NullPointerException using auth-require-group-extension on Keycloak 11.0.2 #21

Open
tgould-zivaro opened this issue Mar 17, 2021 · 1 comment

@tgould-zivaro

I am running Keycloak 11.0.2 with the require-group-extension deployed. I am using the below authentication flow (started as a copy of the Browser Flow).
[Screenshot: Keycloak Admin Console 3-17-2021 3-35-14 PM]

This flow is allowing users in even when they do not have the configured required group. The Keycloak logs show the following, which appears to be at the root of the issue:

20:05:46,239 WARN  [org.keycloak.services] (default task-42) KC-SERVICES0013: Failed authentication: java.lang.NullPointerException
at deployment.auth-require-group-extension-1.0.0.0-SNAPSHOT.jar//com.github.thomasdarimont.keycloak.auth.requiregroup.RequireGroupAuthenticator.isMemberOfGroup(RequireGroupAuthenticator.java:47)
at deployment.auth-require-group-extension-1.0.0.0-SNAPSHOT.jar//com.github.thomasdarimont.keycloak.auth.requiregroup.RequireGroupAuthenticator.authenticate(RequireGroupAuthenticator.java:29)
at [email protected]//org.keycloak.authentication.DefaultAuthenticationFlow.processSingleFlowExecutionModel(DefaultAuthenticationFlow.java:443)
....

What am I missing or doing incorrectly please?

TIA!

@tgould-zivaro

I believe that I have discovered that this is incompatible when using an Identity Provider Redirect. I am guessing that in such a case, the original flow is ended when the redirect to the Identity Provider occurs. Therefore, any authorization via this plugin that is configured to happen afterwards does not occur.

I have also attempted to configure the required authorization via this plugin in a separate 'authorization only' flow that is configured as the Identity Provider's Post Login Flow, but this limits you to only a single configuration - as opposed to potentially one for each unique client.

I have worked around this successfully in two slightly different manners:

  1. enabling script-based authenticators and writing a script to perform the authorization while dynamically determining the required group name based upon the client invoked
  - OR -
  2. writing a custom authenticator plugin to perform the authorization while dynamically determining the required group name based upon the client invoked

It is unfortunate that this seemingly common use case (i.e. working with an Identity Provider) is neither better supported nor documented as a known limitation.
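
The second workaround described in the comment above, a custom authenticator that picks the required group from the client that started the login, sketched as an added example. This is not code from the issue, from Keycloak, or from the auth-require-group-extension; the package name, provider id, client IDs and group paths are placeholders, and the Keycloak SPI calls are the public `Authenticator`/`AuthenticatorFactory` interfaces as of Keycloak 11. Because the login reaches the authenticator after an identity-provider redirect, it is written to live in the identity provider's Post Login Flow and to fail closed when `getUser()` is null, which is the condition behind the NullPointerException in the stack trace:

```java
package com.example.keycloak.auth; // hypothetical package, not the extension's own

import java.util.Collections;
import java.util.HashMap;
import java.util.List;
import java.util.Map;

import org.keycloak.Config;
import org.keycloak.authentication.AuthenticationFlowContext;
import org.keycloak.authentication.AuthenticationFlowError;
import org.keycloak.authentication.Authenticator;
import org.keycloak.authentication.AuthenticatorFactory;
import org.keycloak.models.AuthenticationExecutionModel;
import org.keycloak.models.ClientModel;
import org.keycloak.models.GroupModel;
import org.keycloak.models.KeycloakSession;
import org.keycloak.models.KeycloakSessionFactory;
import org.keycloak.models.RealmModel;
import org.keycloak.models.UserModel;
import org.keycloak.models.utils.KeycloakModelUtils;
import org.keycloak.provider.ProviderConfigProperty;

/**
 * Authenticator intended for an identity provider's Post Login Flow: it looks
 * up the client that started the login and requires membership of the group
 * mapped to that client. The class is stateless, so it also acts as its own
 * factory.
 */
public class ClientGroupAuthenticator implements Authenticator, AuthenticatorFactory {

    public static final String PROVIDER_ID = "client-group-authenticator"; // hypothetical id

    // Hypothetical mapping: client ID -> required group path.
    // Clients that are not listed carry no group requirement.
    private static final Map<String, String> REQUIRED_GROUP_BY_CLIENT = new HashMap<>();
    static {
        REQUIRED_GROUP_BY_CLIENT.put("billing-app", "/billing-users");
        REQUIRED_GROUP_BY_CLIENT.put("admin-portal", "/admins");
    }

    @Override
    public void authenticate(AuthenticationFlowContext context) {
        UserModel user = context.getUser();
        if (user == null) {
            // No authenticated user in this flow yet: fail closed instead of
            // dereferencing null or silently letting the login through.
            context.failure(AuthenticationFlowError.UNKNOWN_USER);
            return;
        }

        ClientModel client = context.getAuthenticationSession().getClient();
        String requiredGroupPath = REQUIRED_GROUP_BY_CLIENT.get(client.getClientId());
        if (requiredGroupPath == null) {
            context.success(); // nothing required for this client
            return;
        }

        RealmModel realm = context.getRealm();
        GroupModel group = KeycloakModelUtils.findGroupByPath(realm, requiredGroupPath);
        if (group == null || !user.isMemberOf(group)) {
            // A group missing from the realm is treated like a missing
            // membership: a misconfiguration must not become an open door.
            context.failure(AuthenticationFlowError.INVALID_USER);
            return;
        }
        context.success();
    }

    @Override public void action(AuthenticationFlowContext context) { /* no form step */ }
    @Override public boolean requiresUser() { return true; }
    @Override public boolean configuredFor(KeycloakSession session, RealmModel realm, UserModel user) { return true; }
    @Override public void setRequiredActions(KeycloakSession session, RealmModel realm, UserModel user) { }

    // AuthenticatorFactory / ProviderFactory side
    @Override public Authenticator create(KeycloakSession session) { return this; }
    @Override public void init(Config.Scope config) { }
    @Override public void postInit(KeycloakSessionFactory factory) { }
    @Override public void close() { }
    @Override public String getId() { return PROVIDER_ID; }
    @Override public String getDisplayType() { return "Require client-specific group"; }
    @Override public String getReferenceCategory() { return "group"; }
    @Override public boolean isConfigurable() { return false; }
    @Override public boolean isUserSetupAllowed() { return false; }
    @Override public String getHelpText() {
        return "Denies login unless the user is in the group mapped to the requesting client.";
    }
    @Override public List<ProviderConfigProperty> getConfigProperties() { return Collections.emptyList(); }

    @Override
    public AuthenticationExecutionModel.Requirement[] getRequirementChoices() {
        return new AuthenticationExecutionModel.Requirement[] {
            AuthenticationExecutionModel.Requirement.REQUIRED,
            AuthenticationExecutionModel.Requirement.DISABLED
        };
    }
}
```

To deploy it, list the class name in `META-INF/services/org.keycloak.authentication.AuthenticatorFactory` inside the JAR, deploy the JAR, create an "authorization only" flow containing this execution as REQUIRED, and set that flow as the identity provider's Post Login Flow. Since the client is read from the authentication session at runtime, one flow serves every client, which is the limitation of a single fixed group name that the comment above describes.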
