Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Issues with free version pre-enterprise #96

Open
garpinc opened this issue Jan 30, 2024 · 12 comments
Open

Issues with free version pre-enterprise #96

garpinc opened this issue Jan 30, 2024 · 12 comments

Comments

@garpinc
Copy link

garpinc commented Jan 30, 2024

We're considering purchasing the enterprise version of this and so we thought we'd try free version to see how well it would work for us.
I'm using version 21.1.2 of keycloak with the following datasource
dataSource.setUrl("jdbc:h2:file:" + dbDirectory + "/testdb;NON_KEYWORDS=VALUE;IGNORECASE=TRUE;MODE=Oracle;DB_CLOSE_DELAY=-1;DB_CLOSE_ON_EXIT=TRUE;AUTO_RECONNECT=TRUE;INIT=CREATE SCHEMA IF NOT EXISTS mydb\\;SET SCHEMA mydb\\;");

My first issue was wrt enabling the license. We're loading our config with json so to get that to work I put following in the keycloak-server.json file. That wasn't immediately obvious from documentation but after much ado I got it working.

	"realm-restapi-extension": {
		"scim": {
			"license-key": "MYLICENSE"
		}
	}

Then I got an error from liquibase
Unable to resolve xml entity /META-INF/dbchangelog-3.9.xsd. liquibase.secureParsing is set to 'true' which does not allow remote lookups. Check for spelling or capitalization errors and missing extensions such as liquibase-commercial in your XSD definition. Or, set it to 'false' to allow remote lookups of xsd files.

It turned out that in liquibase.parser.core.xml.LiquibaseEntityResolver.resolveEntity(String name, String publicId, String baseURI, String systemId) systemId was being set to /META-INF/dbchangelog-3.9.xsd. This was being lowercased by systemId.toLowerCase() and hence it could not find that file. I changed the liquibase code to not do that and got past this error

Then I got this error from liquibase
because 'file' access is not allowed due to restriction set by the accessExternalSchema property
Turns out that liquibase.parser.core.xml.XMLChangeLogSAXParser does this
parser.setProperty(XMLConstants.ACCESS_EXTERNAL_SCHEMA, "http,https"); //need to allow external schemas on http/https to support the liquibase.org xsd files

Doesn't seem very secure to me since the whole point of this was to not allow remote access from resolving xsd however i set it to "all" instead and got past the error.

Next issue I get is the following error

Caused by: org.h2.jdbc.JdbcSQLSyntaxErrorException: Syntax error in SQL statement "select scimschema0_.ID as id1_75_, scimschema0_.CREATED as created2_75_, scimschema0_.DESCRIPTION as descript3_75_, scimschema0_.LAST_MODIFIED as last_mod4_75_, scimschema0_.MODIFIABLE as modifiab5_75_, scimschema0_.NAME as name6_75_, scimschema0_.SCHEMA_ID as schema_i7_75_ from SCIM_SCHEMA scimschema0_ where scimschema0_.NAME in ([*])"; expected "INTERSECTS (, NOT, EXISTS, UNIQUE, INTERSECTS"; SQL statement:
select scimschema0_.ID as id1_75_, scimschema0_.CREATED as created2_75_, scimschema0_.DESCRIPTION as descript3_75_, scimschema0_.LAST_MODIFIED as last_mod4_75_, scimschema0_.MODIFIABLE as modifiab5_75_, scimschema0_.NAME as name6_75_, scimschema0_.SCHEMA_ID as schema_i7_75_ from SCIM_SCHEMA scimschema0_ where scimschema0_.NAME in () [42001-220]

Not sure why or how to resolve this but I'm on verge of giving up with all these issues. Please advise as to if you have any recommendations. Thx
@Captain-P-Goldfish
Copy link
Owner

Hi first of all: Thanks I never considered json-configuration but in a production state most seem to use environment variables because it is easier with docker.

But if I look at your problems there are a few things that cross my mind here:

  1. are you trying to include the plugin into some unit tests of another custom provider?
    1. What jumps into my eye is the usage of h2-database that should only be used for testing.
    2. Oracle support MODE=Oracle will definetly fail since I just added support for Oracle database yesterday with the versions kc-23-1.4.0-enterprise and kc-22-1.4.0. Not available for keycloak 21.
  2. And the errors you are describing here remind me of writing my own unit tests because I too had to overcome these to make my unit-tests work.

This issue does not seem to be related to install the plugin into keycloak and make it run.

@garpinc
Copy link
Author

garpinc commented Jan 30, 2024
edited
Loading

I'm actually doing embedded keycloak in our app derived from https://www.baeldung.com/keycloak-embedded-in-spring-boot-app. Everything works as is but not this usecase which we were hoping for as one of our customers requires us to talk SCIM instead of LDAP. I have to also stay on that older version because we can't currently upgrade the version of jetty deployed in our app without a massive pain and later versions of keycloak require a jetty upgrade.

@Captain-P-Goldfish
Copy link
Owner

the embedded keycloak solution is pretty custom and out of scope for support. Since I have never tried this myself I cannot tell you which steps you need to do. The plugin works when directly installed into keycloak but I don't know what is necessary to get it running in your specific case.

Another problem you will get is that the liquibase script will cause problems with oracle-database. There will also be some issues with timestamps and a clob-type column in the schemaAttributes table. The 21 version will cause you some trouble as it does not seem to fit into you current scenario.

@garpinc
Copy link
Author

garpinc commented Jan 31, 2024 via email

@Captain-P-Goldfish
Copy link
Owner

I just added an exception release: kc-21-1.2.1-oracle
This is all I can offer so far. I am not extending the keycloak 21 version anymore. The merge-conflicts I am getting from 21 to 22 are too much work. And therefore I will not support this version any longer except in case of urgent security issues.

@garpinc
Copy link
Author

garpinc commented Feb 1, 2024
edited
Loading

I've got great news and bad news.. That worked great!!! Got no errors and I can get into the SCIM management interface.
Now the bad news is that I guess I misunderstood the difference between the client and server. It seems what I just did was allow the creation of SCIM endpoints in keycloak. i.e: now if someone wants to write an scim client to manipulate keycloak users they can do that instead of using the keycloak api (which is what I'm using in our application).

Unfortunately what I actually need (I think) is for keycloak to have an SCIM client to do user federation in a similar way to the ldap provider user federation. Is this the client that you are working on?

I actually don't need any of the SCIM CRUD functionality in this client since, like ldap user federation, it would be read only from my application because the client is not going to want us messing with their users.

It seems that none of the development does the equivalent of user federation using SCIM unless I am mistaken.

@Captain-P-Goldfish
Copy link
Owner

Yes, the SCIM client functionality is still in development and not far from being finished. But this will not be available for keycloak 21. It will be released under version 2.0.0 for keycloak 22 and 23

@garpinc
Copy link
Author

garpinc commented Feb 1, 2024 via email

@garpinc
Copy link
Author

garpinc commented Feb 1, 2024 via email

@Captain-P-Goldfish
Copy link
Owner

First I need to get the SCIM client implementation finished. My plan is (I hope I can keep this) to provide a mostly working preview until the end of february. You should evaluate it then if it meets your requirements and maybe then we can talk about kc21 support.

Could you clarify how exactly you define the behaviour of identity federation in this case?
The SCIM Client implementation will normally do what is expected:

  1. A remote SCIM provider is configured and can be assigned to a specific realm.
  2. If a user or group is created the event is catched and a SCIM create-request is sent to the remote provider
  3. Same for delete requests
  4. The really tricky part is handling updates of resources. This has some weaknesses because it can easily clash with other custom-providers in keycloak. Also you are using a special customized implementation that pulls keycloak into a spring-boot application. I am not sure if this specific circumstance might disable the client-implementation. It was necessary to register an interceptor on the keycloaks jpa-unit in hibernate to get it to work. I have no idea what the consequences are when you are modifying the environment

@garpinc
Copy link
Author

garpinc commented Feb 1, 2024
edited
Loading

So first of all I'm not using spring-boot. I used the technique to instead expose the resteasy stuff and corresponding keycloak app via regular spring mvc. I'm pretty sure I can register the interceptor as well since I have full control of the infrastructure except that of course I'm not allowed to change your code so we would have to see how the registration that you do fits in. I would think it would just work like all the rest of it but again we'll see. The server works with only a few tweaks to liquibase so it seems I'm not that much different to a regular install.

Secondly the use case you specified isn't the use case I'm after (I don't think).

What happens when you have LDAP user federation is following

  1. you can sync the users from the remote ldap into keycloak
  2. if someone logs in the user is pulled from remote ldap into keycloak along with the groups they are a part of

I just want the same things to happen instead via SCIM. So there is a remote source system containing users and groups and exposing the endpoints. So you can do 1) and 2). Essentially imagine the same ldap user federation source hidden behind SCIM endpoints.

@Captain-P-Goldfish
Copy link
Owner

Thanks for the clarification. I already assumed this would be the case. The first development state will not do what you want. But it should be relatively easy without much effort (at least that is what I am thinking at the moment) to extend its functionality to what you want. And from my point of view it is a really good way of using it. So I will add this feature as soon as the client-implementation is finished.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@garpinc @Captain-P-Goldfish