
Adding roles to Service Account user allows to update user by serviceAccountClientId but is not working correctly #1011

Open
Sebastian-Gil-wcq opened this issue Apr 22, 2024 · 2 comments

@Sebastian-Gil-wcq

Current Behavior

We are provisioning clients with service accounts. Some of them use client roles bound to the service user. The most convenient way to provision such client roles is to use serviceAccountClientId, since it is a part of the provisioned change. The operation is successful, but strange things happen. Service account users get roles from a wrong client, or they don't get the role assigned at all. The solution is to add the username to each entry in the users collection. However, now we have to use a generated username with the prefix 'service-account-'. In case Keycloak changes that behaviour and stops prefixing service users with 'service-account-', there will be no way to "guess" that auto-generated name. To summarise, I see two issues here:

  1. I'm allowed to create a user using serviceAccountClientId, but this is not working correctly.
  2. In fact I'm not able to use serviceAccountClientId, which seems to be the most convenient thing to do when I provision a client with a service account.

Expected Behavior

When I update service account user using serviceAccountClientId I want roles to be correctly applied to the user.

Steps To Reproduce

Sample config

```yaml
realm: test
clients:
  - clientId: api-event-mgmt
    description: desc
    enabled: true
    clientAuthenticatorType: client-secret
    secret: secret
    standardFlowEnabled: true
    implicitFlowEnabled: false
    directAccessGrantsEnabled: true
    serviceAccountsEnabled: true
    publicClient: false
    frontchannelLogout: true
    protocol: openid-connect
    attributes:
      oidc.ciba.grant.enabled: 'false'
      backchannel.logout.session.required: 'true'
      display.on.consent.screen: 'false'
      oauth2.device.authorization.grant.enabled: 'false'
      backchannel.logout.revoke.offline.tokens: 'false'
    fullScopeAllowed: true
    authorizationServicesEnabled: false
  - clientId: api-client-mgmt   # referenced as api-client-mgmt by the users section below
    description: desc
    enabled: true
    clientAuthenticatorType: client-secret
    secret: secret
    standardFlowEnabled: true
    implicitFlowEnabled: false
    directAccessGrantsEnabled: true
    serviceAccountsEnabled: true
    publicClient: false
    frontchannelLogout: true
    protocol: openid-connect
    attributes:
      oidc.ciba.grant.enabled: 'false'
      backchannel.logout.session.required: 'true'
      display.on.consent.screen: 'false'
      oauth2.device.authorization.grant.enabled: 'false'
      backchannel.logout.revoke.offline.tokens: 'false'
    fullScopeAllowed: true
    authorizationServicesEnabled: false
users:
  - serviceAccountClientId: api-client-mgmt
    realmRoles: [ ]
    clientRoles:
      realm-management:
        - view-realm
        - manage-users
        - query-clients
        - manage-clients
  - serviceAccountClientId: api-event-mgmt
    realmRoles: [ ]
    clientRoles:
      realm-management:
        - view-events
        - manage-events
```


### Environment

- Keycloak Version: 24.0.2
- keycloak-config-cli Version: Docker image adorsys/keycloak-config-cli:latest ([5.12.0-24.0.1](https://hub.docker.com/layers/adorsys/keycloak-config-cli/5.12.0-24.0.1/images/sha256-e9ec13c190a6adfd706b1d8a5c71d5434c4766d066259b14b05c3361c04d77c9?context=explore))
- Java Version: 17


### Anything else?

_No response_
@blanser-cc

Just wanted to add that we have exactly the same issue with one of our customers.

@Motouom Motouom moved this from Todo to Ready for Dev in os-competence-center-board Nov 28, 2024
@Motouom Motouom self-assigned this Jan 8, 2025
@Motouom Motouom moved this from Ready for Dev to In Progress in os-competence-center-board Jan 8, 2025
@Motouom Motouom moved this from In Progress to Ready for Dev in os-competence-center-board Jan 9, 2025
@Motouom Motouom moved this from Ready for Dev to In Progress in os-competence-center-board Jan 9, 2025
@Motouom (Collaborator) commented Jan 9, 2025

Hello @Sebastian-Gil-wcq and @blanser-cc.

Thanks for reporting the issue.

For some reasons that I have not yet gotten clearly, the configuration that you provided is not completely okay, making it not work correctly.

You see, from the digging I made, for each service account user that you are inserting in your json/yml import, they must have a "username" attribute defined. Also, the user name must start with "service-account".

For the config you provided, I imported it and saw the issue you were facing. But when I looked further into the issue, it shows that it was just an issue of misconfiguration.

Below is your import and the result:

```json
{
  "realm": "test",
  "clients": [
    {
      "clientId": "api-event-mgmt",
      "description": "desc",
      "enabled": true,
      "clientAuthenticatorType": "client-secret",
      "secret": "secret",
      "standardFlowEnabled": true,
      "implicitFlowEnabled": false,
      "directAccessGrantsEnabled": true,
      "serviceAccountsEnabled": true,
      "publicClient": false,
      "frontchannelLogout": true,
      "protocol": "openid-connect",
      "attributes": {
        "oidc.ciba.grant.enabled": "false",
        "backchannel.logout.session.required": "true",
        "display.on.consent.screen": "false",
        "oauth2.device.authorization.grant.enabled": "false",
        "backchannel.logout.revoke.offline.tokens": "false"
      },
      "fullScopeAllowed": true,
      "authorizationServicesEnabled": false
    },
    {
      "clientId": "api-client-mgmt",
      "description": "desc",
      "enabled": true,
      "clientAuthenticatorType": "client-secret",
      "secret": "secret",
      "standardFlowEnabled": true,
      "implicitFlowEnabled": false,
      "directAccessGrantsEnabled": true,
      "serviceAccountsEnabled": true,
      "publicClient": false,
      "frontchannelLogout": true,
      "protocol": "openid-connect",
      "attributes": {
        "oidc.ciba.grant.enabled": "false",
        "backchannel.logout.session.required": "true",
        "display.on.consent.screen": "false",
        "oauth2.device.authorization.grant.enabled": "false",
        "backchannel.logout.revoke.offline.tokens": "false"
      },
      "fullScopeAllowed": true,
      "authorizationServicesEnabled": false
    }
  ],
  "users": [
    {
      "serviceAccountClientId": "api-client-mgmt",
      "realmRoles": [],
      "clientRoles": {
        "realm-management": [
          "view-realm",
          "manage-users",
          "query-clients",
          "manage-clients"
        ]
      }
    },
    {
      "serviceAccountClientId": "api-event-mgmt",
      "realmRoles": [],
      "clientRoles": {
        "realm-management": [
          "view-events",
          "manage-events"
        ]
      }
    }
  ]
}
```

[Screenshot: the users are created properly]

[Screenshot: the clients are also well created]

[Screenshots: but the roles are not well assigned]

The issue mainly arises because no "username" is set, as I mentioned above.

So, to fix the config, here is the corrected version:

```json
{
  "realm": "test",
  "clients": [
    {
      "clientId": "api-event-mgmt",
      "description": "desc",
      "enabled": true,
      "clientAuthenticatorType": "client-secret",
      "secret": "secret",
      "standardFlowEnabled": true,
      "implicitFlowEnabled": false,
      "directAccessGrantsEnabled": true,
      "serviceAccountsEnabled": true,
      "publicClient": false,
      "frontchannelLogout": true,
      "protocol": "openid-connect",
      "attributes": {
        "oidc.ciba.grant.enabled": "false",
        "backchannel.logout.session.required": "true",
        "display.on.consent.screen": "false",
        "oauth2.device.authorization.grant.enabled": "false",
        "backchannel.logout.revoke.offline.tokens": "false"
      },
      "fullScopeAllowed": true,
      "authorizationServicesEnabled": false
    },
    {
      "clientId": "api-client-mgmt",
      "description": "desc",
      "enabled": true,
      "clientAuthenticatorType": "client-secret",
      "secret": "secret",
      "standardFlowEnabled": true,
      "implicitFlowEnabled": false,
      "directAccessGrantsEnabled": true,
      "serviceAccountsEnabled": true,
      "publicClient": false,
      "frontchannelLogout": true,
      "protocol": "openid-connect",
      "attributes": {
        "oidc.ciba.grant.enabled": "false",
        "backchannel.logout.session.required": "true",
        "display.on.consent.screen": "false",
        "oauth2.device.authorization.grant.enabled": "false",
        "backchannel.logout.revoke.offline.tokens": "false"
      },
      "fullScopeAllowed": true,
      "authorizationServicesEnabled": false
    }
  ],
  "users": [
    {
      "username": "service-account-api-client-mgmt",
      "serviceAccountClientId": "api-client-mgmt",
      "realmRoles": [],
      "clientRoles": {
        "realm-management": [
          "view-realm",
          "manage-users",
          "query-clients",
          "manage-clients"
        ]
      }
    },
    {
      "username": "service-account-api-event-mgmt",
      "serviceAccountClientId": "api-event-mgmt",
      "realmRoles": [],
      "clientRoles": {
        "realm-management": [
          "view-events",
          "manage-events"
        ]
      }
    }
  ]
}
```

You can see here that the "username" of each user has been set, not only the "serviceAccountClientId", and now the config works properly. This is the result below:

[Screenshot: the users are well set]

[Screenshot: the clients are also well set]

[Screenshots: each role is also well assigned accordingly]
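The two imports in this thread differ only in the `username` field, and the failure mode (roles landing on the wrong service user or nowhere, with the import still reporting success) is exactly the kind of silent privilege drift a pre-import check should catch. The following lint is an added example, not code from keycloak-config-cli or from either commenter: it walks an import document and reports every user entry that carries `serviceAccountClientId` but no `username`, a `username` that does not match Keycloak's generated `service-account-<clientId>` name, a reference to a client missing from the import or without `serviceAccountsEnabled`, and duplicate `clientId` entries. The prefix is Keycloak's current convention as the thread describes it; it is a parameter so the check can follow the server if that ever changes, which addresses the concern raised in the issue body. The two sample imports are constructed, trimmed-down versions of the ones posted above.

```python
"""Lint a keycloak-config-cli import for the service-account pitfalls
discussed in this issue. Added example; not part of keycloak-config-cli."""
import json
import sys

# Keycloak currently names a client's service-account user
# "service-account-<clientId>" (the thread relies on this). Kept as a
# parameter so the check can track the server if the prefix changes.
SERVICE_ACCOUNT_PREFIX = "service-account-"


def lint_service_account_users(config: dict, prefix: str = SERVICE_ACCOUNT_PREFIX) -> list[str]:
    """Return one finding per problem; an empty list means the import is clean."""
    findings = []

    # Index clients by clientId; a duplicate makes every reference to it ambiguous.
    clients_by_id = {}
    for client in config.get("clients", []):
        cid = client.get("clientId")
        if cid in clients_by_id:
            findings.append(f"clients: duplicate clientId '{cid}'")
            continue
        clients_by_id[cid] = client

    targeted = set()
    for index, user in enumerate(config.get("users", [])):
        sa_client = user.get("serviceAccountClientId")
        if sa_client is None:
            continue  # ordinary user entry; out of scope here
        where = f"users[{index}]"

        if sa_client in targeted:
            findings.append(f"{where}: client '{sa_client}' is targeted by more than one user entry")
        targeted.add(sa_client)

        client = clients_by_id.get(sa_client)
        if client is None:
            findings.append(f"{where}: serviceAccountClientId '{sa_client}' matches no client in the import")
        elif not client.get("serviceAccountsEnabled", False):
            findings.append(f"{where}: client '{sa_client}' does not have serviceAccountsEnabled")

        # The defect from the thread: without a username the roles are applied to
        # the wrong user or not at all, while the import still succeeds.
        expected = prefix + sa_client
        username = user.get("username")
        if username is None:
            findings.append(f"{where}: no username; expected '{expected}'")
        elif username != expected:
            findings.append(f"{where}: username '{username}' does not match expected '{expected}'")
    return findings


# Constructed sample: the shape of the original report (one client entry
# duplicated, users without username, one user pointing at an absent client).
BROKEN_IMPORT = json.loads("""
{
  "realm": "test",
  "clients": [
    {"clientId": "api-event-mgmt", "serviceAccountsEnabled": true},
    {"clientId": "api-event-mgmt", "serviceAccountsEnabled": true}
  ],
  "users": [
    {"serviceAccountClientId": "api-client-mgmt",
     "clientRoles": {"realm-management": ["view-realm", "manage-users"]}},
    {"serviceAccountClientId": "api-event-mgmt",
     "clientRoles": {"realm-management": ["view-events", "manage-events"]}}
  ]
}
""")

# Constructed sample: the shape of the corrected import.
FIXED_IMPORT = json.loads("""
{
  "realm": "test",
  "clients": [
    {"clientId": "api-event-mgmt", "serviceAccountsEnabled": true},
    {"clientId": "api-client-mgmt", "serviceAccountsEnabled": true}
  ],
  "users": [
    {"username": "service-account-api-client-mgmt",
     "serviceAccountClientId": "api-client-mgmt",
     "clientRoles": {"realm-management": ["view-realm", "manage-users"]}},
    {"username": "service-account-api-event-mgmt",
     "serviceAccountClientId": "api-event-mgmt",
     "clientRoles": {"realm-management": ["view-events", "manage-events"]}}
  ]
}
""")


if __name__ == "__main__":
    # Usage: python lint_sa.py import.json   (no argument: run on the samples)
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8") as fh:
            docs = {sys.argv[1]: json.load(fh)}
    else:
        docs = {"broken": BROKEN_IMPORT, "fixed": FIXED_IMPORT}
    for name, doc in docs.items():
        result = lint_service_account_users(doc)
        print(f"{name}: {'clean' if not result else ''}")
        for line in result:
            print("  -", line)
    sys.exit(1 if any(lint_service_account_users(d) for d in docs.values()) else 0)
```

Running it on the broken sample yields four findings (the duplicate client, the unresolved `api-client-mgmt` reference, and the two missing usernames); the fixed sample yields none. The non-zero exit status makes it usable as a CI gate in front of the actual import, which is where you want an authorization mistake of this kind to be caught.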

@Motouom Motouom moved this from In Progress to Review in os-competence-center-board Jan 9, 2025
@Motouom Motouom moved this from Review to Awaiting Feedback in os-competence-center-board Jan 9, 2025
Status: Awaiting Feedback

No branches or pull requests