
Groups get deleted on multi-IdP setup #240

Description

@mriedmann

We are currently hitting a very subtle bug regarding a multi-IdP setup (Keycloak, LDAP):

When a user logs in via Keycloak, all non-existent groups are created due to group claims. Now, if the same user logs in via LDAP after the first login (same account, mappingMethod: add), all groups that were created by the Keycloak IdP are deleted if the user is the only user in that group.

I identified this section:

if len(updatedGroup.Users) == 1 && updatedGroup.Users[0] == username && updatedGroup.Annotations[groupGeneratedKey] == "true" {
return m.groupsClient.Delete(context.TODO(), group, metav1.DeleteOptions{})
}
// don't perform any actions on the group if it hasn't been synced for this IdP
if updatedGroup.Annotations[fmt.Sprintf(groupSyncedKeyFmt, idpName)] != "synced" {
return nil
}

The group cleanup check is above the IdP annotation check, most likely leading to this problem.

I know that this is an edge case, but it can be hit quite randomly and forces us to work around it. My customers and I would really appreciate a fix.

How to reproduce:

  • add an OAuth and an LDAP IdP to OpenShift (both binding to the same OpenShift User with mappingMethod: add)
  • add automated group propagation using claims to the OAuth IdP
  • log in with a user that has at least one group using the OAuth IdP
    • the group is created as expected
  • log out and log in with the same user using the LDAP IdP
  • now the group is deleted

Notes:

  • If another user is added to the group (for whatever reason) it is not deleted
  • If the group is created manually or via ldap sync this does not happen
  • If 2 OAuth IdPs are used and both IdP Tokens contain the same groups, there should be no problem
  • This behavior points to a bug rather than a security feature.
  • Simply swapping the order of the checks should fix this edge-case.
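The following is an added illustration, not code from the issue author or from the project. It replays the reproduction steps above against a small in-memory model of the group sync: the quoted check order (cleanup before the per-IdP "synced" check) beside the swapped order the reporter suggests. The Group struct, the store, the syncLogin driver and the literal annotation key strings are assumptions made for this demo; only the two if-conditions are taken from the quoted snippet.

```go
package main

import "fmt"

// Annotation keys. The issue quotes only the identifiers, not their values,
// so these strings are assumptions for the demo.
const (
	groupGeneratedKey = "oauth.openshift.io/generated"
	groupSyncedKeyFmt = "oauth.openshift.io/idp.%s"
)

// Group is a minimal stand-in for the Kubernetes Group object.
type Group struct {
	Name        string
	Users       []string
	Annotations map[string]string
}

// store is an in-memory stand-in for the groups client.
type store map[string]*Group

type removeFunc func(s store, name, username, idpName string)

func contains(list []string, s string) bool {
	for _, v := range list {
		if v == s {
			return true
		}
	}
	return false
}

// ensure creates a group from a claim on first sight (marking it generated),
// marks it as synced for this IdP and adds the user.
func (s store) ensure(name, username, idpName string) {
	g, ok := s[name]
	if !ok {
		g = &Group{Name: name, Annotations: map[string]string{groupGeneratedKey: "true"}}
		s[name] = g
	}
	g.Annotations[fmt.Sprintf(groupSyncedKeyFmt, idpName)] = "synced"
	if !contains(g.Users, username) {
		g.Users = append(g.Users, username)
	}
}

func dropUser(g *Group, username string) {
	kept := g.Users[:0]
	for _, u := range g.Users {
		if u != username {
			kept = append(kept, u)
		}
	}
	g.Users = kept
}

// removeUserBuggy keeps the order quoted in the issue: the cleanup check runs
// before the per-IdP "synced" check, so an IdP that never synced the group
// can still delete it.
func removeUserBuggy(s store, name, username, idpName string) {
	g, ok := s[name]
	if !ok {
		return
	}
	if len(g.Users) == 1 && g.Users[0] == username && g.Annotations[groupGeneratedKey] == "true" {
		delete(s, name)
		return
	}
	if g.Annotations[fmt.Sprintf(groupSyncedKeyFmt, idpName)] != "synced" {
		return
	}
	dropUser(g, username)
}

// removeUserFixed swaps the two checks, as the issue suggests: groups this IdP
// never synced are left alone before any cleanup is considered.
func removeUserFixed(s store, name, username, idpName string) {
	g, ok := s[name]
	if !ok {
		return
	}
	if g.Annotations[fmt.Sprintf(groupSyncedKeyFmt, idpName)] != "synced" {
		return
	}
	if len(g.Users) == 1 && g.Users[0] == username && g.Annotations[groupGeneratedKey] == "true" {
		delete(s, name)
		return
	}
	dropUser(g, username)
}

// syncLogin models one login: add the user to every claimed group, then run
// the removal logic on every other group the user is a member of.
func syncLogin(s store, username, idpName string, claimed []string, remove removeFunc) {
	for _, name := range claimed {
		s.ensure(name, username, idpName)
	}
	for name, g := range s { // deleting during range is safe in Go
		if contains(g.Users, username) && !contains(claimed, name) {
			remove(s, name, username, idpName)
		}
	}
}

// groupSurvives replays the reproduction steps: Keycloak login with one group
// claim, then LDAP login (no group claims) for the same user. A non-empty
// otherUser is added as a second member first, the case the notes say is
// not deleted. Reports whether the generated group still exists afterwards.
func groupSurvives(remove removeFunc, otherUser string) bool {
	s := store{}
	syncLogin(s, "alice", "keycloak", []string{"dev-team"}, remove)
	if otherUser != "" {
		s.ensure("dev-team", otherUser, "keycloak")
	}
	syncLogin(s, "alice", "ldap", nil, remove)
	_, ok := s["dev-team"]
	return ok
}

func main() {
	fmt.Println("quoted order, sole member:", groupSurvives(removeUserBuggy, ""))    // false
	fmt.Println("swapped order, sole member:", groupSurvives(removeUserFixed, ""))   // true
	fmt.Println("quoted order, second member:", groupSurvives(removeUserBuggy, "bob")) // true
}
```

With the quoted order the LDAP login deletes dev-team even though LDAP never synced it; with the swapped order the missing per-IdP annotation short-circuits before the delete. The second-member case survives under both orders, matching the first note above.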
