Username lookup fails with hash (#) symbols (using the User Storage SPI) #17900

Closed
2 tasks done
barthelch opened this issue Dec 13, 2022 · 9 comments

@barthelch

barthelch commented Dec 13, 2022

Before reporting an issue

  • I have searched existing issues
  • I have reproduced the issue with the latest release

Area

storage

Describe the bug

Environment: Keycloak v20.0.1 [0], Debian 11, openjdk 17.0.4
Settings: `keycloak` theme (the old theme and not the keycloak v2 one)

Problem description: We are currently working on a Custom User Storage Provider (following this description [1]). During development, we noticed an unexpected behavior concerning some usernames.

The username consists of two parts separated by a # symbol. Example: first12#second34.

Version

20.0.1

Expected behavior

I would expect a successful (admin-) lookup for usernames with # symbols (example: first12#second34).

Actual behavior

It is possible to successfully log in with usernames containing a # symbol but the username is not found within the admin lookup interface.
(found at Keycloak > Users > Search for `first12#second34` > click on the ID column).

See the keycloak2.png image with the Resource not found error page below.

How to Reproduce?

  1. Create and build the custom user provider, add it to the ~/providers directory within the Keycloak installation
  2. Run Keycloak: `bin/kc.sh build && bin/kc.sh start-dev`
  3. Create a realm and add the custom provider to the Keycloak instance
  4. Search for the username first12#second34
  5. Click on the ID field with the URL: http://127.0.0.1:8080/admin/master/console/#/realms/test/users/f:123..$KeycloakID..:first12#second34
    (image keycloak1.png)
  6. This will open a Resource not found page with the URL: http://127.0.0.1:8080/admin/master/console/#/notfound#second34
    (image keycloak2.png)

The logging output of the attached user SPI:

```
2022-12-12 13:14:44,139 INFO  [com.foobar.dbuserprovider.DBUserStorageProvider]  Constructor
2022-12-12 13:14:44,139 INFO  [com.foobar.dbuserprovider.DBUserStorageProvider]  getUserByUsername():  username=first12, exteranlId=first12
2022-12-12 13:14:44,140 INFO  [com.foobar.dbuserprovider.DBUserStorageProvider]  close()
```

Anything else?

Questions:

  • Regarding the output of the custom SPI: It looks like the getUserByUsername() method only receives the first part of the compound username (first12). Therefore, the lookup fails because no such user exists.
    Why is Keycloak not sending the entire username to the getUserByUsername() method?
  • Is the hash symbol interpreted as an HTML anchor symbol? (See also keycloak2.png; the second part is appended to the URL.)
    Do I have to "escape" it somehow at some point in time?
    (When and where?)
  • When I am using the Keycloak v2 theme and try to search for the first12#second34 user, I get this error message:
    Danger alert: Cannot include a '#' character in a manually specified `to.pathname` field [{"pathname":"/test/users/f:48d8b6cd-71d7-4bf4-8a5c-d18cdf31e482:first12#second34/settings"}]. Please separate it out to the `to.hash` field. Alternatively you may provide the full path as a string in <Link to="..."> and the router will parse it for you.

I am not sure where I can find further information about the to.hash field?
Is it something I can control within my Java extension?

Attachments: I have attached a minimal example (a Custom User Storage provider with a single username first12#second34, see DBUserStorageProvider.java and DBUserStorageProviderFactory.java) and two images showing the lookup list and the error message.

User Lookup Overview: (keycloak1.png)
keycloak1

Error message when clicking on the ID URL: (keycloak2.png)
keycloak2
DBUserStorageProvider.java.txt
DBUserStorageProviderFactory.java.txt

[0] https://github.com/keycloak/keycloak/releases/download/20.0.1/keycloak-20.0.1.tar.gz
[1] https://www.keycloak.org/docs/latest/server_development/index.html#_user-storage-spi

@barthelch added the kind/bug and status/triage labels Dec 13, 2022
@hmlnarik
Contributor

This seems an issue in UI.
@ssilvert @edewit @jonkoops Could you please check?

@ssilvert ssilvert transferred this issue from keycloak/keycloak Dec 13, 2022
@edewit
Contributor

edewit commented Dec 14, 2022

@barthelch why is the username in the url? That doesn't happen on my instance

@edewit
Contributor

edewit commented Dec 14, 2022

The hash is an anchor that we use for routing to the right view.

@jonkoops
Contributor

Note that this is in the old UI, for which we no longer provide bugfixes and new features unless absolutely critical. Is this behavior also reproducible in the new theme?

@barthelch
Author

barthelch commented Dec 15, 2022

> Note that this is in the old UI, for which we no longer provide bugfixes and new features unless absolutely critical. Is this behavior also reproducible in the new theme?

@jonkoops Thanks for your reply.

When I am trying to use the new UI (keycloak v2 Theme), I get this error message:

Cannot include a '#' character in a manually specified `to.pathname` field [{"pathname":"/test/users/f:48d8b6cd-71d7-4bf4-8a5c-d18cdf31e482:first12#second34/settings"}]. Please separate it out to the `to.hash` field. Alternatively you may provide the full path as a string in <Link to="..."> and the router will parse it for you.

The error message appears when I am searching for the user first12#second34

This is what it looks like:
keycloak3

@barthelch
Author

> @barthelch why is the username in the url? That doesn't happen on my instance

@edewit Thanks for your reply.

I don't know why this happens (this is the reason why I created this issue). Since you are saying that it works on your instance:

  • How did you create the user?

  • Have you used the DBUserStorageProvider*.java files I uploaded?

  • Or did you use your implementation? If that is the case, would it be possible to show me the Java code so I can compare it with my implementation?

  • Can I provide additional information about the issue I explained above?

@edewit
Contributor

edewit commented Dec 15, 2022

Ahh sorry, didn't see that you included the code. So I tried it with your code and it is what I initially thought: the user id contains a hash # and because we use a hash to do the routing, the link can't be created. So either you URL-encode the id in your provider or don't put the username in the id: (f:ef941914-9308-41ca-b9d0-ad1ad8982225:first12#second34).

You do this on line 125 of your code: `this.keycloakId = StorageId.keycloakId(model, username);`
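
Added example (not part of the thread and not Keycloak's code): a JavaScript model of the hash-routing behaviour described in the comment above, showing how an unencoded `#` in the user ID truncates the ID the router sees, and how percent-encoding the ID preserves it. The console base URL is taken from the issue; the component ID is a placeholder, and `userLink`, `routeUserId` and `externalId` are hypothetical helpers.

```javascript
// Model of a hash router: the route lives in location.hash and is parsed as its own URL.
const CONSOLE = "http://127.0.0.1:8080/admin/master/console/";
const COMPONENT_ID = "00000000-0000-0000-0000-000000000000"; // placeholder, not from the issue
// Constructed sample ID in the f:<componentId>:<externalId> shape shown in the thread.
const storageId = `f:${COMPONENT_ID}:first12#second34`;

// Hypothetical helper: build the admin-console link for a user ID.
function userLink(id, encode) {
  const segment = encode ? encodeURIComponent(id) : id;
  return `${CONSOLE}#/realms/test/users/${segment}`;
}

// Hypothetical helper: recover the user ID the way a hash router would.
function routeUserId(link) {
  const fragment = new URL(link).hash.slice(1); // everything after the FIRST '#'
  // The router treats the fragment as a path, so a second '#' starts a new fragment.
  const inner = new URL(fragment, "http://router.invalid");
  const raw = inner.pathname.split("/").pop();
  return { id: decodeURIComponent(raw), leftover: inner.hash };
}

// Hypothetical helper: the part after the second ':' is what the provider is asked for.
function externalId(id) {
  return id.split(":").slice(2).join(":");
}

const bad = routeUserId(userLink(storageId, false));
const good = routeUserId(userLink(storageId, true));
console.log("unencoded:", externalId(bad.id), "leftover:", bad.leftover);
console.log("encoded:  ", externalId(good.id), "leftover:", good.leftover);
```

With the unencoded link the lookup is made for a different identifier than the one clicked, which matches the `username=first12` line in the provider log and the `#second34` left on the not-found URL.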

@barthelch
Author

> Ahh sorry, didn't see that you included the code. So I tried it with your code and it is what I initially thought: the user id contains a hash # and because we use a hash to do the routing, the link can't be created. So either you URL-encode the id in your provider or don't put the username in the id: (f:ef941914-9308-41ca-b9d0-ad1ad8982225:first12#second34).
>
> You do this on line 125 of your code: `this.keycloakId = StorageId.keycloakId(model, username);`

Ok, I was uncertain whether it is possible to change the username at this point and what else is affected when doing so. Thanks @edewit, that seems to solve my issue.

@ssilvert ssilvert transferred this issue from keycloak/keycloak-ui Mar 15, 2023
@EugeneGoroschenya

EugeneGoroschenya commented Apr 3, 2024

I doubt that encoding in the provider is the proper fix for this issue.

The problem was probably introduced by f32d3f5 (Upgrade to React Router v6).
See remix-run/react-router#7428.

I hope the issue was fixed properly by #23667 in scope of #22600.
