Hi there, we recently upgraded Keycloak to 7.0.1 and found that our previous custom Authenticator was gone – the new version disables the Upload Scripts feature. We then changed the way we provide the JS files: we put them into a JAR file and deployed it. However, we found that the script is being called, but when the logic calls
context.failure(AuthenticationFlowError.INVALID_USER);
the system does not reject the user; instead it lets the login process go through and still redirects to the redirect URL. Please help us look into this and see whether it is potentially a bug. Thanks!
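/**
 * Keycloak script-authenticator entry point: allow the login only when the
 * current user holds the realm role "fhir_admin", otherwise fail the flow.
 *
 * Relies on the bindings the ScriptBasedAuthenticator injects into the script
 * scope: `user`, `realm`, `script`, `LOG` and `AuthenticationFlowError`
 * (presumably ES5-only under Nashorn, see the JDK warning in the server log,
 * so no ES6 syntax is used here).
 *
 * @param {AuthenticationFlowContext} context - flow context used to report
 *   success() or failure(); no return value.
 */
function authenticate(context) {
  var username = user ? user.username : "anonymous";
  LOG.info(script.name + " trace auth for: " + username);

  // Decide fail-closed: the original only guarded the log line against a
  // missing user, so `user.hasRole()` on a null user would throw inside the
  // script engine instead of producing an explicit failure. A role lookup that
  // returns nothing (assumed when "fhir_admin" does not exist in the realm) is
  // treated the same way.
  var requiredRole = realm.getRole("fhir_admin");
  var hasRequiredRole = Boolean(user) && Boolean(requiredRole) && user.hasRole(requiredRole);

  if (!hasRequiredRole) {
    LOG.info(script.name + " trace auth for: " + username + " -- it should fail!");
    // NOTE(review): failure() only records the error on the context; whether
    // that actually stops the login depends on the execution's requirement in
    // the flow (REQUIRED vs. alternative) and on the server's flow engine --
    // verify the flow configuration if the login still completes.
    context.failure(AuthenticationFlowError.INVALID_USER);
    return;
  }

  LOG.info(script.name + " trace auth for: " + username + " -- it should succeed!");
  context.success();
}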
The Log snippets:
- The test user doesn’t have the required realm role, so the login should fail. But we only get a warning and the login process went through.
e[0me[31m21:18:15,728 ERROR [stderr] (default task-8) Warning: Nashorn engine is planned to be removed from a future JDK release
e[0me[0m21:18:17,019 INFO [org.keycloak.authentication.authenticators.browser.ScriptBasedAuthenticator] (default task-8) PDD-Registry Authenticator trace auth for: test
e[0me[0m21:18:18,697 INFO [org.keycloak.authentication.authenticators.browser.ScriptBasedAuthenticator] (default task-8) PDD-Registry Authenticator trace auth for: test – it should fail!
e[0me[33m21:18:18,737 WARN [org.keycloak.services] (Brute Force Protector) KC-SERVICES0053: login failure for user 83c361ce-3d54-49b3-a039-47861c3d269b from ip 10.1.0.12
e[0me[0m21:18:19,786 INFO [org.keycloak.events] (default task-8) type=LOGIN, realmId=nhf, clientId=pdd-registry-local-server, userId=83c361ce-3d54-49b3-a039-47861c3d269b, ipAddress=10.1.0.12, auth_method=openid-connect, response_type=code, redirect_uri=http://localhost:4444/pdd-registry/, remember_me=false, consent=no_consent_required, code_id=420276a6-7f91-435a-ad29-37eaa5ea4649, response_mode=fragment, username=test, authSessionParentId=420276a6-7f91-435a-ad29-37eaa5ea4649, authSessionTabId=WETjUsEP4zY
e[0me[0m21:18:24,708 INFO [org.keycloak.events] (default task-8) type=CODE_TO_TOKEN, realmId=nhf, clientId=pdd-registry-local-server, userId=83c361ce-3d54-49b3-a039-47861c3d269b, ipAddress=10.1.0.12, token_id=ec68475b-b5cf-4adb-a4e0-e829bce1f01a, grant_type=authorization_code, refresh_token_type=Refresh, scope=‘openid email profile’, refresh_token_id=953c59eb-28c9-42f1-a629-abc6aeed5056, code_id=420276a6-7f91-435a-ad29-37eaa5ea4649, client_auth_method=client-secret
e[0me[0m21:18:25,393 INFO [org.keycloak.events] (default task-8) type=USER_INFO_REQUEST, realmId=nhf, clientId=pdd-registry-local-server, userId=83c361ce-3d54-49b3-a039-47861c3d269b, ipAddress=10.1.0.12, auth_method=validate_access_token, signature_required=false, username=test
- The pddadmin user has the required realm role, so the login process should go through.
e[0me[31m21:20:42,227 ERROR [stderr] (default task-8) Warning: Nashorn engine is planned to be removed from a future JDK release
e[0me[0m21:20:42,308 INFO [org.keycloak.authentication.authenticators.browser.ScriptBasedAuthenticator] (default task-8) PDD-Registry Authenticator trace auth for: pddadmin
e[0me[0m21:20:43,016 INFO [org.keycloak.authentication.authenticators.browser.ScriptBasedAuthenticator] (default task-8) PDD-Registry Authenticator trace auth for: pddadmin – it should succeed!
e[0me[0m21:20:43,968 INFO [org.keycloak.events] (default task-8) type=LOGIN, realmId=nhf, clientId=pdd-registry-local-server, userId=9f620737-6ffe-49fa-ae2a-4ae55da029ad, ipAddress=10.1.0.12, auth_method=openid-connect, response_type=code, redirect_uri=http://localhost:4444/pdd-registry/, remember_me=false, consent=no_consent_required, code_id=2dec2664-1ec4-4bc5-a563-9e328b7b2bcc, response_mode=fragment, username=pddadmin, authSessionParentId=2dec2664-1ec4-4bc5-a563-9e328b7b2bcc, authSessionTabId=3yzNp9OAzMw
e[0me[0m21:20:46,960 INFO [org.keycloak.events] (default task-8) type=CODE_TO_TOKEN, realmId=nhf, clientId=pdd-registry-local-server, userId=9f620737-6ffe-49fa-ae2a-4ae55da029ad, ipAddress=10.1.0.12, token_id=85ae1db5-fcac-4b62-81bf-3045ae0dd0cf, grant_type=authorization_code, refresh_token_type=Refresh, scope=‘openid email profile’, refresh_token_id=26fb7dd7-2aac-4d00-83fe-a9f741b9bac2, code_id=2dec2664-1ec4-4bc5-a563-9e328b7b2bcc, client_auth_method=client-secret
e[0me[0m21:20:47,327 INFO [org.keycloak.events] (default task-8) type=USER_INFO_REQUEST, realmId=nhf, clientId=pdd-registry-local-server, userId=9f620737-6ffe-49fa-ae2a-4ae55da029ad, ipAddress=10.1.0.12, auth_method=validate_access_token, signature_required=false, username=pddadmin