Failed authentication: java.lang.NullPointerException: Cannot invoke "org.keycloak.models.UserModel.getFederationLink()" because "this.delegate" is null #28100
Comments
@fjf2002 Did you manage to have both working on previous versions?
@pedroigor: Unknown.
Same problem with Version 24.0.1 and Microsoft Entra ID.
@ArminRadmueller @fjf2002 I think I know what is going on. During the first broker login flow we are not dealing with the fact that the We need to override the We also don't have enough coverage for brokering and LDAP enabled at the same time. We should update our test suite to cover such usage.
…file metadata in the LDAP provider Closes keycloak#28100 Signed-off-by: Pedro Igor <pigor.craveiro@gmail.com>
…file metadata in the LDAP provider Closes #28100 Signed-off-by: Pedro Igor <pigor.craveiro@gmail.com>
@fjf2002 Please, let me know if that fix works well for you. I managed to reproduce it in that test by enabling Kerberos to a realm without running any other step to authenticate the user but just log in from the broker. I hope it is enough to cover this usage.
Unfortunately I don't know exactly how to test. Would it be possible to release this fix in a 24.0.3?
I have tested using the nightly build. Works. Thank you for patching that quickly.
…file metadata in the LDAP provider (#147) Closes keycloak#28100 Signed-off-by: Pedro Igor <pigor.craveiro@gmail.com>
* Limit requests sent through session status iframe (#132)
  Closes #116
  Signed-off-by: Jon Koops <jonkoops@gmail.com>
* Perform exact string match if redirect URI contains userinfo, encoded slashes or parent access (#131)
  Closes keycloak/keycloak-private#113
  Closes keycloak/keycloak-private#134
  Signed-off-by: rmartinc <rmartinc@redhat.com>
  Co-authored-by: Stian Thorgersen <stianst@gmail.com>
* Validate Saml URLs inside DefaultClientValidationProvider (#135)
  Closes keycloak/keycloak-private#62
  Signed-off-by: rmartinc <rmartinc@redhat.com>
* Avoid the same userSessionId after re-authentication (#136)
  Closes #69
  Signed-off-by: Giuseppe Graziano <g.graziano94@gmail.com>
* Better management of domains in TrustedHostClientRegistrationPolicy (#139)
  Closes keycloak/keycloak-private#63
  Signed-off-by: rmartinc <rmartinc@redhat.com>
* Secondary factor bypass in step-up authentication (#143)
  closes #34
  Signed-off-by: mposolda <mposolda@gmail.com>
* Restrict the token types that can be verified when not using the user info endpoint (#146)
  Closes #47
  Signed-off-by: Pedro Igor <pigor.craveiro@gmail.com>
  Conflicts:
  core/src/main/java/org/keycloak/util/TokenUtil.java
  testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/oauth/ClientTokenExchangeTest.java
* Resolve the user federation link as null when decorating the user profile metadata in the LDAP provider (#147)
  Closes #28100
  Signed-off-by: Pedro Igor <pigor.craveiro@gmail.com>
* Align isEnabled in MSAD mappers to how other properties are processed in UserAttributeLDAPStorageMapper (#148)
  - user model is updated by onImport with the enabled/disabled status of the LDAP user
  - a config option always.read.enabled.value.from.ldap was introduced, in synch to what we have in UserAttributeLDAPStorageMapper
  - isEnabled checks the flag to decide if it should always retrieve the value from LDAP, or return the local value.
  - setEnabled first updates the LDAP tx, and then calls the delegate to avoid issue #24201
  Closes #26695
  Closed #24201
  Signed-off-by: Stefan Guilhen <sguilhen@redhat.com>
  (cherry picked from commit 2ca59d4)
* Ignore all links to GitHub when checking external links in docs due to rate limiting issues (#151)
  Closes #28330
  Signed-off-by: stianst <stianst@gmail.com>
* Make sure attribute metadata from user storage providers are added only for the provider associated with a federated user (#150)
  Closes #28248
  Signed-off-by: Pedro Igor <pigor.craveiro@gmail.com>
  Conflicts:
  docs/documentation/upgrading/topics/changes/changes-24_0_3.adoc
* Allow `false` to be set for `pkceMethod` option (#28347) (#152)
  Closes #28335
  Signed-off-by: Jon Koops <jonkoops@gmail.com>
* fix: adds a test and permissions for cache configmap (#153)
  closes: #28638
  Signed-off-by: Steve Hawkins <shawkins@redhat.com>
---------
Signed-off-by: Jon Koops <jonkoops@gmail.com>
Signed-off-by: rmartinc <rmartinc@redhat.com>
Signed-off-by: Giuseppe Graziano <g.graziano94@gmail.com>
Signed-off-by: mposolda <mposolda@gmail.com>
Signed-off-by: Pedro Igor <pigor.craveiro@gmail.com>
Signed-off-by: stianst <stianst@gmail.com>
Signed-off-by: Steve Hawkins <shawkins@redhat.com>
Co-authored-by: Jon Koops <jonkoops@gmail.com>
Co-authored-by: Ricardo Martin <rmartinc@redhat.com>
Co-authored-by: Giuseppe Graziano <g.graziano94@gmail.com>
Co-authored-by: Marek Posolda <mposolda@gmail.com>
Co-authored-by: Pedro Igor <pigor.craveiro@gmail.com>
Co-authored-by: Stefan Guilhen <sguilhen@redhat.com>
Co-authored-by: Steven Hawkins <shawkins@redhat.com>
Before reporting an issue
Area
identity-brokering, ldap
Describe the bug
I'm using Keycloak v24.0.1 with both
I had tested both separately and it worked. But when BOTH are enabled, the following occurs, see the descriptions in the sections below.
As soon as I disable the LDAP user federation, it will work.
I should add, the LDAP user federation is configured as follows:
Version
24.0.1
Regression
Expected behavior
Successful login with the "foo" keycloak IDP
Actual behavior
After the steps described in "How to Reproduce", the GUI shows "An Error occurred", and the log shows:
How to Reproduce?
Anything else?
No response