Alfresco ACS 6.1.2ga SSO Authentification with keycloak duplicating users

cancel
Showing results for 
Search instead for 
Did you mean: 
pedrohernandez
Active Member II

Alfresco ACS 6.1.2ga SSO Authentification with keycloak duplicating users

Hello Everybody and thanks in advance for your help.


We are implementing authentification with keycloak version keycloak: 4.8.3. Final, and we're having the issue that when logging in with any user, it enters in a loop while logging and it creates several duplicate users in alfresco, we wanted to know if this a known issue or maybe my configuration is wrong. find images below, also we're deploying the applications with docker, if you need futher information let me know. thanks:

PD: image shows how user Pedro is duplicated 2 times.

PD: Also it creates a folder for every duplicated user.

Docker configuration looks like this:

ADF configuration looks like this: 

Bellow you can find attached alfresco logs while logging in and the alfresco-realm.json.

we followed this guide to configure our applications.

https://community.alfresco.com/people/gravitonian/blog/2018/07/17/getting-started-with-alfresco-iden... 

Again, Thanks for your time and help.

Regards,

Pedro.

6 Replies
afaust
Master

Re: Alfresco ACS 6.1.2ga SSO Authentification with keycloak duplicating users

Interesting... it shouldn't actually be possible to create users with exactly the same name due to uniqueness constraints on the user name. I would bet this may not be a known issue (did you search JIRA for it?), since 6.1.2 GA is quite a new release and not a lot of people are using Alfresco with Keycloak yet, especially since Share does not support it for single sign-on purposes.

pedrohernandez
Active Member II

Re: Alfresco ACS 6.1.2ga SSO Authentification with keycloak duplicating users

Axel, Thank you for your time.

I was looking in JIRA and couldn't find information, but first time using JIRA so I may have miss something. Some more information about the issue is that the logging is being made through ADF components, and when I logging it throw this exceptions on the logs:

INFO  [security.person.PersonServiceImpl] [http-nio-8080-exec-9] Splitting 1 duplicate person objects. then again:

INFO  [security.person.PersonServiceImpl] [http-nio-8080-exec-5] Splitting 2 duplicate person objects.

then:

[36malfresco_1 | [0m 2019-03-20 15:33:32,947 INFO [security.person.PersonServiceImpl] [http-nio-8080-exec-2] Splitting 2 duplicate person objects.
[36malfresco_1 | [0m 2019-03-20 15:33:32,974 INFO [security.person.PersonServiceImpl] [http-nio-8080-exec-9] Splitting 2 duplicate person objects.
[36malfresco_1 | [0m 2019-03-20 15:33:33,001 INFO [security.person.PersonServiceImpl] [http-nio-8080-exec-1] Splitting 2 duplicate person objects.

INFO [security.person.PersonServiceImpl] [http-nio-8080-exec-7] Splitting 2 duplicate person objects.
INFO [security.person.PersonServiceImpl] [http-nio-8080-exec-7] New person object: pedrodc7c953d-5366-482e-8ca6-ab0ca533f9d5
INFO [security.person.PersonServiceImpl] [http-nio-8080-exec-7] New person object: pedroc3454366-51e9-47f3-b6b9-88e5e8e75b2e
[security.person.PersonServiceImpl] [http-nio-8080-exec-7] Split 2 duplicate person objects.

afaust
Master

Re: Alfresco ACS 6.1.2ga SSO Authentification with keycloak duplicating users

Ahh... that split handling is a very specific segment of code where Alfresco internally sets a special flag to allow duplicate user IDs for the transaction in which they are created. Come to look at it, this specific code has been in Alfresco for a long time. It is triggered only when more than one person with the identical name already exists, so it is only responsible for any subsequent duplication but not for the very first one. Essentially, it can split person objects in every read-write transaction where a specific lookup API is called/invoked in Java.

pedrohernandez
Active Member II

Re: Alfresco ACS 6.1.2ga SSO Authentification with keycloak duplicating users

So that means that the issue is currently happening during the login process that is making several calls to create the same user?, if so. maybe to correctly test this is to use https://github.com/Alfresco/alfresco-content-app, that to my knowledge is tested with ACS 6.1 and integration with keycloak was working fine?, if this test have the same results duplicating the users then maybe I can create an issue in JIRA.

Or maybe should I take another approach?, what do you think?

Thanks for your time.

Regards.

damien_rider
Member II

Re: Alfresco ACS 6.1.2ga SSO Authentification with keycloak duplicating users

Hi @pedrohernandez  and @afaust, I'm also having this exact problem. I'm seeing the same things in the logs. Was there any resolution on this problem?

Thanks,
Damien.

afaust
Master

Re: Alfresco ACS 6.1.2ga SSO Authentification with keycloak duplicating users

After the original post, I have now been using Keycloak at a customer too. I have never been able to reproduce the core issue, e.g. what caused the first duplication. Essentially, the simplest way to fix the issue "should" be to delete all the duplicated person objects, and then the logic in PersonService which creates further duplicates should not be triggered again.