keycloak: Incorrect JSON returned in case of unavailable user federation
Before reporting an issue
- I have searched existing issues
- I have reproduced the issue with the latest nightly release
Area
admin/ui
Describe the bug
When Keycloak is configured with a user federation such as LDAP and that user federation is not available, Keycloak shows the following error message in the admin UI when searching for users.
No users found, could be due to wrongly configured federated provider Unexpected non-whitespace character after JSON at position 1775 (line 1 column 1776)
Keycloak returned the following response to the admin UI. Note that the JSON is invalid, but contains all users from the local Keycloak database.
[
  {
    "id": "139020a3-4459-43b1-a92f-d90e5cf093a1",
    "createdTimestamp": 1632070461116,
    "username": "test",
    "enabled": true,
    "emailVerified": true,
    "email": "test@example.com",
    "access": {
      "manageGroupMembership": true,
      "view": true,
      "mapRoles": true,
      "impersonate": true,
      "manage": true
    },
    "bruteForceStatus": {
      "numFailures": 0,
      "disabled": false,
      "lastIPFailure": "n/a",
      "lastFailure": 0
    }
  },
  {
    "id": "139020a3-4459-43b1-a92f-d90e5cf093a2",
    "createdTimestamp": 1632070461116,
    "username": "test2",
    "enabled": true,
    "emailVerified": true,
    "email": "test2@example.net",
    "access": {
      "manageGroupMembership": true,
      "view": true,
      "mapRoles": true,
      "impersonate": true,
      "manage": true
    },
    "bruteForceStatus": {
      "numFailures": 0,
      "disabled": false,
      "lastIPFailure": "n/a",
      "lastFailure": 0
    }
  },
  {
    "id": "139020a3-4459-43b1-a92f-d90e5cf093a3",
    "createdTimestamp": 1632070461116,
    "username": "test3",
    "enabled": true,
    "emailVerified": true,
    "email": "test3@example.org",
    "access": {
      "manageGroupMembership": true,
      "view": true,
      "mapRoles": true,
      "impersonate": true,
      "manage": true
    },
    "bruteForceStatus": {
      "numFailures": 0,
      "disabled": false,
      "lastIPFailure": "n/a",
      "lastFailure": 0
    }
  },
  {
    "id": "139020a3-4459-43b1-a92f-d90e5cf093a4",
    "createdTimestamp": 1632070461116,
    "username": "test4",
    "enabled": true,
    "emailVerified": false,
    "email": "test4@example.com",
    "access": {
      "manageGroupMembership": true,
      "view": true,
      "mapRoles": true,
      "impersonate": true,
      "manage": true
    },
    "bruteForceStatus": {
      "numFailures": 0,
      "disabled": false,
      "lastIPFailure": "n/a",
      "lastFailure": 0
    }
  },
  {
    "id": "139020a3-4459-43b1-a92f-d90e5cf093a5",
    "createdTimestamp": 1632070461116,
    "username": "test5",
    "enabled": true,
    "emailVerified": true,
    "email": "test5@local.local",
    "access": {
      "manageGroupMembership": true,
      "view": true,
      "mapRoles": true,
      "impersonate": true,
      "manage": true
    },
    "bruteForceStatus": {
      "numFailures": 0,
      "disabled": false,
      "lastIPFailure": "n/a",
      "lastFailure": 0
    }
  }
]{
  "error": "unknown_error"
}
I understand that Keycloak cannot show any users from the unavailable federation, but it does not show the users returned for the query either.
Version
22.0.3
Expected behavior
Show the list of users that could be loaded from Keycloak itself (and available user federations with higher priority than the unavailable one). Show an additional hint that not all users could be loaded due to an issue with the federation provider.
Actual behavior
Shows this error message and returns invalid JSON.
How to Reproduce?
- Start a fresh Keycloak instance
- Add a local user to a realm
- Configure a user federation (LDAP) within the same realm and set the connection URL to a non-existing server and all other attributes to valid values
- Navigate to the user tab and search for all users
Anything else?
No response
About this issue
- State: closed
- Created 9 months ago
- Reactions: 1
- Comments: 15 (12 by maintainers)
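The response shape in the report (a complete JSON array followed directly by an error object) can be handled on the client side instead of failing in `JSON.parse`. The following is an added example, not code from Keycloak or its admin UI; the function names and the sample body are constructed for illustration.

```javascript
// Added example, not Keycloak code; function names are hypothetical.
// Splits a body that holds several concatenated top-level JSON values,
// e.g. a user array followed directly by an error object.
function splitTopLevelJson(text) {
  const values = [];
  let depth = 0, start = -1, inString = false, escaped = false;
  for (let i = 0; i < text.length; i++) {
    const c = text[i];
    if (inString) {
      // Brackets inside a string are data: track only escapes and the end quote.
      if (escaped) escaped = false;
      else if (c === '\\') escaped = true;
      else if (c === '"') inString = false;
      continue;
    }
    if (depth === 0 && c !== '{' && c !== '[') {
      if (/\s/.test(c)) continue;
      throw new SyntaxError(`unexpected '${c}' at position ${i}`);
    }
    if (c === '"') inString = true;
    else if (c === '{' || c === '[') {
      if (depth === 0) start = i;
      depth++;
    } else if ((c === '}' || c === ']') && --depth === 0) {
      values.push(JSON.parse(text.slice(start, i + 1)));
    }
  }
  if (depth !== 0) throw new SyntaxError('truncated JSON value');
  return values;
}

// The array holds the users that were loaded; an object carrying an
// "error" field means the listing failed part-way and is incomplete.
function parseUserSearchResponse(body) {
  const values = splitTopLevelJson(body);
  const users = values.find(Array.isArray) || [];
  const failure = values.find(v => !Array.isArray(v) && 'error' in v);
  const error = failure ? failure.error : null;
  return { users, error, partial: error !== null && users.length > 0 };
}

// Constructed sample with the same shape as the response in the report.
const sampleBody =
  '[{"username":"test","email":"test@example.com"},' +
  '{"username":"test2","email":"test2@example.net"}]' +
  '{"error":"unknown_error"}';

console.log(parseUserSearchResponse(sampleBody));
```

A caller can list `users` and show a warning when `partial` is true, which matches the behaviour requested under "Expected behavior".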
I am also getting this in Keycloak version 22.0.5.
When searching for “*” in the user list, with an LDAP federated user, the response is like the one indicated in the main thread:
Agreed that this should not be closed. The other linked issues indicate the fix was applied in 22.0.0, but I am still getting this in 22.0.5. This is not resolved, and is not an LDAP mis-configuration, as I am successfully able to log in to protected routes with Keycloak using my LDAP users.
Additionally, the array of users being returned to this endpoint INCLUDES my LDAP users, so… no, this is not an LDAP mis-configuration.
Why is this issue closed since the problem still exists? Is it that there is no plan to resolve this issue? I am using version 22.0.4.
I completely agree with this. I think we should make a dedicated section in the Admin Console for this that will highlight any sort of issues that are currently happening, perhaps even e-mail the admin user about it. But I don’t think this should break the API that lists the users.
I am also not aware of why this was done, but what you are saying here does make sense to me.
Yes, please do log these as new and separate issues. It makes it easier for us to triage and get it assigned to the correct team.
This is a duplicate of #20451 (and others) which should be fixed now after @pedroigor switched to the resteasy reactive #10713. It was a long issue with complicated resolution and the fix was merged just a few days ago. @sventorben Can you please test with the nightly build?
I’m closing this one now because it’s a duplicate for sure.