Univention Bugzilla – Bug 57202
Inconsistent group membership in Keycloak
Last modified: 2024-04-03 17:40:04 CEST
In a customer environment, we saw inconsistencies in Keycloak group memberships in Keycloak using a "memberUid" group mapper as described in https://docs.software-univention.de/keycloak-app/latest/configuration.html#restrict-access-to-applications. The customer saw that in the admin console, you could see the users as members of the Keycloak group, but if you opened the user, it was missing the group under "group memberships". This results in the user not getting the role it needs to log into an app.

The LDAP membership was completely consistent. Not that it matters, because in this configuration, Keycloak only looks at "memberUid" on the group to calculate group memberships.

This should not be confused with the normal behaviour when caching is activated. With the default configuration, there can be inconsistencies for around 5 minutes between the user->groups and the group->user membership. At the customer, this inconsistency happened only sometimes after adding group membership, but it was persistent over hours and even outlived a Keycloak container reinitialization.

We were not able to reproduce the issue in a local environment yet and therefore need more information from the customer to analyze the issue in full depth. It should be noted that the customer had three Keycloak installations, of which two were inaccessible to us and could be a culprit due to the shared caching. There were no error messages, even in the TRACE log level.
A workaround was needed immediately, and therefore we configured the Keycloak group mapper to react to memberOf on a user instead of memberUid on a group to calculate group membership. This probably inverts the issue at hand, but this is preferable for this environment, as the needed role is only given to a user if the user itself has the group membership to the group that grants the role.
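A consistency check for the two membership views described above (the group's member list vs. the user's own "group memberships"), as an added example rather than anything from the bug report or the Keycloak app: it reads both views through the Keycloak admin REST API (groups, group members, user groups), assumes a valid admin bearer token and a base URL/realm supplied by the caller, and reports both directions, so it also catches the inverted case that the memberOf workaround may produce.

```python
"""Added example (not from the bug report): compare Keycloak's two views of
group membership, the group's member list (group -> users) and the user's own
"group memberships" (user -> groups), via the admin REST API."""
import json
import urllib.request
from typing import Dict, Set, Tuple

# Constructed sample: "bob" is listed in the group but lacks it on his user
# record (the reported symptom); "carol" shows the reverse.
SAMPLE_GROUP_MEMBERS = {"app-users": {"alice", "bob"}, "admins": {"carol"}}
SAMPLE_USER_GROUPS = {"alice": {"app-users"}, "bob": set(),
                      "carol": {"admins", "app-users"}}

def find_inconsistencies(group_members: Dict[str, Set[str]],
                         user_groups: Dict[str, Set[str]]
                         ) -> Tuple[Dict[str, Set[str]], Dict[str, Set[str]]]:
    """Return (missing_on_user, missing_on_group):
    missing_on_user[g]  = users the group lists but who do not list the group
                          (the reported case: the group's role is not granted);
    missing_on_group[g] = users who list the group but whom the group omits."""
    missing_on_user: Dict[str, Set[str]] = {}
    missing_on_group: Dict[str, Set[str]] = {}
    for group, members in group_members.items():
        for user in members:
            if group not in user_groups.get(user, set()):
                missing_on_user.setdefault(group, set()).add(user)
    for user, groups in user_groups.items():
        for group in groups:
            if user not in group_members.get(group, set()):
                missing_on_group.setdefault(group, set()).add(user)
    return missing_on_user, missing_on_group

def _get(url: str, token: str):
    req = urllib.request.Request(url, headers={"Authorization": f"Bearer {token}"})
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)

def fetch_views(base_url: str, realm: str, token: str, page_size: int = 1000):
    """Build both views via the admin REST API (top-level groups and a single
    page of page_size users/members, which is enough for a first check)."""
    api = f"{base_url}/admin/realms/{realm}"
    group_members: Dict[str, Set[str]] = {}
    for g in _get(f"{api}/groups?max={page_size}", token):
        members = _get(f"{api}/groups/{g['id']}/members?max={page_size}", token)
        group_members[g["name"]] = {m["username"] for m in members}
    user_groups: Dict[str, Set[str]] = {}
    for u in _get(f"{api}/users?max={page_size}", token):
        groups = _get(f"{api}/users/{u['id']}/groups?max={page_size}", token)
        user_groups[u["username"]] = {x["name"] for x in groups}
    return group_members, user_groups
```

Against a live instance, call `find_inconsistencies(*fetch_views(base_url, realm, token))`; a non-empty first dict is the symptom from the report, a non-empty second dict the inverted one.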
The customer provided a dump of their ucs realm configuration; real hostnames and certs/keys were stripped or changed, see attachment.
Created attachment 11204: JSON dump of ucs realm configuration from Keycloak