Cannot log in with admin after logout on Keycloak 19.0.2

Hi,
I’ve installed Keycloak 19.0.2 using keycloakx from codecentric and it started perfectly.
I’ve logged in and configured my new realm with users (OTP as default), groups, roles and clients.
Then, I’ve logged out due to timeout.
Next, I’ve tried to log in again to the admin console but I keep getting “invalid username or password”. I’ve tried Chrome, Edge and Firefox as well as Vivaldi after clearing caches or in a private window and I have the same behavior.
On the log side, I have:

Appending additional Java properties to JAVA_OPTS: -XX:+UseContainerSupport -XX:MaxRAMPercentage=50.0 -Djava.awt.headless=true -Dkubeping_namespace=tools -Dkubeping_label="keycloak-cluster=default" -Djgroups.dns.query=keycloakx-headless
Changes detected in configuration. Updating the server image.
Updating the configuration and installing your custom providers, if any. Please wait.
2022-09-28 22:03:01,944 INFO  [io.quarkus.deployment.QuarkusAugmentor] (main) Quarkus augmentation completed in 7806ms
Server configuration updated and persisted. Run the following command to review the configuration:

        kc.sh show-config

Next time you run the server, just run:

        kc.sh start --optimized --http-enabled=true --http-port=8080 --hostname-strict=false --hostname-strict-https=false --hostname-strict-backchannel=false --spi-events-listener-jboss-logging-success-level=info --spi-events-listener-jboss-logging-error-level=warn --spi-sticky-session-encoder-infinispan-should-attach-route=false

WARNING: The '--auto-build' option for 'start' command is DEPRECATED and no longer needed. When executing the 'start' command, a new server image is automatically built based on the configuration. If you want to disable this behavior and achieve an optimal startup time, use the '--optimized' option instead.
2022-09-28 22:03:03,511 INFO  [org.keycloak.quarkus.runtime.hostname.DefaultHostnameProvider] (main) Hostname settings: Base URL: <unset>, Hostname: <request>, Strict HTTPS: false, Path: <request>, Strict BackChannel: false, Admin URL: <unset>, Admin: <request>, Port: -1, Proxied: true
2022-09-28 22:03:04,640 INFO  [org.keycloak.common.crypto.CryptoIntegration] (main) Detected crypto provider: org.keycloak.crypto.def.DefaultCryptoProvider
2022-09-28 22:03:06,054 WARN  [org.infinispan.CONFIG] (keycloak-cache-init) ISPN000569: Unable to persist Infinispan internal caches as no global state enabled
2022-09-28 22:03:06,064 WARN  [org.infinispan.PERSISTENCE] (keycloak-cache-init) ISPN000554: jboss-marshalling is deprecated and planned for removal
2022-09-28 22:03:06,089 INFO  [org.infinispan.CONTAINER] (keycloak-cache-init) ISPN000556: Starting user marshaller 'org.infinispan.jboss.marshalling.core.JBossUserMarshaller'
2022-09-28 22:03:06,336 INFO  [org.infinispan.CONTAINER] (keycloak-cache-init) ISPN000128: Infinispan version: Infinispan 'Triskaidekaphobia' 13.0.9.Final
2022-09-28 22:03:06,440 INFO  [org.infinispan.CLUSTER] (keycloak-cache-init) ISPN000078: Starting JGroups channel `ISPN` with stack `tcp-k8s`
2022-09-28 22:03:08,562 INFO  [org.jgroups.protocols.pbcast.GMS] (keycloak-cache-init) keycloakx-0-15071: no members discovered after 2002 ms: creating cluster as coordinator
2022-09-28 22:03:08,571 INFO  [org.infinispan.CLUSTER] (keycloak-cache-init) ISPN000094: Received new cluster view for channel ISPN: [keycloakx-0-15071|0] (1) [keycloakx-0-15071]
2022-09-28 22:03:08,575 INFO  [org.infinispan.CLUSTER] (keycloak-cache-init) ISPN000079: Channel `ISPN` local address is `keycloakx-0-15071`, physical addresses are `[10.70.0.169:7800]`
2022-09-28 22:03:09,057 INFO  [org.keycloak.connections.infinispan.DefaultInfinispanConnectionProviderFactory] (main) Node name: keycloakx-0-15071, Site name: null
2022-09-28 22:03:09,777 INFO  [io.quarkus] (main) Keycloak 19.0.2 on JVM (powered by Quarkus 2.7.6.Final) started in 7.716s. Listening on: http://0.0.0.0:8080
2022-09-28 22:03:09,778 INFO  [io.quarkus] (main) Profile prod activated.
2022-09-28 22:03:09,778 INFO  [io.quarkus] (main) Installed features: [agroal, cdi, hibernate-orm, jdbc-h2, jdbc-mariadb, jdbc-mssql, jdbc-mysql, jdbc-oracle, jdbc-postgresql, keycloak, logging-gelf, narayana-jta, reactive-routes, resteasy, resteasy-jackson, smallrye-context-propagation, smallrye-health, smallrye-metrics, vault, vertx]
2022-09-28 22:03:09,805 ERROR [org.keycloak.services] (main) KC-SERVICES0010: Failed to add user 'admin' to realm 'master': user with username exists
2022-09-28 22:04:23,782 WARN  [org.keycloak.events] (executor-thread-2) type=LOGIN_ERROR, realmId=7946a272-1ffb-4dc3-8e58-f50086aed68f, clientId=security-admin-console, userId=null, ipAddress=172.16.3.5, error=user_not_found, auth_method=openid-connect, auth_type=code, redirect_uri=http://keycloak.local/auth/admin/master/console/#/, code_id=95c9322f-ea0f-4715-a9c5-bea228103d8f, username=admin, authSessionParentId=95c9322f-ea0f-4715-a9c5-bea228103d8f, authSessionTabId=-Xcxerv-DQE
2022-09-28 22:07:24,914 WARN  [org.keycloak.events] (executor-thread-4) type=LOGIN_ERROR, realmId=7946a272-1ffb-4dc3-8e58-f50086aed68f, clientId=security-admin-console, userId=null, ipAddress=172.16.3.5, error=user_not_found, auth_method=openid-connect, auth_type=code, redirect_uri=http://keycloak.local/auth/admin/master/console/, code_id=9b611118-b1e1-4e26-992c-9e3c6a97a460, username=admin, authSessionParentId=9b611118-b1e1-4e26-992c-9e3c6a97a460, authSessionTabId=35aO4AItUIA

The environment variables KEYCLOAK_ADMIN and KEYCLOAK_ADMIN_PASSWORD are correctly set. I’ve also duplicated them using the KC_ prefix instead of KEYCLOAK_ and I have the same result.

What have I missed, please?

Thank you

Should the admin user be created in the user_entities table? In my case, I can see 2 normal users but not the admin one:

keycloak=> select id, realm_id, enabled from user_entity;
                  id                  |               realm_id               | enabled
--------------------------------------+--------------------------------------+---------
 14ae0024-6732-4151-bed6-4c7829fc0d84 | 7946a272-1ffb-4dc3-8e58-f50086aed68f | t
 677d7064-8eb1-4090-8d76-890778bc92e1 | 1f865d1d-139d-4760-b742-04cb582a9fb3 | t
(2 rows)

keycloak=> select * from username_login_failure;
 realm_id | username | failed_login_not_before | last_failure | last_ip_failure | num_failures
----------+----------+-------------------------+--------------+-----------------+--------------
(0 rows)

I’ve recreated the cluster after dropping the database and started making changes and logging out every time.
I’ve configured the Email settings for my test realm and I set the email as requested while saving parameters. On “Manage Account” (top right corner), I can see that on the Personal info, the email has been updated.
As soon as I enable “Email as username”, the admin username has been updated and filled with the email that I’ve set previously → Even if I uncheck this option, the username is permanently set to my email address :frowning:
I see 2 bugs in my opinion here:

  • The “Email as username”: must never update the admin username. The hint indicates “Allow users to set email as username.” → this means that this setting is an option only and not permanent.
  • This option is configured per realm and MUST never be applied for all realms. At least for the “admin” user.

For me at least, I will keep it unchecked for now.

Cheers
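
A triage script for the log excerpt in this thread, as an added example that is not part of the original posts or of Keycloak itself: it parses `org.keycloak.events` lines into fields and counts `LOGIN_ERROR` events per client, username and error. The login page shows the same "invalid username or password" message in both cases, but the event distinguishes `user_not_found` (the username no longer matches any user, as after "Email as username" rewrote it) from `invalid_user_credentials` (the user exists and a credential was rejected). The sample log is constructed from shortened copies of the lines above plus one invented event, and the function names are assumptions.

```python
import re
from collections import Counter

# Constructed sample: two shortened lines from the thread's log, plus one
# invented invalid_user_credentials event (admin@example.org) for contrast.
SAMPLE_LOG = """\
2022-09-28 22:03:09,805 ERROR [org.keycloak.services] (main) KC-SERVICES0010: Failed to add user 'admin' to realm 'master': user with username exists
2022-09-28 22:04:23,782 WARN  [org.keycloak.events] (executor-thread-2) type=LOGIN_ERROR, clientId=security-admin-console, userId=null, ipAddress=172.16.3.5, error=user_not_found, redirect_uri=http://keycloak.local/auth/admin/master/console/#/, username=admin
2022-09-28 22:07:24,914 WARN  [org.keycloak.events] (executor-thread-4) type=LOGIN_ERROR, clientId=security-admin-console, userId=null, ipAddress=172.16.3.5, error=user_not_found, redirect_uri=http://keycloak.local/auth/admin/master/console/, username=admin
2022-09-28 22:09:00,000 WARN  [org.keycloak.events] (executor-thread-5) type=LOGIN_ERROR, clientId=security-admin-console, userId=00000000-0000-0000-0000-000000000000, ipAddress=172.16.3.5, error=invalid_user_credentials, username=admin@example.org
"""

# timestamp, level, [logger], (thread), message
LINE_RE = re.compile(r"^(\S+ \S+)\s+(\w+)\s+\[([^\]]+)\]\s+\(([^)]+)\)\s+(.*)$")
# key=value pairs separated by ", "; a value ends where the next "key=" starts
FIELD_RE = re.compile(r"(\w+)=(.*?)(?=, \w+=|$)")

HINTS = {
    "user_not_found": "no user with this username in the realm; check whether it was renamed",
    "invalid_user_credentials": "user exists; a credential was rejected",
}

def parse_event(line):
    """Return the event fields as a dict, or None for non-event log lines."""
    m = LINE_RE.match(line)
    if not m or m.group(3) != "org.keycloak.events":
        return None
    event = dict(FIELD_RE.findall(m.group(5)))
    event["timestamp"] = m.group(1)
    return event

def login_failures(log_text):
    """Count LOGIN_ERROR events per (clientId, username, error)."""
    counts = Counter()
    for line in log_text.splitlines():
        ev = parse_event(line)
        if ev and ev.get("type") == "LOGIN_ERROR":
            key = (ev.get("clientId", "?"), ev.get("username", "?"), ev.get("error", "?"))
            counts[key] += 1
    return counts

def report(log_text):
    """One human-readable line per distinct failure, with a triage hint."""
    return [f"{n}x {client} username={user} error={err}: {HINTS.get(err, 'no hint')}"
            for (client, user, err), n in sorted(login_failures(log_text).items())]

if __name__ == "__main__":
    print("\n".join(report(SAMPLE_LOG)))
```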