Flowable Keycloak all users are added to all groups BUG

Hello, I think I found a problem…
I'm using Flowable with Keycloak, and it's all fine: I can create users, roles and groups in Keycloak and it returns the correct values in Flowable.
For example, if I log in, the account request on the homepage (…9090/flowable-ui/) returns the user, and the group attribute confirms that the requested user is in the selected groups.
However, when I go to the IDM App, I see all the groups I've created in Keycloak, but when I click on a group, it appears that all the users are part of that group; it doesn't matter whether the user is actually in the group or not. All the users are in all the groups.

And I think this makes the tasks query with the “candidateOrAssigned” param unusable, because if I request tasks with {candidateOrAssigned: “username”} it returns all the tasks, even if the task has CandidateGroups assigned, because the user is part of all the groups.

I have the Flowable docker setup with
FLOWABLE.COMMON.APP.SECURITY.OAUTH2.AUTHORITIES-ATTRIBUTE=groups
FLOWABLE.COMMON.APP.SECURITY.OAUTH2.GROUPS-ATTRIBUTE=userGroups
and I have the UserGroups mapping in the Keycloak client.

Is it indeed a bug, or am I missing something?

Thank you.

I'm experiencing the same problem using the release 6.6 docker containers (ui-keycloak-postgres.sh launch script) … I used the default setup, added two groups, and added a subset of the existing users into them … the result is that for each group, all users are listed in the IDM app as well as when querying via the REST interface.

Is there a solution to this?

best
Ulrich


I also checked my Keycloak service through the REST API with python-keycloak, and Keycloak is returning correct results for the handle.get_user_groups(username) calls; in the IDM App these group associations are not correct.

It would be important for us to understand how to resolve this issue so that we can deploy the new Flowable setup using a modern IdP service.

I did some more investigation here.

1) First I removed the Keycloak IDM backend and configured the LDAP user directory directly.

With the LDAP IDM backend … the IDM UI App also reports that all users are in all groups, which is incorrect.

However, using expressions like

${processEngine.getIdentityService().createGroupQuery().groupMember("username").count()}

I could verify that the internally processed data seems to be correct, e.g. I can retrieve the right number of groups and their names using this approach in the process debugger.

2) I reactivated the Keycloak IDM backend.

The IDM UI App still shows incorrect user group assignments.

Using the expression to retrieve user metadata (e.g. the user email from the Keycloak DB) works, therefore I think I have correctly set up the links between Flowable and Keycloak.

But now I can no longer evaluate the expression to retrieve group-related information … I get an error from the flowable-ui-app container:

flowable-ui-app_1 | 2020-12-02 23:05:06.535 ERROR 1 --- [io-8088-exec-40] o.a.c.c.C.[.[.[.[dispatcherServlet] : Servlet.service() for servlet [dispatcherServlet] in context with path [/flowable-ui] threw exception [Request processing failed; nested exception is org.flowable.common.engine.api.FlowableException: Error while evaluating expression: ${processEngine.getIdentityService().createGroupQuery().groupMember("XXXX").count()}] with root cause
flowable-ui-app_1 |
flowable-ui-app_1 | org.springframework.web.client.HttpClientErrorException$NotFound: 404 Not Found: [{"error":"Realm not found."}]
flowable-ui-app_1 | at org.springframework.web.client.HttpClientErrorException.create(HttpClientErrorException.java:113) ~[spring-web-5.2.9.RELEASE.jar:5.2.9.RELEASE]
flowable-ui-app_1 | at org.springframework.web.client.DefaultResponseErrorHandler.handleError(DefaultResponseErrorHandler.java:184) ~[spring-web-5.2.9.RELEASE.jar:5.2.9.RELEASE]
flowable-ui-app_1 | at org.springframework.web.client.DefaultResponseErrorHandler.handleError(DefaultResponseErrorHandler.java:125) ~[spring-web-5.2.9.RELEASE.jar:5.2.9.RELEASE]
flowable-ui-app_1 | at org.springframework.web.client.ResponseErrorHandler.handleError(ResponseErrorHandler.java:63) ~[spring-web-5.2.9.RELEASE.jar:5.2.9.RELEASE]
flowable-ui-app_1 | at org.springframework.web.client.RestTemplate.handleResponse(RestTemplate.java:782) ~[spring-web-5.2.9.RELEASE.jar:5.2.9.RELEASE]
flowable-ui-app_1 | at org.springframework.web.client.RestTemplate.doExecute(RestTemplate.java:740) ~[spring-web-5.2.9.RELEASE.jar:5.2.9.RELEASE]
flowable-ui-app_1 | at org.springframework.web.client.RestTemplate.execute(RestTemplate.java:714) ~[spring-web-5.2.9.RELEASE.jar:5.2.9.RELEASE]
flowable-ui-app_1 | at org.springframework.web.client.RestTemplate.getForEntity(RestTemplate.java:358) ~[spring-web-5.2.9.RELEASE.jar:5.2.9.RELEASE]
flowable-ui-app_1 | at org.flowable.ui.idm.service.keycloak.KeycloakGroupQueryImpl.executeCount(KeycloakGroupQueryImpl.java:62) ~[flowable-ui-idm-logic-6.6.0.jar:6.6.0]
flowable-ui-app_1 | at .....
So my interpretation of this error is:

In line 62 of KeycloakGroupQueryImpl.java a REST request for “…/groups/count” is issued … which fails with 404 Not Found: [{“error”:“Realm not found.”}]

I wasn't able to verify whether the call to “groups/count” is working correctly, as I don't have a good debug tool for REST APIs with OAuth at hand …

Does anybody know how to investigate this further?

[update]
I just managed to verify using Firefox RESTClient that the REST call to count groups is successful:
GET https://my.keycloak.server/auth/admin/realms/MyRealm/groups/count
Response: {“count”:10}

Is there an option to make the HTTP client more verbose so that it prints debug output, e.g. which URL is generated?

Thanks!

Best
Ulrich
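The two cross-checks described in this thread (reading group membership straight from the Keycloak admin API, as done above with python-keycloak, and calling .../admin/realms/MyRealm/groups/count by hand to see whether the realm path is right), as one added example that is not part of the original posts and is not Flowable or Keycloak project code. It obtains a client_credentials token, calls the admin endpoints groups/count, groups and groups/{id}/members, raises a dedicated error when the admin path answers with the same 404 {"error":"Realm not found."} body that appears in the stack trace, and diffs Keycloak's per-group member lists against whatever member lists Flowable's IDM app shows (passed in as a plain dict, since the thread does not name the IDM endpoint it was queried through). The base URL, realm name, client id and secret, the in-memory fake Keycloak and the "every user in every group" Flowable view are all constructed placeholders.

```python
"""Added example: cross-check Keycloak group membership against Flowable IDM.
Not Flowable or Keycloak code; host, realm, client and all data are placeholders."""
import json
import urllib.error
import urllib.parse
import urllib.request

# Constructed placeholders: an in-memory stand-in for a Keycloak server so the example runs offline.
FAKE_BASE = "https://my.keycloak.server/auth"
FAKE_GROUPS = {"g1": ("finance", ["alice", "bob"]), "g2": ("hr", ["carol"])}
BUGGY_FLOWABLE_VIEW = {"finance": ["alice", "bob", "carol"], "hr": ["alice", "bob", "carol"]}


class RealmMismatch(Exception):
    """Admin API answered 404 'Realm not found.' for the configured realm."""


def http_json(url, token=None, form=None):
    """Real transport: GET (or POST a form) and return (status, parsed JSON body)."""
    headers = {"Accept": "application/json", **({"Authorization": "Bearer " + token} if token else {})}
    if form is not None:
        headers["Content-Type"] = "application/x-www-form-urlencoded"
    data = urllib.parse.urlencode(form).encode() if form is not None else None
    try:
        with urllib.request.urlopen(urllib.request.Request(url, data=data, headers=headers), timeout=10) as r:
            return r.status, json.load(r)
    except urllib.error.HTTPError as err:
        return err.code, json.load(err)  # Keycloak answers errors with a JSON body


class KeycloakAdminProbe:
    def __init__(self, base_url, realm, transport=http_json):
        self.base_url = base_url.rstrip("/")  # e.g. https://my.keycloak.server/auth
        self.realm = urllib.parse.quote(realm, safe="")
        self.transport = transport  # injectable so the example can run offline

    def admin_url(self, path):
        return f"{self.base_url}/admin/realms/{self.realm}/{path}"

    def token(self, client_id, client_secret):
        """client_credentials grant; the client needs realm-management roles (view-users, query-groups)."""
        status, body = self.transport(
            f"{self.base_url}/realms/{self.realm}/protocol/openid-connect/token",
            form={"grant_type": "client_credentials", "client_id": client_id,
                  "client_secret": client_secret})
        if status != 200:
            raise RuntimeError(f"token request failed: {status} {body}")
        return body["access_token"]

    def _admin_get(self, path, token):
        status, body = self.transport(self.admin_url(path), token=token)
        if status == 404 and isinstance(body, dict) and "Realm" in str(body.get("error")):
            raise RealmMismatch(f"{self.admin_url(path)} -> {body}")  # the thread's 404
        if status != 200:
            raise RuntimeError(f"{path}: {status} {body}")
        return body

    def group_count(self, token):  # the call that fails at KeycloakGroupQueryImpl.java:62
        return self._admin_get("groups/count", token)["count"]

    def membership(self, token):  # {group name: sorted usernames} as Keycloak reports it
        return {g["name"]: sorted(m["username"] for m in
                                  self._admin_get(f"groups/{g['id']}/members", token))
                for g in self._admin_get("groups?briefRepresentation=true", token)}


def diff_membership(keycloak, flowable):
    """Groups whose members differ: {group: (missing in Flowable, extra in Flowable)}."""
    out = {}
    for name in sorted(set(keycloak) | set(flowable)):
        kc, fl = set(keycloak.get(name, ())), set(flowable.get(name, ()))
        if kc != fl:
            out[name] = (sorted(kc - fl), sorted(fl - kc))
    return out


def run_check(realm, flowable_view, client_id, client_secret, base_url=FAKE_BASE, transport=http_json):
    """Token -> group count -> membership -> diff against what Flowable IDM shows."""
    probe = KeycloakAdminProbe(base_url, realm, transport)
    tok = probe.token(client_id, client_secret)
    kc = probe.membership(tok)
    return {"count": probe.group_count(tok), "keycloak": kc, "diff": diff_membership(kc, flowable_view)}


def fake_transport(url, token=None, form=None):
    path = url[len(FAKE_BASE):]
    if path == "/realms/MyRealm/protocol/openid-connect/token":
        return 200, {"access_token": "fake-token"}
    if not path.startswith("/admin/realms/MyRealm/"):
        return 404, {"error": "Realm not found."}  # same body as in the stack trace
    rest = path[len("/admin/realms/MyRealm/"):]
    if rest == "groups/count":
        return 200, {"count": len(FAKE_GROUPS)}
    if rest.startswith("groups?"):
        return 200, [{"id": gid, "name": name} for gid, (name, _) in FAKE_GROUPS.items()]
    if rest.startswith("groups/") and rest.endswith("/members"):
        return 200, [{"username": u} for u in FAKE_GROUPS[rest.split("/")[1]][1]]
    return 404, {"error": "unknown path " + rest}


if __name__ == "__main__":
    print(json.dumps(run_check("MyRealm", BUGGY_FLOWABLE_VIEW, "flowable-idm", "x", transport=fake_transport), indent=2))
```

Against a real server, drop transport= and pass the real base URL (with or without the /auth prefix, depending on the Keycloak version), the realm as it is spelled in Keycloak, and the credentials of a confidential client that holds the realm-management roles; the Flowable side is whatever member list you read out of the IDM app or its REST interface. The diff is empty when both sides agree and, for the symptom in this thread, lists every non-member as "extra in Flowable" for every group. The RealmMismatch error surfaces the exact admin URL the client built, which is the piece of information the posts above were trying to get out of RestTemplate; a 404 on that URL while the same realm answers in RESTClient points at the realm segment (or base path) being different in the two configurations.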