Role Mappings dont work with mail-like usernames

[Tetha]

Hello,

there is an entirely weird interaction in our setup. Our identity provider is generating keycloak users with usernames like elmer.fudd@old.example.com, but different email addresses such as elmer.fudd@new.example.com.

This allows users to authenticate with this plugin, but breaks authorization later on.

As far as I have traced, the bug occurs in this method:

nexus3-keycloak-plugin/src/main/java/org/github/flytreeleft/nexus3/keycloak/plugin/internal/KeycloakAdminClient.java

Line 104 in 648fa03

public UserRepresentation getUser(String userNameOrEmail) {

With a username = elmer.fudd@old.example.com, the method will search for email=elmer.fudd@old.example.com instead of username=elmer.fudd@old.example.com to get the roles of the user. In the best case, this finds no roles because the mail does not exist. In the worst case, a user might be able to set their username to the email of another user and be authorized with their permissions. In either case, mail-like user names dont work in an expected way.

However, I'm entirely unsure how to fix this without breaking either login flow.

[flytreeleft]

@Tetha You can use elmer.fudd@new.example.com as the Nexus login name. And you should make sure that both of the username elmer.fudd@old.example.com and the email address elmer.fudd@new.example.com are used by the only one user, they can not be assigned to more than one person.

[Tetha]

For me, that does not work. If I use elmer.fudd@new.example.com as the nexus login name, that gets passed to keycloak as the username and the user does not exist.

2020-10-28 07:50:14,817 WARN [org.keycloak.events] (default task-2) type=LOGIN_ERROR, realmId=realm, clientId=nexus3, userId=null, ipAddress=x.x.x.x, error=user_not_found, auth_method=openid-connect, grant_type=password, client_auth_method=client-secret, username=elmer.fudd@new.example.com, authSessionParentId=, authSessionTabId=

[flytreeleft]

@Tetha It should be a bug, I will check that later.

[josedev-union]

seems same usecase with #57?

[Tetha]

@josedev-union Can you take a look at your keycloak user objects and provide the pseudomized values of the login property and the email property of your problematic user account?

In particular, it would be important to see if the login property of the keycloak username matches the email matcher, and if the email field is the same, or different from the username in that case.

[josedev-union]

2020-10-30 10:35:31,393+0000 INFO  [qtp1333205391-235] *UNKNOWN org.github.flytreeleft.nexus3.keycloak.plugin.KeycloakAuthenticatingRealm - doGetAuthenticationInfo for xxxx@xxxx via org.github.flytreeleft.nexus3.keycloak.plugin.internal.KeycloakHttpHeaderAuthToken: false

if email like username used, then KeycloakHttpHeaderAuthToken: false while KeycloakHttpHeaderAuthToken: true with non-email like username

[flytreeleft]

@Tetha @josedev-union Hi, did you enable the option Realm Settings -> Login -> Login with email?

And you can try to login Keycloak with the email to verify it.

[josedev-union]

@flytreeleft that was enabled already for my usecase.

[josedev-union]

fyi, i found that if i use "." in the username, it works while i use "@", it does not work.

https://github.com/flytreeleft/nexus3-keycloak-plugin/blob/master/src/main/java/org/github/flytreeleft/nexus3/keycloak/plugin/internal/NexusKeycloakClient.java#L49-L56
This func returns false now.

       if (token instanceof UsernamePasswordToken) {
            return authenticate((UsernamePasswordToken) token);
        } else if (token instanceof KeycloakHttpHeaderAuthToken) {
            return authenticate((KeycloakHttpHeaderAuthToken) token);
        }
        return false;

[josedev-union]

https://github.com/flytreeleft/nexus3-keycloak-plugin/blob/master/src/main/java/org/github/flytreeleft/nexus3/keycloak/plugin/internal/NexusKeycloakClient.java#L66-L81

[josedev-union]

@flytreeleft so as you can see authenticate func in NexusKeycloakClient.java, when we use email-like username, the email verify is the mandatory thing.
So to solve the current problem, there are 2 workarounds

• the first one is to configure smtp in keycloak and enable email verify in login config of realm.
  

• the second one is to remove the email verification check in the plugin code.

[josedev-union]

@Tetha so when we use email-like username, the username must be same with email as well as email verification.
But for your usecase, email and username are not same.

[josedev-union]

@flytreeleft so i am thinking like this
to include usecases from @Tetha, we can have one flag to select the auth method against email-like username.
if flag is set true, we adopt email verification and check if the username and email in token are same.
if false, we adopt general auth method with email-like username like normal username.

how about your ideas? @Tetha @flytreeleft

[flytreeleft]

@josedev-union I know what your problem is. We should verify it as a normal username first, then check it as an email when it's fault.

By the way, did you login Nexus via SSO authentication?

[josedev-union]

yes, with general username, I can login via sso

[josedev-union]

@flytreeleft if you allow, i will make a PR

[flytreeleft]

@josedev-union Thanks for your PR :)

[flytreeleft]

@josedev-union @Tetha I have released the fixed version 0.4.1-prev1-SNAPSHOT, please have a try :)

[Tetha]

Sure thing, I'll tell the team to update and check.