Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Support for multiple identity providers #29064

Merged
merged 1 commit into from May 4, 2024
Merged

Support for multiple identity providers #29064

merged 1 commit into from May 4, 2024

Conversation

pedroigor
Copy link
Contributor

@pedroigor pedroigor commented Apr 24, 2024
edited

Closes #28840

  • Allow multiple brokers per-organization
  • For now, we are using a config entry in the identity provider model to create the link to an organization.
  • Brokers associated with an org can be associated with a domain (from the list of org domains) so that you can map email domains to different brokers and register/authenticate members accordingly
  • Brokers associated with an org can be set as a "public" broker so that they are shown in the login pages to allow users to select when at the login page
  • It is possible to add members from a broker using an email domain not supported by the org. In this case, the broker must not be set with a domain.
  • It is possible to add existing users as members when not using an email domain not supported by the org.
  • If a broker can not be resolved based on the email domain when running the identity-first login, the user will be able to choose any broker associated with the org as long as they are marked as "public".Including realm-level brokers.

@pedroigor pedroigor requested review from a team as code owners April 24, 2024 20:28
@pedroigor pedroigor changed the title wip Support for multiple identity providers Apr 24, 2024
@pedroigor pedroigor marked this pull request as draft April 24, 2024 20:29
This was referenced Apr 24, 2024
Closed
Closed
Closed
Closed
Closed
Closed
Closed
Closed
Closed
Closed
Closed
Closed
Closed
Closed
Closed
@pedroigor pedroigor force-pushed the issue-28840 branch 3 times, most recently from 3b1a3e5 to f57fdd3 Compare April 30, 2024 11:46
@keycloak-github-bot keycloak-github-bot bot mentioned this pull request Apr 30, 2024
Open
keycloak-github-bot[bot]
keycloak-github-bot bot reviewed Apr 30, 2024
View reviewed changes
Copy link

@keycloak-github-bot keycloak-github-bot bot left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Unreported flaky test detected, please review

@keycloak-github-bot
Copy link

Unreported flaky test detected

If the flaky tests below are affected by the changes, please review and update the changes accordingly. Otherwise, a maintainer should report the flaky tests prior to merging the PR.

org.keycloak.testsuite.actions.RequiredActionUpdateProfileTest#updateProfile

Keycloak CI - Forms IT (chrome)

java.lang.RuntimeException: Could not create statement
	at org.jboss.arquillian.junit.Arquillian.methodBlock(Arquillian.java:307)
	at org.junit.runners.BlockJUnit4ClassRunner$1.evaluate(BlockJUnit4ClassRunner.java:100)
	at org.junit.runners.ParentRunner.runLeaf(ParentRunner.java:366)
	at org.junit.runners.BlockJUnit4ClassRunner.runChild(BlockJUnit4ClassRunner.java:103)
...

Report flaky test

keycloak-github-bot[bot]
keycloak-github-bot bot reviewed May 2, 2024
View reviewed changes
Copy link

@keycloak-github-bot keycloak-github-bot bot left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Unreported flaky test detected, please review

@keycloak-github-bot
Copy link

Unreported flaky test detected

If the flaky tests below are affected by the changes, please review and update the changes accordingly. Otherwise, a maintainer should report the flaky tests prior to merging the PR.

org.keycloak.testsuite.adapter.servlet.BrokerLinkAndTokenExchangeTest#testExternalExchangeCreateNewUserUsingMappers

Keycloak CI - Base IT

java.lang.AssertionError: expected:<200> but was:<400>
	at org.junit.Assert.fail(Assert.java:89)
	at org.junit.Assert.failNotEquals(Assert.java:835)
	at org.junit.Assert.assertEquals(Assert.java:647)
	at org.junit.Assert.assertEquals(Assert.java:633)
...

Report flaky test

org.keycloak.testsuite.adapter.servlet.BrokerLinkAndTokenExchangeTest#testExternalExchange

Keycloak CI - Base IT

java.lang.AssertionError: expected:<200> but was:<400>
	at org.junit.Assert.fail(Assert.java:89)
	at org.junit.Assert.failNotEquals(Assert.java:835)
	at org.junit.Assert.assertEquals(Assert.java:647)
	at org.junit.Assert.assertEquals(Assert.java:633)
...

Report flaky test

org.keycloak.testsuite.adapter.servlet.BrokerLinkAndTokenExchangeTest#testAccountLinkNoTokenStore

Keycloak CI - Base IT

java.lang.AssertionError: Unexpected page. Current Page URL: http://localhost:8280/exchange-linking/link?realm=child&provider=parent-idp
	at org.junit.Assert.fail(Assert.java:89)
	at org.junit.Assert.assertTrue(Assert.java:42)
	at org.keycloak.testsuite.adapter.servlet.BrokerLinkAndTokenExchangeTest.testAccountLinkNoTokenStore(BrokerLinkAndTokenExchangeTest.java:494)
	at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
...

Report flaky test

org.keycloak.testsuite.admin.concurrency.ConcurrencyTest#createClient

Keycloak CI - Base IT (1)

java.lang.RuntimeException: There were failures in threads. Failures count: 1
	at org.keycloak.testsuite.admin.concurrency.AbstractConcurrencyTest.run(AbstractConcurrencyTest.java:122)
	at org.keycloak.testsuite.admin.concurrency.AbstractConcurrencyTest.run(AbstractConcurrencyTest.java:63)
	at org.keycloak.testsuite.admin.concurrency.AbstractConcurrencyTest.run(AbstractConcurrencyTest.java:59)
	at org.keycloak.testsuite.admin.concurrency.ConcurrencyTest.concurrentTest(ConcurrencyTest.java:61)
...

Report flaky test

org.keycloak.testsuite.client.ClientTypesTest#testUpdateClientWithClientType

Keycloak CI - Base IT (4)

java.lang.AssertionError: Not expected to update client
	at org.junit.Assert.fail(Assert.java:89)
	at org.keycloak.testsuite.client.ClientTypesTest.testUpdateClientWithClientType(ClientTypesTest.java:112)
	at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
	at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:77)
...

Report flaky test

org.keycloak.testsuite.oauth.ClientTokenExchangeTest#testExchangeWithDynamicScopesEnabled

Keycloak CI - Base IT (6)

org.keycloak.common.VerificationException: Token not set
	at org.keycloak.TokenVerifier.parse(TokenVerifier.java:401)
	at org.keycloak.testsuite.oauth.ClientTokenExchangeTest.testExchange(ClientTokenExchangeTest.java:309)
	at org.keycloak.testsuite.oauth.ClientTokenExchangeTest.testExchangeWithDynamicScopesEnabled(ClientTokenExchangeTest.java:1021)
	at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
...

Report flaky test

org.keycloak.testsuite.oauth.ClientTokenExchangeTest#testClientExchange

Keycloak CI - Base IT (6)

java.lang.AssertionError: expected:<200> but was:<400>
	at org.junit.Assert.fail(Assert.java:89)
	at org.junit.Assert.failNotEquals(Assert.java:835)
	at org.junit.Assert.assertEquals(Assert.java:647)
	at org.junit.Assert.assertEquals(Assert.java:633)
...

Report flaky test

org.keycloak.testsuite.oauth.ClientTokenExchangeTest#testIntrospectTokenAfterImpersonation

Keycloak CI - Base IT (6)

java.lang.AssertionError: expected:<200> but was:<400>
	at org.junit.Assert.fail(Assert.java:89)
	at org.junit.Assert.failNotEquals(Assert.java:835)
	at org.junit.Assert.assertEquals(Assert.java:647)
	at org.junit.Assert.assertEquals(Assert.java:633)
...

Report flaky test

org.keycloak.testsuite.oauth.ClientTokenExchangeTest#testPublicClientNotAllowed

Keycloak CI - Base IT (6)

java.lang.AssertionError: expected:<403> but was:<400>
	at org.junit.Assert.fail(Assert.java:89)
	at org.junit.Assert.failNotEquals(Assert.java:835)
	at org.junit.Assert.assertEquals(Assert.java:647)
	at org.junit.Assert.assertEquals(Assert.java:633)
...

Report flaky test

org.keycloak.testsuite.oauth.ClientTokenExchangeTest#testExchangeUsingServiceAccount

Keycloak CI - Base IT (6)

org.keycloak.common.VerificationException: Token not set
	at org.keycloak.TokenVerifier.parse(TokenVerifier.java:401)
	at org.keycloak.testsuite.oauth.ClientTokenExchangeTest.testExchangeUsingServiceAccount(ClientTokenExchangeTest.java:347)
	at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
	at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:77)
...

Report flaky test

org.keycloak.testsuite.oauth.ClientTokenExchangeTest#testImpersonation

Keycloak CI - Base IT (6)

java.lang.AssertionError: expected:<200> but was:<400>
	at org.junit.Assert.fail(Assert.java:89)
	at org.junit.Assert.failNotEquals(Assert.java:835)
	at org.junit.Assert.assertEquals(Assert.java:647)
	at org.junit.Assert.assertEquals(Assert.java:633)
...

Report flaky test

org.keycloak.testsuite.oauth.ClientTokenExchangeTest#testImpersonationUsingPublicClient

Keycloak CI - Base IT (6)

java.lang.AssertionError: expected:<200> but was:<400>
	at org.junit.Assert.fail(Assert.java:89)
	at org.junit.Assert.failNotEquals(Assert.java:835)
	at org.junit.Assert.assertEquals(Assert.java:647)
	at org.junit.Assert.assertEquals(Assert.java:633)
...

Report flaky test

alice-wondered
alice-wondered reviewed May 2, 2024
View reviewed changes
model/jpa/src/main/java/org/keycloak/organization/jpa/JpaOrganizationProvider.java
return false;
}

realm.removeIdentityProviderByAlias(identityProvider.getAlias());
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

When we call this function do we want to delete the identity provider from the realm or only remove the association between the idp and the organization?

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

For now, we remove it because we create it in the scope of the organization. However, we are going to change the Organization API to work similarly as users when linking brokers to an organization.

For that, we are going to link an existing broker instead therefore not removing it when removing from the organization, only the link as you are suggesting.

...ain/java/org/keycloak/organization/admin/resource/OrganizationIdentityProvidersResource.java Outdated Show resolved Hide resolved
...g/keycloak/organization/authentication/authenticators/browser/OrganizationAuthenticator.java Outdated Show resolved Hide resolved
...eycloak/organization/forms/login/freemarker/model/OrganizationAwareIdentityProviderBean.java Show resolved Hide resolved
keycloak-github-bot[bot]
keycloak-github-bot bot reviewed May 2, 2024
View reviewed changes
Copy link

@keycloak-github-bot keycloak-github-bot bot left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Unreported flaky test detected, please review

@keycloak-github-bot
Copy link

Unreported flaky test detected

If the flaky tests below are affected by the changes, please review and update the changes accordingly. Otherwise, a maintainer should report the flaky tests prior to merging the PR.

org.keycloak.testsuite.client.ClientTypesTest#testUpdateClientWithClientType

Keycloak CI - Base IT (4)

java.lang.AssertionError: Not expected to update client
	at org.junit.Assert.fail(Assert.java:89)
	at org.keycloak.testsuite.client.ClientTypesTest.testUpdateClientWithClientType(ClientTypesTest.java:112)
	at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
	at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:77)
...

Report flaky test

org.keycloak.testsuite.oauth.ClientTokenExchangeTest#testExchangeWithDynamicScopesEnabled

Keycloak CI - Base IT (6)

org.keycloak.common.VerificationException: Token not set
	at org.keycloak.TokenVerifier.parse(TokenVerifier.java:401)
	at org.keycloak.testsuite.oauth.ClientTokenExchangeTest.testExchange(ClientTokenExchangeTest.java:309)
	at org.keycloak.testsuite.oauth.ClientTokenExchangeTest.testExchangeWithDynamicScopesEnabled(ClientTokenExchangeTest.java:1021)
	at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
...

Report flaky test

org.keycloak.testsuite.oauth.ClientTokenExchangeTest#testClientExchange

Keycloak CI - Base IT (6)

java.lang.AssertionError: expected:<200> but was:<400>
	at org.junit.Assert.fail(Assert.java:89)
	at org.junit.Assert.failNotEquals(Assert.java:835)
	at org.junit.Assert.assertEquals(Assert.java:647)
	at org.junit.Assert.assertEquals(Assert.java:633)
...

Report flaky test

org.keycloak.testsuite.oauth.ClientTokenExchangeTest#testIntrospectTokenAfterImpersonation

Keycloak CI - Base IT (6)

java.lang.AssertionError: expected:<200> but was:<400>
	at org.junit.Assert.fail(Assert.java:89)
	at org.junit.Assert.failNotEquals(Assert.java:835)
	at org.junit.Assert.assertEquals(Assert.java:647)
	at org.junit.Assert.assertEquals(Assert.java:633)
...

Report flaky test

org.keycloak.testsuite.oauth.ClientTokenExchangeTest#testPublicClientNotAllowed

Keycloak CI - Base IT (6)

java.lang.AssertionError: expected:<403> but was:<400>
	at org.junit.Assert.fail(Assert.java:89)
	at org.junit.Assert.failNotEquals(Assert.java:835)
	at org.junit.Assert.assertEquals(Assert.java:647)
	at org.junit.Assert.assertEquals(Assert.java:633)
...

Report flaky test

org.keycloak.testsuite.oauth.ClientTokenExchangeTest#testExchangeUsingServiceAccount

Keycloak CI - Base IT (6)

org.keycloak.common.VerificationException: Token not set
	at org.keycloak.TokenVerifier.parse(TokenVerifier.java:401)
	at org.keycloak.testsuite.oauth.ClientTokenExchangeTest.testExchangeUsingServiceAccount(ClientTokenExchangeTest.java:347)
	at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
	at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:77)
...

Report flaky test

org.keycloak.testsuite.oauth.ClientTokenExchangeTest#testImpersonation

Keycloak CI - Base IT (6)

java.lang.AssertionError: expected:<200> but was:<400>
	at org.junit.Assert.fail(Assert.java:89)
	at org.junit.Assert.failNotEquals(Assert.java:835)
	at org.junit.Assert.assertEquals(Assert.java:647)
	at org.junit.Assert.assertEquals(Assert.java:633)
...

Report flaky test

org.keycloak.testsuite.oauth.ClientTokenExchangeTest#testImpersonationUsingPublicClient

Keycloak CI - Base IT (6)

java.lang.AssertionError: expected:<200> but was:<400>
	at org.junit.Assert.fail(Assert.java:89)
	at org.junit.Assert.failNotEquals(Assert.java:835)
	at org.junit.Assert.assertEquals(Assert.java:647)
	at org.junit.Assert.assertEquals(Assert.java:633)
...

Report flaky test

vramik
vramik reviewed May 3, 2024
View reviewed changes
Copy link
Contributor

@vramik vramik left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thank you @pedroigor for this PR. I didn't finished the whole review yet, especially authenticators and tests, but wanted to add some comments so you could look at them already.

I think it's unfortunate to manage identity providers in a way that we iterate over all realm IdP in various places, but I see it is the way how it was implemented in the past and there is not much we can do about it unless we re-do significant part of current implementation.

.../admin-client-jee/src/main/java/org/keycloak/admin/client/resource/OrganizationResource.java Outdated Show resolved Hide resolved
model/jpa/src/main/java/org/keycloak/organization/jpa/JpaOrganizationProvider.java Outdated
Comment on lines 258 to 270
List<IdentityProviderModel> brokers = organization.getIdentityProviders().toList();

if (identityProvider == null) {
if (brokers.isEmpty()) {
return false;
}

FederatedIdentityModel federatedIdentity = userProvider.getFederatedIdentity(realm, member, identityProvider.getAlias());
List<FederatedIdentityModel> federatedIdentities = userProvider.getFederatedIdentitiesStream(realm, member)
.map(federatedIdentityModel -> realm.getIdentityProviderByAlias(federatedIdentityModel.getIdentityProvider())).filter(brokers::contains)
.map(m -> userProvider.getFederatedIdentity(realm, member, m.getAlias()))
.toList();

return federatedIdentity != null;
return !federatedIdentities.isEmpty();
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Perhaps we could avoid collecting streams to collections here. Something like might do the trick,. wdyt?

return userProvider.getFederatedIdentitiesStream(realm, member)
                .map(federatedIdentityModel -> realm.getIdentityProviderByAlias(federatedIdentityModel.getIdentityProvider()))
                .filter(idp -> organization.getIdentityProviders().anyMatch(broker -> broker.getAlias().equals(idp.getAlias())))
                .map(idp -> userProvider.getFederatedIdentity(realm, member, idp.getAlias()))
                .anyMatch(Objects::nonNull);

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I would keep it as is. No need to resolve federated identities if there is no brokers associated with the orgs.

...ain/java/org/keycloak/organization/admin/resource/OrganizationIdentityProvidersResource.java Outdated Show resolved Hide resolved
...ain/java/org/keycloak/organization/admin/resource/OrganizationIdentityProvidersResource.java
return response;
}

throw ErrorResponse.error("Identity provider not associated with the organization", Status.BAD_REQUEST);
Copy link
Contributor

@vramik vramik May 3, 2024
edited

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I might be overlooking something, but shouldn't be there a different error message? If I understand it correctly in this point there was something wrong during removing IdP from organization.

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

If not removed is because it wasn't associated. Looks correct to me.

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This is the problem with methods like removeIdentityProvider that return a status boolean. As the caller of the method, you don't actually know what went wrong. Line 116 is assuming why the error happened. And for now it's correct. But later someone comes along to change that method and returns false for some other reason. Then then assumption made in line 116 could be wrong.

I would suggest throwing an exception from inside the removeIdentityProvider method instead of using a status boolean.

Also, at some point we need to localize error messages that could end up in the UI. But that may be a task for another day.

...ain/java/org/keycloak/organization/admin/resource/OrganizationIdentityProvidersResource.java
public Response delete() {
Response response = super.delete();

if (organizationProvider.removeIdentityProvider(organization, broker)) {
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

organizationProvider.removeIdentityProvider(organization, broker) should remove the IdP from realm ... shouldn't it be already removed by super.delete();?

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Yeah, and we are removing both delete and update operations from this endpoint. Similarly, as we did for users. That also means only unlinking the broker from the org instead of removing it entirely.

For now, I would keep as is.

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I'm afraid I do not understand, my point was that the IdP is being removed twice, is that intentional?

services/src/main/java/org/keycloak/organization/admin/resource/OrganizationResource.java Outdated Show resolved Hide resolved
...k/organization/authentication/authenticators/broker/IdpOrganizationAuthenticatorFactory.java
@@ -87,7 +87,7 @@ public String getHelpText() {

@Override
public boolean isUserSetupAllowed() {
return false;
return true;
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Could you please elaborate a bit on this change?

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

To avoid failing the flow when the authenticator is not "configured for" the current flow and user.

@pedroigor
Copy link
Contributor Author

I think it's unfortunate to manage identity providers in a way that we iterate over all realm IdP in various places, but I see it is the way how it was implemented in the past and there is not much we can do about it unless we re-do significant part of current implementation.

Yeah, fixing this is out of scope.

@pedroigor
Support for mutiple identity providers
8686735 
Closes keycloak#28840

Signed-off-by: Pedro Igor <pigor.craveiro@gmail.com>
This was referenced May 3, 2024
Open
Open
Open
Open
Open
Open
Open
Open
@pedroigor pedroigor mentioned this pull request May 3, 2024
Merged
ahus1
ahus1 approved these changes May 4, 2024
View reviewed changes
Copy link
Contributor

@ahus1 ahus1 left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Approving based on @sguilhen's review. Thanks!

@ahus1 ahus1 merged commit 32d25f4 into keycloak:main May 4, 2024
70 checks passed
@pedroigor pedroigor deleted the issue-28840 branch May 6, 2024 10:55
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@ssilvert ssilvert ssilvert left review comments

@vramik vramik vramik left review comments

@adrhine adrhine adrhine left review comments

@alice-wondered alice-wondered alice-wondered left review comments

@keycloak-github-bot keycloak-github-bot[bot] keycloak-github-bot left review comments

@sguilhen sguilhen sguilhen approved these changes

@ahus1 ahus1 ahus1 approved these changes

Assignees
No one assigned
Labels
flaky-test team/cloud-native team/core-clients team/core-iam
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

Support for multiple identity providers
7 participants
@pedroigor @sguilhen @ssilvert @vramik @ahus1 @adrhine @alice-wondered