Can't link users to existing users in Rocketchat #17

Open
opened 2022-08-11 12:18:00 +00:00 by Hofer · 18 comments
Hofer commented 2022-08-11 12:18:00 +00:00 (Migrated from lab.libreho.st)

## Server Versions

Keycloak Version 16.1.1-legacy

RCVersion 4.8.3

## Bug descriptions

So I deployed the scim-adapter on an existing keycloak + rc and for existing users the role mapping doesn't seem to work.

Keycloak shows me the following error message - the api call to rc scim is never made.

```
2022-08-11T12:05:27.297644765Z 12:05:27,297 INFO  [sh.libre.scim.event.ScimEventListenerProvider] (default task-78) DELETE users 3f9bed91-6ce4-40f5-a41d-3b58ce13a6f5 roles
2022-08-11T12:05:27.297725249Z 12:05:27,297 INFO  [sh.libre.scim.core.ScimDispatcher] (default task-78) 22db2fe9-c2d7-4731-a88d-8d4e8cc13258 scim scim org.keycloak.storage.UserStorageProvider
2022-08-11T12:05:27.306681350Z 12:05:27,306 WARN  [sh.libre.scim.core.ScimClient] (default task-78) failed to replace resource 3f9bed91-6ce4-40f5-a41d-3b58ce13a6f5, scim mapping not found
```

For new users it works, but it looks like the users that existed before in Keycloak can't be linked to the user in rc with scim.

Users are coming from an external identity provider.

Hofer commented 2022-08-11 12:18:00 +00:00 (Migrated from lab.libreho.st)

moved from scim#6

Hofer commented 2022-08-11 12:20:23 +00:00 (Migrated from lab.libreho.st)

changed the description

Hofer commented 2022-08-11 12:25:59 +00:00 (Migrated from lab.libreho.st)

So I can see the following error message on the rocket.chat side:

```
"{\"stack\":\"Error: This username already exists\\n at UsersEndpoint.handleRcError [as handleError] (evalmachine.<anonymous>:15:19)\\n at UsersEndpoint._post (evalmachine.<anonymous>:43:14)\\n at runMicrotasks (<anonymous>)\\n at processTicksAndRejections (internal/process/task_queues.js:95:5)\\n at UsersEndpoint.post (evalmachine.<anonymous>:68:34)\",\"isBaseError\":true,\"type\":\"username\"}"
```

Just deleted a user from keycloak and recreated it through idp login on keycloak.

Error of keycloak at creation:

```
2022-08-11T12:24:27.116750135Z 12:24:27,116 INFO  [sh.libre.scim.core.ScimDispatcher] (default task-81) 22db2fe9-c2d7-4731-a88d-8d4e8cc13258 scim scim org.keycloak.storage.UserStorageProvider
2022-08-11T12:24:27.466708270Z 12:24:27,466 ERROR [sh.libre.scim.core.ScimDispatcher] (default task-81) java.lang.RuntimeException: com.unboundid.scim2.common.exceptions.ResourceConflictException: This username already exists
```
Hofer commented 2022-08-11 12:27:21 +00:00 (Migrated from lab.libreho.st)

changed the description

Hofer commented 2022-08-11 12:31:52 +00:00 (Migrated from lab.libreho.st)

changed title from Can't {-change role of-} existing users in Rocketchat to Can't {+link users to+} existing users in Rocketchat

Hofer commented 2022-08-11 12:31:59 +00:00 (Migrated from lab.libreho.st)

changed the description

Hofer commented 2022-08-11 12:32:31 +00:00 (Migrated from lab.libreho.st)

changed the description

Hofer commented 2022-08-31 07:21:45 +00:00 (Migrated from lab.libreho.st)

Any news on this?

Buechele commented 2022-09-07 06:20:20 +00:00 (Migrated from lab.libreho.st)

I have a fix for that, but I am not allowed to push something

Hofer commented 2022-09-07 06:30:12 +00:00 (Migrated from lab.libreho.st)

you should have developer privileges now

hugo.renard commented 2022-09-07 07:36:19 +00:00 (Migrated from lab.libreho.st)

On an existing setup, you need to use the sync feature in KC at least once to link RC users & RC users. This didn't work for you?

Hofer commented 2022-09-07 08:08:06 +00:00 (Migrated from lab.libreho.st)

That didn't work. User couldn't be linked.

Hofer commented 2022-09-07 08:08:44 +00:00 (Migrated from lab.libreho.st)

@Buechele provided a fix to update already existing users and link them.

hugo.renard commented 2022-09-07 11:25:55 +00:00 (Migrated from lab.libreho.st)

Then the issue is on the KC side. I think the merge logic should be implemented only in the identity provider and reconciled once, rather than in all service providers at every call.

Hofer commented 2022-09-08 08:10:47 +00:00 (Migrated from lab.libreho.st)

You sure about that? I mean if the user exists you just have to use a different endpoint and update the user instead of creating it. The fix so far works flawlessly, @Buechele even added that usernames etc. get changed if done in keycloak.

hugo.renard commented 2022-09-08 16:52:35 +00:00 (Migrated from lab.libreho.st)

I believe it deviates from the SCIM specs, although I might need to read them again. This could potentially create side effects for clients expecting errors in case of conflicts.

I really think this problem should be addressed client side (KC). The sync is supposed to resolve this. If it's broken, I'll fix it.

We could also add an option in KC to find the mapping (as the sync does) during calls with conflicts or missing mapping. If we think the sync isn't enough.

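The two positions in the thread (update instead of create when the user exists, versus keeping SCIM conflict semantics on the Rocket.Chat side and resolving the mapping once on the Keycloak side) can be reconciled in a single client design. The following Python sketch is an added example, not code from rocketchat-scim or from the Keycloak SCIM adapter: the service provider keeps the RFC 7644 behaviour of answering a duplicate `userName` on `POST /Users` with 409 Conflict, and the identity-provider side (the `ScimClient` class here, with an assumed `mapping` dict standing in for Keycloak's per-user "scim mapping") links to the existing resource via a `userName eq "..."` filter and then issues `PUT`, both during a one-time sync and as a fallback when a create collides. `FakeScimServer`, `link_existing`, `push` and the sample users are constructed for this example.

```python
import re
from itertools import count


class ScimConflict(Exception):
    """HTTP 409: the service provider refused a duplicate userName (RFC 7644, section 3.3)."""


class ScimNotFound(Exception):
    """HTTP 404: no resource with that id."""


class FakeScimServer:
    """Constructed in-memory stand-in for a SCIM 2.0 /Users endpoint (not Rocket.Chat's code)."""

    def __init__(self, preexisting=()):
        self._ids = count(1)
        self.users = {}  # scim id -> resource
        for attrs in preexisting:
            self._store(attrs)

    def _store(self, attrs):
        rid = f"rc-{next(self._ids)}"
        self.users[rid] = {"id": rid, **attrs}
        return self.users[rid]

    def post_user(self, attrs):
        """POST /Users: a duplicate userName is rejected with 409, as the spec requires."""
        if any(u["userName"] == attrs["userName"] for u in self.users.values()):
            raise ScimConflict("This username already exists")
        return self._store(attrs)

    def get_users(self, filter_expr):
        """GET /Users?filter=...; only the form userName eq "value" is supported here."""
        m = re.fullmatch(r'userName eq "([^"]*)"', filter_expr)
        if not m:
            raise ValueError(f"unsupported filter: {filter_expr}")
        return [u for u in self.users.values() if u["userName"] == m.group(1)]

    def put_user(self, rid, attrs):
        """PUT /Users/{id}: replace the whole resource."""
        if rid not in self.users:
            raise ScimNotFound(rid)
        self.users[rid] = {"id": rid, **attrs}
        return self.users[rid]


class ScimClient:
    """Identity-provider side; `mapping` plays the role of Keycloak's per-user scim mapping."""

    def __init__(self, server):
        self.server = server
        self.mapping = {}  # idp user id -> scim id

    @staticmethod
    def to_scim(idp_user):
        return {
            "userName": idp_user["username"],
            "emails": [{"value": idp_user["email"], "primary": True}],
            "roles": [{"value": r} for r in idp_user["roles"]],
        }

    def link_existing(self, idp_user):
        """The one-time sync: find an already-present user by userName and record its id."""
        if idp_user["id"] in self.mapping:
            return True
        found = self.server.get_users(f'userName eq "{idp_user["username"]}"')
        if found:
            self.mapping[idp_user["id"]] = found[0]["id"]
            return True
        return False

    def push(self, idp_user):
        """Create or replace; a 409 on create is resolved by linking, not reported as failure."""
        attrs = self.to_scim(idp_user)
        rid = self.mapping.get(idp_user["id"])
        if rid is not None:
            return self.server.put_user(rid, attrs)
        try:
            res = self.server.post_user(attrs)
        except ScimConflict:
            if not self.link_existing(idp_user):
                raise  # conflict with nothing to link to: surface it to the caller
            res = self.server.put_user(self.mapping[idp_user["id"]], attrs)
        self.mapping[idp_user["id"]] = res["id"]
        return res


def demo():
    """Constructed scenario: RC already has 'alice'; KC then pushes 'alice' and a new 'bob'."""
    server = FakeScimServer([{"userName": "alice", "emails": [], "roles": [{"value": "user"}]}])
    client = ScimClient(server)
    alice = {"id": "kc-1", "username": "alice", "email": "alice@example.test", "roles": ["admin"]}
    bob = {"id": "kc-2", "username": "bob", "email": "bob@example.test", "roles": ["user"]}
    first = client.push(alice)   # POST -> 409 -> filter lookup -> PUT on rc-1
    second = client.push(bob)    # plain POST -> rc-2
    alice["roles"] = ["user"]
    third = client.push(alice)   # mapping known now: direct PUT, no conflict round-trip
    return client.mapping, first, second, third, len(server.users)


if __name__ == "__main__":
    print(demo())
```

The point of the split is that the "scim mapping not found" warning in the Keycloak log above is a client-side state problem: once the mapping is populated (by the sync, or lazily on the first conflict), later role changes become plain replaces against the known id, while other SCIM clients still get the conflict error the spec promises them.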
Alton commented 2022-10-25 07:12:09 +00:00 (Migrated from lab.libreho.st)

How can we proceed forward? In our tests the first sync does not update/link existing users in RocketChat. @hugo.renard should we provide you access to our test setup?

hugo.renard commented 2022-10-25 09:34:27 +00:00 (Migrated from lab.libreho.st)

I pushed a fix to the initial mapping (in the first sync) to avoid a crash when there is an empty username or email in RC.

I can reproduce the issue of an existing user that is successfully mapped in KC, but the update doesn't work. Hopefully I'll fix it next week.

Thanks for your proposal. I'll let you know if I need it.

Reference: libre.sh/rocketchat-scim#17