC-SERVICES0013: Failed authentication: org.keycloak.authentication.AuthenticationFlowException
keycloak_1  |   at org.keycloak.authentication.AuthenticationProcessor.authenticateOnly(AuthenticationProcessor.java:1038)
keycloak_1  |   at org.keycloak.authentication.AuthenticationProcessor.authenticate(AuthenticationProcessor.java:892)
keycloak_1  |   at org.keycloak.protocol.AuthorizationEndpointBase.handleBrowserAuthenticationRequest(AuthorizationEndpointBase.java:151)
keycloak_1  |   at org.keycloak.protocol.oidc.endpoints.AuthorizationEndpoint.buildAuthorizationCodeAuthorizationResponse(AuthorizationEndpoint.java:338)
keycloak_1  |   at org.keycloak.protocol.oidc.endpoints.AuthorizationEndpoint.process(AuthorizationEndpoint.java:194)
keycloak_1  |   at org.keycloak.protocol.oidc.endpoints.AuthorizationEndpoint.buildGet(AuthorizationEndpoint.java:112)
keycloak_1  |   at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
keycloak_1  |   at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
keycloak_1  |   at java.base/jdk.internal.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
keycloak_1  |   at java.base/java.lang.reflect.Method.invoke(Method.java:566)

@christopheblin
Author

Finally, if I activate debug log level, I can see something very very strange because the user-session-limits seems to be working (I can see "authenticator SUCCESS: user-session-limits") BUT the authentication still does not work (and I cannot find a way to do anything except deleting the docker container to move on)

keycloak_1  | 2022-05-16 12:08:40,829 WARN  [org.keycloak.authentication.DefaultAuthenticationFlow] (executor-thread-6) REQUIRED and ALTERNATIVE elements at same level! Those alternative executions will be ignored: [auth-cookie, identity-provider-redirector, null]
keycloak_1  | 2022-05-16 12:08:40,829 DEBUG [org.keycloak.authentication.DefaultAuthenticationFlow] (executor-thread-6) check execution: 'user-session-limits', requirement: 'REQUIRED'
keycloak_1  | 2022-05-16 12:08:40,829 DEBUG [org.keycloak.authentication.DefaultAuthenticationFlow] (executor-thread-6) authenticator: user-session-limits
keycloak_1  | 2022-05-16 12:08:40,829 DEBUG [org.keycloak.authentication.AuthenticationSelectionResolver] (executor-thread-6) Selections when trying execution 'user-session-limits' : [ authSelection - user-session-limits]
keycloak_1  | 2022-05-16 12:08:40,829 DEBUG [org.keycloak.authentication.DefaultAuthenticationFlow] (executor-thread-6) invoke authenticator.authenticate: user-session-limits
keycloak_1  | 2022-05-16 12:08:40,829 DEBUG [org.keycloak.authentication.DefaultAuthenticationFlow] (executor-thread-6) authenticator SUCCESS: user-session-limits
keycloak_1  | 2022-05-16 12:08:40,830 DEBUG [org.keycloak.authentication.DefaultAuthenticationFlow] (executor-thread-6) Authentication successful of the top flow 'Browser Maasify'
keycloak_1  | 2022-05-16 12:08:40,834 WARN  [org.keycloak.services] (executor-thread-6) KC-SERVICES0013: Failed authentication: org.keycloak.authentication.AuthenticationFlowException
keycloak_1  |   at org.keycloak.authentication.AuthenticationProcessor.authenticateOnly(AuthenticationProcessor.java:1038)
keycloak_1  |   at org.keycloak.authentication.AuthenticationProcessor.authenticate(AuthenticationProcessor.java:892)
keycloak_1  |   at org.keycloak.protocol.AuthorizationEndpointBase.handleBrowserAuthenticationRequest(AuthorizationEndpointBase.java:151)
keycloak_1  |   at org.keycloak.protocol.oidc.endpoints.AuthorizationEndpoint.buildAuthorizationCodeAuthorizationResponse(AuthorizationEndpoint.java:338)
keycloak_1  |   at org.keycloak.protocol.oidc.endpoints.AuthorizationEndpoint.process(AuthorizationEndpoint.java:194)
keycloak_1  |   at org.keycloak.protocol.oidc.endpoints.AuthorizationEndpoint.buildGet(AuthorizationEndpoint.java:112)
keycloak_1  |   at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
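
Added example (not code from the issue or from the Keycloak code base): a small Python parser over log lines shaped like the compose output quoted in this report. It flags the "REQUIRED and ALTERNATIVE elements at same level" flow warning, records which executions Keycloak says it will ignore, and ties each KC-SERVICES0013 failure to its first stack frame and to a preceding warning on the same thread, so the two symptoms in this thread surface as one finding. The line layout and the sample values are assumptions copied from the report above.

```python
import re

# Constructed sample shaped like the docker-compose output quoted in this issue
# (container prefix, timestamp, level, [logger], (thread), message) plus one stack
# frame; the values are copied from the report above, not taken from a live server.
SAMPLE_LOG = """\
keycloak_1  | 2022-05-16 11:35:31,823 WARN  [org.keycloak.authentication.DefaultAuthenticationFlow] (executor-thread-24) REQUIRED and ALTERNATIVE elements at same level! Those alternative executions will be ignored: [auth-cookie, identity-provider-redirector, null]
keycloak_1  | 2022-05-16 11:35:31,823 WARN  [org.keycloak.services] (executor-thread-24) KC-SERVICES0013: Failed authentication: java.lang.NullPointerException
keycloak_1  |   at org.keycloak.authentication.authenticators.sessionlimits.UserSessionLimitsAuthenticator.authenticate(UserSessionLimitsAuthenticator.java:44)
keycloak_1  | 2022-05-16 12:08:40,829 DEBUG [org.keycloak.authentication.DefaultAuthenticationFlow] (executor-thread-6) authenticator SUCCESS: user-session-limits
"""

PREFIX = r"^(?:\S+\s+\|\s*)?"  # optional "keycloak_1  | " compose prefix
LINE_RE = re.compile(
    PREFIX + r"(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2},\d{3}) (?P<level>[A-Z]+)\s+"
    r"\[(?P<logger>[^\]]+)\] \((?P<thread>[^)]+)\) (?P<msg>.*)$"
)
FRAME_RE = re.compile(PREFIX + r"at (?P<frame>.+)$")
MISCONFIG = "REQUIRED and ALTERNATIVE elements at same level!"
FAILED = "KC-SERVICES0013: Failed authentication: "


def analyze(log_text):
    """Return findings for flow-misconfiguration warnings and failed authentications.
    A failure is tagged with the first stack frame that follows it and with whether
    the same thread had already logged a misconfiguration warning."""
    findings, misconfig_threads = [], set()
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw)
        if m:
            ts, thread, msg = m.group("ts", "thread", "msg")
            if msg.startswith(MISCONFIG):
                ignored = msg[msg.index("[") + 1:msg.rindex("]")].split(", ")
                misconfig_threads.add(thread)
                findings.append({"kind": "flow_misconfig", "ts": ts, "thread": thread,
                                 "ignored": ignored, "null_entry": "null" in ignored})
            elif msg.startswith(FAILED):
                findings.append({"kind": "auth_failure", "ts": ts, "thread": thread,
                                 "exception": msg[len(FAILED):], "frame": None,
                                 "after_misconfig": thread in misconfig_threads})
            continue
        f = FRAME_RE.match(raw)  # only the first frame after a failure is kept
        if f and findings and findings[-1].get("frame", "") is None:
            findings[-1]["frame"] = f.group("frame")
    return findings

if __name__ == "__main__":
    for finding in analyze(SAMPLE_LOG):
        print(finding)
```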

@stianst stianst added the area/authentication label May 18, 2022
@christopheblin
Author

Is there someone looking at this problem (at least, confirming the problem)? Should I provide something else?

@Jacob-

Jacob- commented Jul 12, 2022

Hi, I have been experiencing the same behaviour.

@christopheblin
Author

@Jacob- if by any chance you find something that works, please keep me in touch here :)

@mposolda
Contributor

@christopheblin Thanks for the report, but I am closing for now as it is an incorrect configuration of the flow. Please see the docs on how the "User Session Limits" flow is supposed to be configured: https://www.keycloak.org/docs/latest/server_admin/index.html#_user_session_limits

@mposolda mposolda closed this as not planned Nov 24, 2022
@ghost ghost removed the status/triage label Nov 24, 2022