22352 kerberos fallback #22531
22352 kerberos fallback #22531
Conversation
2 flaky tests on run #8515 ↗︎Details:
|
|||||||||||||||||||||||||||
| Test | Artifacts | |
|---|---|---|
| Authentication test > should add a condition |
Output
Screenshots
|
|
realm_settings_general_tab_test.spec.ts • 1 flaky test • chrome
| Test | Artifacts | |
|---|---|---|
| Realm settings general tab tests > Test all general tab switches |
Output
Screenshots
|
|
This comment has been generated by cypress-bot as a result of this project's GitHub integration settings.
82c0184 to
4ab9609
Compare
ahus1
left a comment
There was a problem hiding this comment.
@mposolda - thank you for the changes, they look good to me.
It might be worth adding this to the release notes, I assume some people have been waiting for this quite some time, and they'll be happy to find it there.
For the map storage, feel free to update the MapUserProvider or open a new ticket to add that support. It might be difficult (impossible) to write a test for the MapUserProvider yet, as the PR to add LDAP/Kerberos support for the map storage is still pending, see #10700.
Let me know how you decide, and then re-request a review and I'll approve it.
|
@mposolda Done some more testing with our test environment and it confirmed that this PR solves our problem. Again thanks so much for the work. |
There was a problem hiding this comment.
Not a blocker as it is related to naming. I think we can make the statues a bit more clear if:
VALID(AUTHENTICATED)INVALID(FAILED)VALID_USER(FALLBACK)CHALLENGE(CONTINUE)
My point is:
AUTHENTICATED: Credentials are validated and authentication happens on the upper layer where the authentication logic is inFAILED, the validator is actually returning that the credential is invalidVALID_USER, the validator is actually returning if the user is valid but not the credential. The decision to try other providers to authenticate the user depends on the upper layer.CONTINUE, this name indicates for me that validation should continue and not necessarily the authentication (somewhat related to theFALLBACKwhich indicates moving forward with the provider chain.
There was a problem hiding this comment.
Thanks Pedro for the suggestions. Your naming is probably better, but there is also concern with backwards compatibility as CredentialValidationOutput class is part of the server-spi module, which is part of user-storage SPI and hence backwards compatibility might be a concern...
@ahus1 What do you think? Can we rename things or is it better to keep as it is?
I see options like:
- Rename as @pedroigor suggested
- Rename only
FALLBACKtoVALID_USER. This is fine for backwards compatibility though asFALLBACKis new thing added in this PR - Keep as it is
I vote for 2. I can do 1 if @ahus1 agrees that backwards compatibility is not an issue.
There was a problem hiding this comment.
Update: In the end I've kept FALLBACK instead of VALID_USER. The VALID_USER is not accurate as it is used even for the cases when the user-storage provider is not able to recognize the credential nor the user and hence it just needs to fallback to next provider.
I see options like:
- Rename statuses to
VALID,INVALID,FALLBACK,CHALLENGE - Keep statuses as is in this PR
My vote is 2 just due the backwards compatibility. If we can break backwards compatibility, I am fine with (1).
@pedroigor @ahus1 What do you think?
There was a problem hiding this comment.
Looking at the docs, I see that this change is targeted for KC22, so it should be backward compatible. Therefore I vote to not rename the options.
…icated Kerberos principal closes keycloak#22352 keycloak#9422
4ab9609 to
54ee97b
Compare
|
@ahus1 @pedroigor I've added another commit with the release notes and with some small clarification in the javadoc of I've created #22780 as a follow-up task for the new store. I've used separate commit, so you can review the changes, but I plan to squash it before merge. |
ahus1
left a comment
There was a problem hiding this comment.
LGTM - one small nit-pick around the docs.
There was a problem hiding this comment.
Looking at the docs, I see that this change is targeted for KC22, so it should be backward compatible. Therefore I vote to not rename the options.
Co-authored-by: Alexander Schwartz <[email protected]>
|
@ahus1 Thanks for another review! I've applied your comments regarding docs. Also Thanks for the clarification for backwards compatibility. |
ghost
left a comment
There was a problem hiding this comment.
Unreported flaky test detected, please review
Unreported flaky test detectedIf the below flaky tests below are affected by the changes, please review and update the changes accordingly. Otherwise, a maintainer should report the flaky tests prior to merging the PR. org.keycloak.testsuite.forms.RegisterWithUserProfileTest#testRegisterUserSuccess_attributeNotRequiredAndSelectedByScopeCanBeIgnoredKeycloak CI - Forms IT (chrome) org.keycloak.testsuite.forms.VerifyProfileTest#testAttributeRequiredButNotSelectedByScopeIsNotRenderedOnVerificationScreenForcedByAnotherAttributeKeycloak CI - Forms IT (chrome) |
…icated Kerberos principal (keycloak#22531) closes keycloak#22352 keycloak#9422 (cherry picked from commit 6f989fc)
|
@ahus1 @pedroigor Thanks for the review! |
Closes #22352 #9422 #14665 .
Summary of changes:
It adds new state
FALLBACKtoCredentialValidationOutput.Status. This means that federation provider was not able to finish authentication, and wants to fallback to other providers.The status
FAILEDmeans that user storage provider wants to finish authentication with failure without fallback to other providers (current behaviour from Keycloak main). StatusCONTINUEmeans that federation provider does not want to finish, but doesn't want fallback as another challenge response might need to be sent to the user (current behaviour from Keycloak main). Added also javadoc to what those status should mean.@ahus1 This should raise your concern from the Make UserStorageManager check all applicable CredentialAuthenticators #22353 (comment) as it should be possible to acknowledge fallback as well as fail authentication right away.
There are 2 scenarios when there are multiple LDAP providers and fallback to next federation provider might be needed. Added automated tests to both of them in this PR:
Scenario when
ldap-provider-1(which is 1st in the chain) is not able to do SPNEGO authentication at all. For instance because token contains completely different kerberos realm. In this case SPNEGO authentication did not success, so fallback to another provider might be neededScenario when
ldap-provider-1(which is 1st in the chain) is able to do SPNEGO authentication, but that provider is not able to lookup the user. This is common scenario with various "forest trust" scenarios. For this case, I've introduced noteKerberosConstants.AUTHENTICATED_SPNEGO_CONTEXTwhen the authenticated Spnego from 1st provider can be saved and then next provider in the chain (likeldap-provider-2) can lookup user.It can be better if same provider always does both SPNEGO authentication and lookup the user, but repeating SPNEGO authentication with same token is not possible as this would replay error (Something like
Caused by: KrbException: Request is a replay (34)) and authentication would not be possible to happen.At the same time, I don't see much issues with provider1 doing SPNEGO authentication and provider2 doing eventual lookup the user. Assumption is that administrator has control over the user-storage providers configured in the realm and hence automatically doing fallback does not seem to me as an issue. We can eventually add an option to LDAP/Kerberos providers like
Supports fallback for Kerberos authentication, which will allow both save spnego context for next providers as well as consume spnego context from previous providers. But so far, I did not messed with another option due I don't see issues with doing fallback automatically and the amount of options on LDAP-provider is already quite big.I've updated only
UserStorageManagerin this PR, but did not updatedMapUserProvider. I am not sure if it is needed to deal with the map storage and also wanted to first ask for the feedback in this PR. I can possibly updateMapUserProvideras well if you think it is necessary and we're ok with those changes.@ahus1 To your question from about detecting realm from spnego token - This is not easily possible. Spnego token is Base64 encoded token in ASN1 format with complicated structure. It might be possible to parse it with some 3rd party library or with BouncyCastle. Some hints are here https://stackoverflow.com/questions/4508555/decrypt-kerberos-ticket-using-spnego . I've tried to parse it with BouncyCastle (just for fun) in this branch https://github.com/mposolda/keycloak/blob/22352-spnego-parsing/crypto/default/src/test/java/org/keycloak/crypto/def/test/SPNEGOParseExample.java, but figured it is not trivial... At the same time, even if we figure parsing, announce which kerberos realms the LDAP provider supports won't be very useful as it is possible that realm
MYREALM.ORGis supported by 2 LDAP providersldap-provider-1andldap-provider-2and hence fallback might be still needed as user authenticated byldap-provider-1might be available in the LDAP subtree ofldap-provider-2. Also requirement to announce realms might not be very useful in the scenarios with MSAD forest trust with many realms when realms are added to the forest ad-hoc and hence the change in the configuration of LDAP providers would be needed always when adding new realm. However it can help with the scenario 1 I've described above as the provider1 would not try to authenticate SPNEGO token, which is clearly for different realm.