Skip to content

Extends the conditional user attribute authenticator to check the att…#20189

Merged
mposolda merged 14 commits intokeycloak:mainfrom
dmartinol:issue-20007
Jun 19, 2023
Merged

Extends the conditional user attribute authenticator to check the att…#20189
mposolda merged 14 commits intokeycloak:mainfrom
dmartinol:issue-20007

Conversation

@dmartinol
Copy link
Contributor

@dmartinol dmartinol commented May 5, 2023

Extends the conditional user attribute authenticator to check the attributes of the joined groups.
Also includes a small change to the documentation to clarify this behavior.

Closes #20007

@dmartinol
Extends the conditional user attribute authenticator to check the att…
aca5351 
…ributes of the joined groups.

Also includes a small change to the documentation to clarify this behavior.

Closes keycloak#20007
@dmartinol dmartinol requested a review from a team as a code owner May 5, 2023 14:22
pedroigor
pedroigor reviewed May 15, 2023
View reviewed changes
docs/documentation/server_admin/topics/authentication/conditions.adoc Outdated

`Condition - User Attribute`::
This checks if the user has set up the required attribute.
This checks if the user or any of the joined groups have set up the required attribute.
Copy link
Contributor

@pedroigor pedroigor May 15, 2023

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Shall we make clear that attributes are not inherited from parent groups but only those the user is a direct member of?

I'm not 100% sure if the attributes should always be resolved from groups in case they are unavailable from the user. It might end up with additional queries to the database even though you are not relying on attributes from groups or not using groups at all. It might happen that groups (and their attributes) are already being fetched before entering this authenticator, but I'm not sure.

Copy link
Contributor

@mposolda mposolda May 15, 2023

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@pedroigor Maybe we can add additional option to this authenticator like Allow group attributes - When false (the default), the behaviour would be the same like today (so not checking groups). When true, it can also check attributes from groups (the tooltip should have the info about the fact that using group attributes can have some performance impact). WDYT?

@mposolda
Copy link
Contributor

mposolda commented May 15, 2023

@dmartinol Added one comment inline in addition to Pedro's comment. Also the automated test is missing (for example BrowserFlowTest or AllowDenyAuthenticatorTest uses this authenticator - so perhaps there can be test added also for groups).

@dmartinol
Copy link
Contributor Author

dmartinol commented May 16, 2023

@dmartinol Added one comment inline in addition to Pedro's comment. Also the automated test is missing (for example BrowserFlowTest or AllowDenyAuthenticatorTest uses this authenticator - so perhaps there can be test added also for groups).

@mposolda I tried both the default undertow and the auth-server-quarkus profile but both fail with some mismatch with dependency classes/interfaces. E.g. with auth-server-quarkus profile I get:

[ERROR] BrowserFlowTest>AbstractKeycloakTest.beforeAbstractKeycloakTest:187->AbstractKeycloakTest.importTestRealms:396->AbstractKeycloakTest.importRealm:516 » NoSuchMethod 'jakarta.ws.rs.WebApplicationException org.jboss.resteasy.client.exception.WebApplicationExceptionWrapper.wrap(jakarta.ws.rs.WebApplicationException)'

Any hints?

@rmartinc
Copy link
Contributor

rmartinc commented May 18, 2023

@dmartinol The easiest way to test BrowserFlowTest is doing the following:

mvn clean install -DskipTests
cd testsuite/integration-arquillian/tests/base/
mvn clean test -Dtest=org.keycloak.testsuite.forms.BrowserFlowTest
# or
mvn clean test -Pauth-server-quarkus -Dtest=org.keycloak.testsuite.forms.BrowserFlowTest
# for a specific test
mvn clean test -Dtest=org.keycloak.testsuite.forms.BrowserFlowTest#testFlowDisabledWhenConditionalAuthenticatorIsDisabled

Usually the non-quarkus test is easier as it picks the deps without requiring more sub-projects (just mvn clean install the services project and the run will take the new changes).

As @mposolda commented I would try to add an extra option to the conditional, this is very similar to Aggregate attribute values in the OIDC mappers (see UserAttributeMapper.java . You can even use the KeycloakModelUtils.resolveAttribute method to obtain the collection of all attributes (group values included). Just default the option to false.

Regards!

@mposolda mposolda self-assigned this May 19, 2023
@dmartinol
Copy link
Contributor Author

dmartinol commented May 22, 2023

@rmartinc @mposolda pushed changes to include the extra option to the conditional.
Working on the UT righ tnow

@dmartinol dmartinol mentioned this pull request May 23, 2023
Merged
sgahlot added a commit to RHEcosystemAppEng/keycloak that referenced this pull request May 24, 2023
@sgahlot
Merge pull request #3 from dmartinol/issue-20007
40deab2 
Extends the conditional user attribute authenticator to check the att… keycloak#20189
@dmartinol dmartinol requested review from a team as code owners May 25, 2023 15:29
@dmartinol dmartinol requested a review from a team May 25, 2023 15:29
@ghost ghost added team/store labels May 25, 2023
@dmartinol
Copy link
Contributor Author

dmartinol commented May 25, 2023

@mposolda, all
added missing test code, hope this is good to go now

@dmartinol
Copy link
Contributor Author

dmartinol commented May 30, 2023

@pedroigor @mposolda anything else is needed?

pedroigor
pedroigor approved these changes Jun 14, 2023
View reviewed changes
Copy link
Contributor

@pedroigor pedroigor left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@dmartinol @mposolda LGTM.

@pedroigor
Copy link
Contributor

pedroigor commented Jun 14, 2023

@mposolda Anything else?

@mposolda
Copy link
Contributor

mposolda commented Jun 19, 2023

@dmartinol @pedroigor Thanks for the update and review!

@mposolda mposolda merged commit d9b271c into keycloak:main Jun 19, 2023
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@pedroigor pedroigor pedroigor approved these changes

@mposolda mposolda mposolda approved these changes

Assignees

@mposolda mposolda

Labels

team/cloud-native

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

Conditional user attribute authenticator does not match the joined groups

4 participants

@dmartinol @mposolda @rmartinc @pedroigor