Details
- Bug
- Resolution: Invalid
- Major
- None
- 2.8.7
- None
- None
- Unknown
Description
We use Keycloak as our OIDC provider and to retrieve the user's groups we enable the standard Keycloak scope "microprofile-jwt".
All was fine until a few users couldn't log in and had the following error:
org.xwiki.contrib.oidc.provider.internal.OIDCException: Failed to get user info:null
org.xwiki.contrib.oidc.auth.internal.OIDCUserManager.getUserInfo(OIDCUserManager.java:194)
org.xwiki.contrib.oidc.auth.internal.endpoint.CallbackOIDCEndpoint.handle(CallbackOIDCEndpoint.java:242)
org.xwiki.contrib.oidc.provider.internal.OIDCResourceReferenceHandler.handle(OIDCResourceReferenceHandler.java:134)
org.xwiki.contrib.oidc.provider.internal.OIDCResourceReferenceHandler.handle(OIDCResourceReferenceHandler.java:108)
org.xwiki.resource.internal.DefaultResourceReferenceHandlerChain.handleNext(DefaultResourceReferenceHandlerChain.java:79)
org.xwiki.resource.internal.AbstractResourceReferenceHandlerManager.handle(AbstractResourceReferenceHandlerManager.java:82)
org.xwiki.resource.servlet.ResourceReferenceHandlerServlet.handleResourceReference(ResourceReferenceHandlerServlet.java:159)
org.xwiki.resource.servlet.ResourceReferenceHandlerServlet.service(ResourceReferenceHandlerServlet.java:87)
javax.servlet.http.HttpServlet.service(HttpServlet.java:623)
org.xwiki.container.servlet.filters.internal.SetHTTPHeaderFilter.doFilter(SetHTTPHeaderFilter.java:63)
org.xwiki.resource.servlet.RoutingFilter.doFilter(RoutingFilter.java:145)
org.xwiki.container.servlet.filters.internal.SavedRequestRestorerFilter.doFilter(SavedRequestRestorerFilter.java:208)
org.xwiki.container.servlet.filters.internal.SetCharacterEncodingFilter.doFilter(SetCharacterEncodingFilter.java:111)
We narrowed down the problem to the user being a member of too many groups (around 200), which are included in the access token. I suspect the number of groups itself is not the real problem, but that the token is persisted and the field is not big enough to accommodate the value.
The work-around has been to create our own scope in Keycloak to include the user's groups only on the user info token, which is enough to enable group mapping with XWiki groups.
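As an added illustration (not code from this report, from XWiki or from Keycloak), the snippet below builds a constructed microprofile-jwt-style access token, shows how the "groups" claim inflates its size, and models the persisted-field limit the reporter suspects with a simple length check. The signing key, claim values and the 4000-character column width are assumptions.

```python
import base64, hashlib, hmac, json

# Constructed sample values: the key and the column width are assumptions,
# not values taken from the bug report or from XWiki/Keycloak.
SECRET = b"constructed-demo-key"
ASSUMED_COLUMN_CHARS = 4000  # hypothetical width of the column persisting the token

def _b64url(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def build_access_token(groups: list[str]) -> str:
    """Build an HS256-signed JWT shaped like a microprofile-jwt access token
    ("upn" and "groups" are the claims that scope adds)."""
    header = {"alg": "HS256", "typ": "JWT"}
    claims = {
        "iss": "https://keycloak.example/realms/demo",
        "sub": "user-1",
        "aud": "xwiki",
        "upn": "user@example.org",
        "exp": 1700000000,
        "groups": groups,
    }
    signing_input = (_b64url(json.dumps(header, separators=(",", ":")).encode())
                     + "." + _b64url(json.dumps(claims, separators=(",", ":")).encode()))
    sig = hmac.new(SECRET, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)

def groups_in_token(token: str) -> list[str]:
    """Decode the payload segment and return the groups claim (no signature check)."""
    payload = token.split(".")[1]
    payload += "=" * (-len(payload) % 4)  # restore base64 padding
    return json.loads(base64.urlsafe_b64decode(payload))["groups"]

def fits_in_column(token: str, max_chars: int = ASSUMED_COLUMN_CHARS) -> bool:
    """Model of the persisted-token field: True if the token would fit."""
    return len(token) <= max_chars

def token_for_member_of(n_groups: int) -> str:
    """Token for a user in n_groups Keycloak-style group paths."""
    return build_access_token([f"/org/team-{i:03d}" for i in range(n_groups)])

if __name__ == "__main__":
    for n in (5, 50, 200):
        tok = token_for_member_of(n)
        print(f"{n:>3} groups -> {len(tok)} chars, fits={fits_in_column(tok)}")
```

Running the same check against the real column width in a pre-deployment test would surface the failure before users with large group memberships are locked out.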