Failed authentication: java.lang.NullPointerException: Cannot invoke "org.keycloak.models.UserModel.getFederationLink()" because "this.delegate" is null #28100

Closed
2 tasks done
fjf2002 opened this issue Mar 20, 2024 · 7 comments · Fixed by #28212
Assignees
Labels
area/identity-brokering kind/bug Categorizes a PR related to a bug kind/regression priority/blocker Highest Priority. Has a deadline and it blocks other tasks release/24.0.3 release/25.0.0 team/core-iam
Milestone

Comments

@fjf2002
Contributor

fjf2002 commented Mar 20, 2024

Before reporting an issue

  • I have read and understood the above terms for submitting issues, and I understand that my issue may be closed without action if I do not follow them.

Area

identity-brokering, ldap

Describe the bug

I'm using Keycloak v24.0.1 with both

  • another keycloak server as an identity provider (let's call that "foo")
  • an LDAP User federation (with Kerberos SSO).

I had tested both separately and it worked. But when BOTH are enabled, the following occurs; see the descriptions in the sections below.

As soon as I disable the LDAP user federation, it will work.

I should add, the LDAP user federation is configured as follows:

  • Edit mode: UNSYNCED
  • Import Users: On
  • Sync Registrations: Off

Version

24.0.1

Regression

  • The issue is a regression

Expected behavior

Successful login with the "foo" keycloak IDP

Actual behavior

After the steps described in "How to Reproduce", the GUI shows "An Error occurred", and the log shows:

2024-03-20 15:37:29,305 WARN  [org.keycloak.services] (executor-thread-10) KC-SERVICES0013: Failed authentication: java.lang.NullPointerException: Cannot invoke "org.keycloak.models.UserModel.getFederationLink()" because "this.delegate" is null
	at org.keycloak.models.utils.UserModelDelegate.getFederationLink(UserModelDelegate.java:195)
	at org.keycloak.storage.ldap.LDAPStorageProvider.lambda$decorateUserProfile$23(LDAPStorageProvider.java:1115)
	at org.keycloak.userprofile.AttributeMetadata.isSelected(AttributeMetadata.java:132)
	at org.keycloak.userprofile.DefaultAttributes.configureMetadata(DefaultAttributes.java:332)
	at org.keycloak.userprofile.DefaultAttributes.<init>(DefaultAttributes.java:87)
	at org.keycloak.userprofile.DeclarativeUserProfileProvider.createAttributes(DeclarativeUserProfileProvider.java:112)
	at org.keycloak.userprofile.DeclarativeUserProfileProvider.createUserProfile(DeclarativeUserProfileProvider.java:139)
	at org.keycloak.userprofile.DeclarativeUserProfileProvider.create(DeclarativeUserProfileProvider.java:122)
	at org.keycloak.authentication.authenticators.broker.IdpReviewProfileAuthenticator.actionImpl(IdpReviewProfileAuthenticator.java:196)
	at org.keycloak.authentication.authenticators.broker.AbstractIdpAuthenticator.action(AbstractIdpAuthenticator.java:93)
	at org.keycloak.authentication.DefaultAuthenticationFlow.processAction(DefaultAuthenticationFlow.java:151)
	at org.keycloak.authentication.AuthenticationProcessor.authenticationAction(AuthenticationProcessor.java:987)

How to Reproduce?

  • Go to the keycloak login form
  • Click the button at the bottom to sign in with the "foo" keycloak IDP
  • At the "foo" keycloak IDP, choose a user not yet known to our own IDP and without an email address, and log in.
  • After the redirect back to our IDP, the "Update Account Information" form shows up. Enter an email address and click "submit".
  • Now the errors occur as described in "Actual behavior".

Anything else?

No response

@pedroigor
Contributor

@fjf2002 Did you manage to have both working on previous versions?

@pedroigor pedroigor self-assigned this Mar 20, 2024
@fjf2002
Contributor Author

fjf2002 commented Mar 21, 2024

@pedroigor: Unknown.
Do you expect me to set up Keycloak v23 or v22 and test that?

@ArminRadmueller

Same problem with Version 24.0.1 and Microsoft Entra ID.
I have noticed that if you create the social link on a user manually, the login with Entra ID works.

@pedroigor
Contributor

@ArminRadmueller @fjf2002 I think I know what is going on. During the first broker login flow we are not dealing with the fact that the federation link (basically, the user federation provider ID) does not exist. See https://github.com/keycloak/keycloak/blob/main/services/src/main/java/org/keycloak/authentication/authenticators/broker/IdpReviewProfileAuthenticator.java#L115.

We need to override the getFederationLink and return null in that case.

We also don't have enough coverage for brokering and LDAP enabled at the same time. We should update our test suite to cover such usage.
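The null-delegate failure described in this comment, as an added illustration that is not Keycloak's own code: a simplified stand-in for the UserModelDelegate wrapper is built with no delegate (the local user does not exist yet during first broker login), and an attribute selector standing in for the LDAP provider's decorateUserProfile check calls getFederationLink() on it. The "before" variant forwards blindly and throws, the "after" variant resolves the federation link as null, so the LDAP-only attribute is simply not selected for an unlinked user. The User interface, the class names, the attribute names and the provider id are hypothetical stand-ins and not the real org.keycloak.models types.

```java
// Added example, not Keycloak's own code. All names below are simplified
// stand-ins for the real org.keycloak.models / LDAP provider types.
import java.util.ArrayList;
import java.util.List;

public class FederationLinkExample {

    // Minimal stand-in for UserModel; only the method from the stack trace matters here.
    interface User {
        String getFederationLink();
    }

    // Stand-in for the wrapper as it behaved before the fix: every call is
    // forwarded to the delegate, so a null delegate throws NullPointerException.
    static class NaiveDelegate implements User {
        protected final User delegate;
        NaiveDelegate(User delegate) { this.delegate = delegate; }
        @Override public String getFederationLink() { return delegate.getFederationLink(); }
    }

    // Null-safe variant, in the direction the comment proposes: resolve the
    // federation link as null when there is no delegate yet.
    static class SafeDelegate extends NaiveDelegate {
        SafeDelegate(User delegate) { super(delegate); }
        @Override public String getFederationLink() {
            return delegate == null ? null : delegate.getFederationLink();
        }
    }

    // Stand-in for the provider's attribute selector: an LDAP-mapped attribute
    // is only selected when the user is linked to this storage provider.
    // providerId.equals(null) is false, so an unlinked user is simply skipped.
    static boolean selectedForProvider(User user, String providerId) {
        return providerId.equals(user.getFederationLink());
    }

    // Builds the attribute list the profile form would show (constructed names).
    static List<String> profileAttributesFor(User user, String providerId) {
        List<String> out = new ArrayList<>();
        for (String attr : List.of("username", "email", "ldapMemberOf")) {
            // "username"/"email" are realm attributes and always selected; the
            // hypothetical LDAP-only attribute is gated by the federation link check.
            if (!attr.equals("ldapMemberOf") || selectedForProvider(user, providerId)) {
                out.add(attr);
            }
        }
        return out;
    }

    public static void main(String[] args) {
        String ldapId = "ldap-provider-id"; // constructed sample provider id
        User notYetCreated = null;           // first broker login: no local user yet

        try {
            profileAttributesFor(new NaiveDelegate(notYetCreated), ldapId);
        } catch (NullPointerException e) {
            System.out.println("before fix: NullPointerException (" + e.getMessage() + ")");
        }

        System.out.println("after fix, unlinked user: "
                + profileAttributesFor(new SafeDelegate(notYetCreated), ldapId));

        // A user that already carries the federation link gets the LDAP attribute.
        User linked = () -> ldapId;
        System.out.println("after fix, linked user:   "
                + profileAttributesFor(new SafeDelegate(linked), ldapId));
    }
}
```

Compile and run with `javac FederationLinkExample.java && java FederationLinkExample`. The point worth keeping in mind when adding the null-safe override: returning null is only correct because every consumer of the federation link treats "no link" as "not federated by this provider" (here via the `equals` ordering in `selectedForProvider`); a consumer that dereferences the link itself would just move the NullPointerException one frame up.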

pedroigor added a commit to pedroigor/keycloak that referenced this issue Mar 26, 2024
…file metadata in the LDAP provider

Closes keycloak#28100

Signed-off-by: Pedro Igor <pigor.craveiro@gmail.com>
@keycloak-github-bot keycloak-github-bot bot added kind/regression priority/blocker Highest Priority. Has a deadline and it blocks other tasks and removed priority/important Must be worked on very soon action/priority-regression labels Mar 26, 2024
@keycloak-github-bot keycloak-github-bot bot added this to the 25.0.0 milestone Mar 26, 2024
pedroigor added a commit that referenced this issue Mar 26, 2024
…file metadata in the LDAP provider

Closes #28100

Signed-off-by: Pedro Igor <pigor.craveiro@gmail.com>
pedroigor added a commit to pedroigor/keycloak that referenced this issue Mar 26, 2024
…file metadata in the LDAP provider

Closes keycloak#28100

Signed-off-by: Pedro Igor <pigor.craveiro@gmail.com>
@pedroigor
Contributor

@fjf2002 Please, let me know if that fix works well for you. I managed to reproduce it in that test by enabling Kerberos for a realm without running any other step to authenticate the user, but just logging in from the broker.

I hope it is enough to cover this usage.

@ArminRadmueller

Unfortunately I don't know exactly how to test. Would it be possible to release this fix in 24.0.3?

@fjf2002
Contributor Author

fjf2002 commented Mar 27, 2024

I have tested using the nightly build. Works. Thank you for patching that quickly.

stianst pushed a commit to stianst/keycloak that referenced this issue Apr 16, 2024
…file metadata in the LDAP provider (#147)

Closes keycloak#28100

Signed-off-by: Pedro Igor <pigor.craveiro@gmail.com>
stianst added a commit that referenced this issue Apr 16, 2024
* Limit requests sent through session status iframe (#132)

Closes #116

Signed-off-by: Jon Koops <jonkoops@gmail.com>

* Perform exact string match if redirect URI contains userinfo, encoded slashes or parent access (#131)

Closes keycloak/keycloak-private#113
Closes keycloak/keycloak-private#134

Signed-off-by: rmartinc <rmartinc@redhat.com>
Co-authored-by: Stian Thorgersen <stianst@gmail.com>

* Validate Saml URLs inside DefaultClientValidationProvider (#135)

Closes keycloak/keycloak-private#62

Signed-off-by: rmartinc <rmartinc@redhat.com>

* Avoid the same userSessionId after re-authentication (#136)

Closes #69

Signed-off-by: Giuseppe Graziano <g.graziano94@gmail.com>

* Better management of domains in TrustedHostClientRegistrationPolicy (#139)

Closes keycloak/keycloak-private#63

Signed-off-by: rmartinc <rmartinc@redhat.com>

* Secondary factor bypass in step-up authentication (#143)

closes #34

Signed-off-by: mposolda <mposolda@gmail.com>

* Restrict the token types that can be verified when not using the user info endpoint (#146)

Closes #47

Signed-off-by: Pedro Igor <pigor.craveiro@gmail.com>

Conflicts:
	core/src/main/java/org/keycloak/util/TokenUtil.java
	testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/oauth/ClientTokenExchangeTest.java

* Resolve the user federation link as null when decorating the user profile metadata in the LDAP provider (#147)

Closes #28100

Signed-off-by: Pedro Igor <pigor.craveiro@gmail.com>

* Align isEnabled in MSAD mappers to how other properties are processed in UserAttributeLDAPStorageMapper (#148)

- user model is updated by onImport with the enabled/disabled status of the LDAP user
- a config option always.read.enabled.value.from.ldap was introduced, in synch to what we have in UserAttributeLDAPStorageMapper
- isEnabled checks the flag to decide if it should always retrieve the value from LDAP, or return the local value.
- setEnabled first updates the LDAP tx, and then calls the delegate to avoid issue #24201

Closes #26695
Closed #24201

Signed-off-by: Stefan Guilhen <sguilhen@redhat.com>
(cherry picked from commit 2ca59d4)

* Ignore all links to GitHub when checking external links in docs due to rate limiting issues (#151)

Closes #28330

Signed-off-by: stianst <stianst@gmail.com>

* Make sure attribute metadata from user storage providers are added only for the provider associated with a federated user (#150)

Closes #28248

Signed-off-by: Pedro Igor <pigor.craveiro@gmail.com>

Conflicts:
	docs/documentation/upgrading/topics/changes/changes-24_0_3.adoc

* Allow `false` to be set for `pkceMethod` option (#28347) (#152)

Closes #28335

Signed-off-by: Jon Koops <jonkoops@gmail.com>

* fix: adds a test and permissions for cache configmap (#153)

closes: #28638

Signed-off-by: Steve Hawkins <shawkins@redhat.com>

---------

Signed-off-by: Jon Koops <jonkoops@gmail.com>
Signed-off-by: rmartinc <rmartinc@redhat.com>
Signed-off-by: Giuseppe Graziano <g.graziano94@gmail.com>
Signed-off-by: mposolda <mposolda@gmail.com>
Signed-off-by: Pedro Igor <pigor.craveiro@gmail.com>
Signed-off-by: stianst <stianst@gmail.com>
Signed-off-by: Steve Hawkins <shawkins@redhat.com>
Co-authored-by: Jon Koops <jonkoops@gmail.com>
Co-authored-by: Ricardo Martin <rmartinc@redhat.com>
Co-authored-by: Giuseppe Graziano <g.graziano94@gmail.com>
Co-authored-by: Marek Posolda <mposolda@gmail.com>
Co-authored-by: Pedro Igor <pigor.craveiro@gmail.com>
Co-authored-by: Stefan Guilhen <sguilhen@redhat.com>
Co-authored-by: Steven Hawkins <shawkins@redhat.com>
4 participants