Description
Before reporting an issue
- I have searched existing issues
- I have reproduced the issue with the latest nightly release
Area
authentication
Describe the bug
When two or more Kerberos providers are added to the same realm, the client-provided token is only validated against the first Kerberos provider. If the client presents a token issued by the second Kerberos provider, they are not able to log in.
The problem seems to be in org.keycloak.storage.UserStorageManager#getUserByCredential, which fails completely on the first failure. It should instead continue to authenticate against the next storage provider, if there are any.
Version
22.0.1
Expected behavior
Each Kerberos storage provider should be checked in the order specified by priority until one succeeds or there are no more providers available.
Actual behavior
Only the first Kerberos provider is actually checked.
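To make the two behaviours concrete, here is an added, self-contained Java example that is not Keycloak code and does not use the Keycloak UserStorageProvider API. The `CredentialValidatingProvider` interface, the `StaticKdcProvider` stand-in (which accepts a token only if it carries a constructed issuer prefix), and the rule that a lower `priority` value is consulted first are all assumptions made for illustration. `failFast` models the reported behaviour; `tryEachInPriorityOrder` models the expected one.

```java
import java.util.ArrayList;
import java.util.Comparator;
import java.util.List;
import java.util.Optional;

// Hypothetical stand-in for a user storage provider that can validate a
// client-presented credential such as a Kerberos token. Not the Keycloak API.
interface CredentialValidatingProvider {
    String name();
    int priority();                       // assumption: lower value is consulted first
    // Empty result means "this credential was not issued by my KDC" (not an error).
    Optional<String> validate(String token);
}

// Constructed sample provider: a token "belongs" to it if it starts with issuerPrefix.
final class StaticKdcProvider implements CredentialValidatingProvider {
    private final String name;
    private final int priority;
    private final String issuerPrefix;

    StaticKdcProvider(String name, int priority, String issuerPrefix) {
        this.name = name;
        this.priority = priority;
        this.issuerPrefix = issuerPrefix;
    }

    public String name() { return name; }
    public int priority() { return priority; }

    public Optional<String> validate(String token) {
        if (token != null && token.startsWith(issuerPrefix)) {
            // Return the principal carried after the prefix as the resolved user id.
            return Optional.of(token.substring(issuerPrefix.length()));
        }
        return Optional.empty();
    }
}

final class CredentialLookup {
    private static List<CredentialValidatingProvider> byPriority(List<CredentialValidatingProvider> providers) {
        List<CredentialValidatingProvider> sorted = new ArrayList<>(providers);
        sorted.sort(Comparator.comparingInt(CredentialValidatingProvider::priority));
        return sorted;
    }

    // Reported behaviour: the first provider that cannot validate the token ends the
    // lookup, so a token issued by a lower-priority KDC is never checked.
    static Optional<String> failFast(List<CredentialValidatingProvider> providers, String token) {
        for (CredentialValidatingProvider p : byPriority(providers)) {
            Optional<String> user = p.validate(token);
            if (user.isEmpty()) {
                return Optional.empty();   // stops here; remaining providers are skipped
            }
            return user;
        }
        return Optional.empty();
    }

    // Expected behaviour: consult each provider in priority order until one succeeds
    // or the list is exhausted.
    static Optional<String> tryEachInPriorityOrder(List<CredentialValidatingProvider> providers, String token) {
        for (CredentialValidatingProvider p : byPriority(providers)) {
            Optional<String> user = p.validate(token);
            if (user.isPresent()) {
                return user;
            }
            // Not this provider's token: fall through to the next one.
        }
        return Optional.empty();
    }
}

public class TwoKdcLookupDemo {
    public static void main(String[] args) {
        // Constructed realm with two Kerberos-style providers; kdc1 is consulted first.
        List<CredentialValidatingProvider> providers = List.of(
            new StaticKdcProvider("kdc2", 10, "KDC2:"),
            new StaticKdcProvider("kdc1", 0, "KDC1:"));

        String tokenFromSecondKdc = "KDC2:alice";   // constructed sample token

        System.out.println("fail-fast lookup:  " + CredentialLookup.failFast(providers, tokenFromSecondKdc));
        System.out.println("try-each lookup:   " + CredentialLookup.tryEachInPriorityOrder(providers, tokenFromSecondKdc));
        System.out.println("unknown issuer:    " + CredentialLookup.tryEachInPriorityOrder(providers, "OTHER:bob"));
    }
}
```

Save the file as `TwoKdcLookupDemo.java` and run it with `java TwoKdcLookupDemo.java` (Java 11 or newer, since `Optional.isEmpty()` is used). The fail-fast lookup returns `Optional.empty` for the token from the second KDC, while the try-each lookup returns `Optional[alice]`; a token from an unknown issuer is rejected by both, which is the case the priority-ordered loop still has to handle correctly.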
How to Reproduce?
Set up a Keycloak realm with two Kerberos providers, then try to log in to the "Account Manager" with a token issued by the Kerberos KDC defined in the provider with the least priority.
A demo using "docker compose" to set up a test environment, together with a detailed guide on how to reproduce this bug, can be found here: https://github.com/ullgren/keycloak-with-two-kdc
Anything else?
A proposed patch will be submitted as a PR shortly.