Can't link users to existing users in Rocketchat #17
Server Versions
Keycloak Version 16.1.1-legacy
RC Version 4.8.3
Bug descriptions
So I deployed the scim-adapter on an existing keycloak + rc and for existing users the role mapping doesn't seem to work.
Keycloak shows me the following error message - the api call to rc scim is never made.
For new users it works, but it looks like the users that existed before in Keycloak can't be linked to the user in rc with scim.
Users are coming from an external identity provider.
moved from scim#6
changed the description
So I can see the following error message on the rocket.chat side:
"{\"stack\":\"Error: This username already exists\\n at UsersEndpoint.handleRcError [as handleError] (evalmachine.<anonymous>:15:19)\\n at UsersEndpoint._post (evalmachine.<anonymous>:43:14)\\n at runMicrotasks (<anonymous>)\\n at processTicksAndRejections (internal/process/task_queues.js:95:5)\\n at UsersEndpoint.post (evalmachine.<anonymous>:68:34)\",\"isBaseError\":true,\"type\":\"username\"}"
Just deleted a user from keycloak and recreated it through idp login on keycloak.
Error of keycloak at creation:
changed the description
changed title from Can't {-change role of-} existing users in Rocketchat to Can't {+link users to+} existing users in Rocketchat
Any news on this?
I have a fix for that, but I am not allowed to push something
you should have developer privileges now
On an existing setup, you need to use the sync feature in KC at least once to link RC users & RC users. This didn't work for you?
That didn't work. User couldn't be linked.
@Buechele provided a fix to update already existing users and link them.
Then the issue is on the KC side. I think the merge logic should be implemented only in the identity provider and reconciled once, rather than in all service providers at every call.
You sure about that? I mean if the user exists you just have to use a different endpoint and update the user instead of creating it. The fix so far works flawlessly, @Buechele even added that usernames etc. get changed if done in keycloak.
I believe it deviates from the SCIM specs, although I might need to read them again. This could potentially create side effects for clients expecting errors in case of conflicts.
I really think this problem should be addressed client side (KC). The sync is supposed to resolve this. If it's broken, I'll fix it.
We could also add an option in KC to find the mapping (as the sync does) during calls with conflicts or missing mapping. If we think the sync isn't enough.
How can we proceed forward? In our tests the first sync does not update/link existing users in RocketChat. @hugo.renard should we provide you access to our test setup?
I pushed a fix to the initial mapping (in the first sync) to avoid a crash when there is an empty username or email in RC.
I can reproduce the issue of an existing user that is successfully mapped in KC, but the update doesn't work. Hopefully I'll fix it next week.
Thanks for your proposal. I'll let you know if I need it.
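The client-side option discussed in this thread (resolve the mapping when a create call conflicts, rather than changing what the service provider returns) can be sketched as follows. This is an added example, not code from the scim-adapter or the Keycloak plugin: `FakeScimProvider`, `provision`, the `mapping` table and the sample users are hypothetical, and the extra email check before linking is an assumption of this example. The stand-in provider answers a duplicate `userName` with 409 and `scimType` "uniqueness", as RFC 7644 section 3.3 specifies.

```javascript
// Constructed in-memory stand-in for the RC SCIM endpoint (not the adapter's code).
class FakeScimProvider {
  constructor(users) {
    this.users = new Map(users.map((u) => [u.id, { ...u }]));
    this.nextId = 100;
  }
  post(user) { // duplicate userName -> 409 with scimType "uniqueness"
    const taken = [...this.users.values()].some((u) => u.userName === user.userName);
    if (taken) return { status: 409, body: { scimType: 'uniqueness', detail: 'This username already exists' } };
    const id = String(this.nextId++);
    this.users.set(id, { ...user, id });
    return { status: 201, body: this.users.get(id) };
  }
  list(filter) { // supports only: userName eq "<JSON-escaped value>"
    const wanted = JSON.parse(filter.slice('userName eq '.length));
    const Resources = [...this.users.values()].filter((u) => u.userName === wanted);
    return { status: 200, body: { totalResults: Resources.length, Resources } };
  }
  put(id, user) {
    if (!this.users.has(id)) return { status: 404, body: {} };
    this.users.set(id, { ...user, id });
    return { status: 200, body: this.users.get(id) };
  }
}

// Client-side (identity provider) provisioning. `mapping` is the IdP's own
// table of local user id -> remote SCIM id; all names here are hypothetical.
function provision(sp, mapping, kcUser) {
  const payload = { userName: kcUser.username, emails: [{ value: kcUser.email }] };
  if (mapping.has(kcUser.id)) { // already linked: plain update, renames included
    return { action: 'updated', id: sp.put(mapping.get(kcUser.id), payload).body.id };
  }
  const created = sp.post(payload);
  if (created.status === 201) {
    mapping.set(kcUser.id, created.body.id);
    return { action: 'created', id: created.body.id };
  }
  if (created.status !== 409 || created.body.scimType !== 'uniqueness') throw new Error('unexpected SCIM response');
  // Conflict: look the account up and link only on a single match whose
  // non-empty email also agrees (assumption of this example); never guess.
  const found = sp.list(`userName eq ${JSON.stringify(kcUser.username)}`).body.Resources;
  const remoteEmail = (found[0]?.emails?.[0]?.value || '').toLowerCase();
  const sameEmail = remoteEmail !== '' && remoteEmail === (kcUser.email || '').toLowerCase();
  if (found.length !== 1 || !sameEmail) return { action: 'unresolved', id: null };
  mapping.set(kcUser.id, found[0].id);
  return { action: 'linked', id: sp.put(found[0].id, payload).body.id };
}
```

Because the provider still returns the conflict, other SCIM clients that expect an error on a duplicate `userName` see no change in behaviour; an `unresolved` result is left for an administrator instead of attaching the identity to an account that only shares a name.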