-
Notifications
You must be signed in to change notification settings - Fork 6.4k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Do not lower-case the username from the IdP when creating the federated identity #29148
Conversation
@@ -167,7 +167,7 @@ public void addFederatedIdentity(RealmModel realm, UserModel user, FederatedIden | |||
entity.setRealmId(realm.getId()); | |||
entity.setIdentityProvider(identity.getIdentityProvider()); | |||
entity.setUserId(identity.getUserId()); | |||
entity.setUserName(identity.getUserName().toLowerCase()); |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Do we want a switch to enable/disable this behavior? This change can break existing deployments expecting the original username to be in lower-case.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
It is probably a good idea to do it, IMO.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Can we just update this and document in the migration guide? Hopefully we can avoid (yet another) switch. But not 100% sure... If you guys rather think, we should keep backwards compatibility, I don't want to block this.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I'd go then with the path of not adding any switch but updating both release and upgrade guides. I think most of the time, you really want to keep the original username. Also, I think one could always use a mapper to lowercase the value if they really need this data into tokens.
@thomasdarimont @sschu @tnorimat Based on your experience, do you have any strong opinions about this? Does it make sense to introduce a setting to keep storing the original username in lowercase (case-insensitive) when federating users from a broker?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
@pedroigor Hello,
From my side, there is no strong opinion about it. IMO, it makes sense to me to add a switch make sense to keep backward compatibility.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I also would try to not break compatibility, otherwise people will end up with an upper/lower case mixture. Maybe we could keep the old behaviour for existing realms and introduce the new behaviour for new realms only? One option to not use a switch here would be to edit the template for new realms to always use a username template mapper in its first broker login flow. We could document that in order to change the behaviour for existing realms, you can add a username template mapper.
Besides that, I think the search logic in the JPAUserProvider needs to be adapted since currently it always searches for lower username only, see
orPredicates.add(builder.equal(from.get(USERNAME), value)); |
predicates.add(builder.equal(root.get(key), value.toLowerCase())); |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
@sschu Those references are related to the querying users and not their federated identities. AFAIK, we don't have any query that uses https://github.com/keycloak/keycloak/blob/main/model/jpa/src/main/java/org/keycloak/models/jpa/entities/FederatedIdentityEntity.java#L64 in a predicate.
I like though your suggestion to keep the existing behavior for existing realms while introducing the new behavior only for new ones. I'm wondering if we should consider binding realms with a version so that we can change behavior like this one only for realms greater than or equal to the version where a realm was created?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Ah, I assumed this was targeted at the username that Keycloak set's for a user based on the username from the external IDP. That's why I was also looking at the UsernameTemplateMapper. Binding switches to realm versions sounds like a nice idea to me. But. I would probably try to get more people's opinion on this since this could probably be used in several places.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I've updated the PR to introduce a Case-sensitive username
switch to the broker configuration so that you can enable it and have case-sensitive usernames when storing the federated identity.
a283d27
to
05663f5
Compare
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Accidentally approved the PR - I meant to comment that there are test failures that seem related @pedroigor
Fixed the failure by making sure we respect the value from the JSON configuration instead of forcing a lower-case when importing federating identities. |
…ed identity Closes keycloak#28495 Signed-off-by: Pedro Igor <pigor.craveiro@gmail.com>
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Unreported flaky test detected, please review
Unreported flaky test detectedIf the flaky tests below are affected by the changes, please review and update the changes accordingly. Otherwise, a maintainer should report the flaky tests prior to merging the PR. org.keycloak.testsuite.forms.BruteForceTest#testNonExistingAccountsKeycloak CI - Forms IT (chrome)
org.keycloak.testsuite.model.session.UserSessionPersisterProviderTest#testMigrateSessionKeycloak CI - Store Model Tests
|
Closes #28495