keycloak/keycloak

Getting "UnknownError" exception when KerberosPrincipal has more than one "@" character

Open

#29,316 建立於 2024年5月6日

在 GitHub 查看
 (6 留言) (1 反應) (0 負責人)Java (8,346 fork)batch import
area/authenticationhelp wantedkind/bugpriority/normalstatus/auto-bumpteam/core-authnteam/core-clientsteam/rh-iam

倉庫指標

Star
 (34,398 star)
PR 合併指標
 (平均合併 6天 19小時) (30 天內合併 384 個 PR)

描述

Before reporting an issue

  • I have read and understood the above terms for submitting issues, and I understand that my issue may be closed without action if I do not follow them.

Area

authentication

Describe the bug

When a KerberosPrincipal is defined into the UserFederation with multiple "@" characters a "Could not sync users: 'UnknownError'" error shows up in the UI.

Conversely, nothing shows up on the log side.

Probably also the logic imposing the presence of a single @ symbol in kerberos principal name can be wrong by the specification (https://datatracker.ietf.org/doc/html/rfc1964#section-2.1.1)

Code line which raises the error if the "@" characters are more than one: https://github.com/keycloak/keycloak/blob/main/federation/kerberos/src/main/java/org/keycloak/federation/kerberos/KerberosPrincipal.java#L34

Environment

  • RHBK 22.0.09
  • LDAP
  • Kerberos

Reproducer

  1. Add a krbPrincipalName attribute (or a custom one, but you will need to change the default value into the UserFederation settings) into the LDAP.
  2. Set the attribute value with at least two "@" characters for one user.
  3. Create a UserFederation with the correct parameters.
  4. Sync all users.
  5. You will see a "Could not sync users: 'UnknownError' alert in the UI.
  6. Nothing will show up in the server logs.

Workaround

  • Fixing the users by putting one single "@" character into the userPrincipalName.
  • Excluding them by setting an LDAP filter:
(!(userPrincipalName=*\@*\@*))

Possible fix

It seems that it is possible to have multiple kerberos principals in the name as long as the character is properly escaped - according to https://datatracker.ietf.org/doc/html/rfc1964#section-2.1.1 section (1.a).

What we can probably do is:

  • Make sure that Keycloak can properly support the kerberos principal as long as character @ is escaped.
  • In case that it is not escaped, the Kerberos principal is likely incorrect. Keycloak might at least make sure that sensible error is displayed.

Version

nightly

Regression

  • The issue is a regression

Expected behavior

See above

Actual behavior

See above

How to Reproduce?

See above

Anything else?

No response

貢獻者指南