We are currently hitting a very subtle bug regarding a multi-IdP Setup (Keycloak, LDAP):
When a user logs in via Keycloak, all non-existing groups are created due to group claims. Now if the same user logs in via LDAP after the first login (same account, mappingMethod: add), all groups that were created by the Keycloak IdP are deleted if the user is the only user in that group.
I identified this section (oauth-server/pkg/groupmapper/groupmapper.go, lines 136 to 143 in f892602):

```go
// Cleanup check: the group was generated by the group mapper and this user is its
// only remaining member, so the group is deleted outright.
if len(updatedGroup.Users) == 1 && updatedGroup.Users[0] == username && updatedGroup.Annotations[groupGeneratedKey] == "true" {
	return m.groupsClient.Delete(context.TODO(), group, metav1.DeleteOptions{})
}

// don't perform any actions on the group if it hasn't been synced for this IdP
if updatedGroup.Annotations[fmt.Sprintf(groupSyncedKeyFmt, idpName)] != "synced" {
	return nil
}
```
The group cleanup check is above the IdP annotation check, most likely leading to this problem.
I know that this is an edge case, but it can hit quite randomly and forces us to work around it. My customers and I would really appreciate a fix.
How to reproduce:
- add an OAuth and an LDAP IdP to OpenShift (both are binding to the same OpenShift user with mappingMethod: add)
- add automated group propagation using claims to the OAuth IdP
- log in with a user that has at least one group using the OAuth IdP
- the group is created as expected
- log out and log in with the same user using the LDAP IdP
- now the group is deleted
Notes:
- If another user is added to the group (for whatever reason) it is not deleted
- If the group is created manually or via ldap sync this does not happen
- If 2 OAuth IdPs are used and both IdP Tokens contain the same groups, there should be no problem
- This behavior points to a bug rather than a security feature.
- Simply swapping the order of the checks should fix this edge-case.
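To make the ordering problem concrete, here is an added Go model of the two checks quoted above; it is not the oauth-server code, and the annotation key values, the `decide` function and the sample group are constructed assumptions. The `idpCheckFirst` flag switches between the order in the issue and the proposed swap.

```go
package main

import "fmt"

// Placeholder values assumed for the annotation keys the issue names
// (groupGeneratedKey, groupSyncedKeyFmt); the real constants live in
// oauth-server/pkg/groupmapper/groupmapper.go.
const (
	groupGeneratedKey = "example.invalid/generated"
	groupSyncedKeyFmt = "example.invalid/%s.synced"
)

// Group is a minimal stand-in for the OpenShift Group object.
type Group struct {
	Users       []string
	Annotations map[string]string
}

// decide returns the mapper's action for a group that the user's current
// login no longer lists. idpCheckFirst=false reproduces the order quoted in
// the issue; true is the proposed fix (per-IdP check before cleanup).
func decide(g Group, username, idpName string, idpCheckFirst bool) string {
	soleGeneratedMember := len(g.Users) == 1 && g.Users[0] == username &&
		g.Annotations[groupGeneratedKey] == "true"
	syncedHere := g.Annotations[fmt.Sprintf(groupSyncedKeyFmt, idpName)] == "synced"
	if !idpCheckFirst && soleGeneratedMember {
		return "delete group" // original order: deleted before asking which IdP synced it
	}
	if !syncedHere {
		return "skip: not synced for this IdP"
	}
	if soleGeneratedMember {
		return "delete group" // swapped order: only the IdP that synced the group gets here
	}
	return "remove user from group"
}

// keycloakGroup is a constructed sample: created from Keycloak claims with
// alice as its only member; the LDAP IdP never synced it.
func keycloakGroup() Group {
	return Group{Users: []string{"alice"}, Annotations: map[string]string{
		groupGeneratedKey: "true", fmt.Sprintf(groupSyncedKeyFmt, "keycloak"): "synced",
	}}
}

func main() {
	g := keycloakGroup()
	fmt.Println("LDAP login, original order:", decide(g, "alice", "ldap", false))
	fmt.Println("LDAP login, swapped order: ", decide(g, "alice", "ldap", true))
}
```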