privacyidea/keycloak-provider

Standalone Capability - Post IdP Login Exception

sherzinger opened this issue · 7 comments

Hi,

I would like to add MFA for IdP logins which do not support it.
To achieve this I added a new Authentication Flow with privacyidea as its only execution.
I then use this flow as a Post Login Flow in my desired IdP.

Unfortunately I get the exception below.
The line in which the NPE occurs seems to be https://github.com/privacyidea/keycloak-provider/blob/master/src/main/java/org/privacyidea/authenticator/PrivacyIDEAAuthenticator.java#L161

Oct 06 09:12:07 lcsb-cdc-keycloak-ha-02.uni.lu kc.sh[1909625]: 2022-10-06 09:12:07,719 DEBUG [org.keycloak.saml.validators.ConditionsValidator] (executor-thread-0) Evaluating Conditions of Assertion _a9dec4d5-fd21-4f56-b3bf-da66c545f277. notBefore=2022-10-06T07:12:07.644Z, notOnOrAfter=2022-10-06T08:12:07.644Z, updatedNotBefore: 2022-10-06T07:12:02.644Z, updatedOnOrAfter=2022-10-06T08:12:12.644Z, now: 2022-10-06T07:12:07.719Z
Oct 06 09:12:07 lcsb-cdc-keycloak-ha-02.uni.lu kc.sh[1909625]: 2022-10-06 09:12:07,719 DEBUG [org.keycloak.saml.validators.ConditionsValidator] (executor-thread-0) Assertion _a9dec4d5-fd21-4f56-b3bf-da66c545f277 validity is VALID
Oct 06 09:12:07 lcsb-cdc-keycloak-ha-02.uni.lu kc.sh[1909625]: 2022-10-06 09:12:07,719 DEBUG [org.keycloak.services.resources.IdentityBrokerService] (executor-thread-0) Token will not be stored for identity provider [ul-adfs].
Oct 06 09:12:07 lcsb-cdc-keycloak-ha-02.uni.lu kc.sh[1909625]: 2022-10-06 09:12:07,719 DEBUG [org.keycloak.services.resources.IdentityBrokerService] (executor-thread-0) Redirect to postBrokerLogin flow after authentication with identityProvider 'ul-adfs'.
Oct 06 09:12:07 lcsb-cdc-keycloak-ha-02.uni.lu kc.sh[1909625]: 2022-10-06 09:12:07,722 DEBUG [org.keycloak.transaction.JtaTransactionWrapper] (executor-thread-0) JtaTransactionWrapper  commit
Oct 06 09:12:07 lcsb-cdc-keycloak-ha-02.uni.lu kc.sh[1909625]: 2022-10-06 09:12:07,722 DEBUG [org.hibernate.engine.transaction.internal.TransactionImpl] (executor-thread-0) On TransactionImpl creation, JpaCompliance#isJpaTransactionComplianceEnabled == false
Oct 06 09:12:07 lcsb-cdc-keycloak-ha-02.uni.lu kc.sh[1909625]: 2022-10-06 09:12:07,722 DEBUG [org.hibernate.resource.jdbc.internal.LogicalConnectionManagedImpl] (executor-thread-0) Initiating JDBC connection release from beforeTransactionCompletion
Oct 06 09:12:07 lcsb-cdc-keycloak-ha-02.uni.lu kc.sh[1909625]: 2022-10-06 09:12:07,722 DEBUG [org.hibernate.resource.jdbc.internal.LogicalConnectionManagedImpl] (executor-thread-0) Initiating JDBC connection release from afterTransaction
Oct 06 09:12:07 lcsb-cdc-keycloak-ha-02.uni.lu kc.sh[1909625]: 2022-10-06 09:12:07,722 DEBUG [org.keycloak.transaction.JtaTransactionWrapper] (executor-thread-0) JtaTransactionWrapper end
Oct 06 09:12:07 lcsb-cdc-keycloak-ha-02.uni.lu kc.sh[1909625]: 2022-10-06 09:12:07,742 DEBUG [io.quarkus.vertx.http.runtime.ForwardedParser] (vert.x-eventloop-thread-5) Recalculated absoluteURI to https://sso.lcsb.uni.lu/realms/main/login-actions/post-broker-login?client_id=account&tab_id=aw9iKo3Pjug
Oct 06 09:12:07 lcsb-cdc-keycloak-ha-02.uni.lu kc.sh[1909625]: 2022-10-06 09:12:07,742 DEBUG [org.keycloak.transaction.JtaTransactionWrapper] (executor-thread-0) new JtaTransactionWrapper
Oct 06 09:12:07 lcsb-cdc-keycloak-ha-02.uni.lu kc.sh[1909625]: 2022-10-06 09:12:07,742 DEBUG [org.keycloak.transaction.JtaTransactionWrapper] (executor-thread-0) was existing? false
Oct 06 09:12:07 lcsb-cdc-keycloak-ha-02.uni.lu kc.sh[1909625]: 2022-10-06 09:12:07,743 DEBUG [org.hibernate.resource.jdbc.internal.LogicalConnectionManagedImpl] (executor-thread-0) `hibernate.connection.provider_disables_autocommit` was enabled.  This setting should only be enabled when you are certain that the Connections given to Hibernate by the ConnectionProvider have auto-commit disabled.  Enabling this setting when the Connections do not have auto-commit disabled will lead to Hibernate executing SQL operations outside of any JDBC/SQL transaction.
Oct 06 09:12:07 lcsb-cdc-keycloak-ha-02.uni.lu kc.sh[1909625]: 2022-10-06 09:12:07,743 DEBUG [org.hibernate.resource.transaction.backend.jta.internal.JtaTransactionCoordinatorImpl] (executor-thread-0) Hibernate RegisteredSynchronization successfully registered with JTA platform
Oct 06 09:12:07 lcsb-cdc-keycloak-ha-02.uni.lu kc.sh[1909625]: 2022-10-06 09:12:07,744 DEBUG [org.keycloak.services.resources.SessionCodeChecks] (executor-thread-0) Will use client 'account' in back-to-application link
Oct 06 09:12:07 lcsb-cdc-keycloak-ha-02.uni.lu kc.sh[1909625]: 2022-10-06 09:12:07,744 DEBUG [org.keycloak.services.util.CookieHelper] (executor-thread-0) AUTH_SESSION_ID cookie found in the request header
Oct 06 09:12:07 lcsb-cdc-keycloak-ha-02.uni.lu kc.sh[1909625]: 2022-10-06 09:12:07,744 DEBUG [org.keycloak.services.util.CookieHelper] (executor-thread-0) AUTH_SESSION_ID cookie found in the cookie field
Oct 06 09:12:07 lcsb-cdc-keycloak-ha-02.uni.lu kc.sh[1909625]: 2022-10-06 09:12:07,744 DEBUG [org.keycloak.services.managers.AuthenticationSessionManager] (executor-thread-0) Found AUTH_SESSION_ID cookie with value eb3b2250-3f9b-4eb5-898a-3872f530649a.lcsb-cdc-keycloak-ha-02-53209
Oct 06 09:12:07 lcsb-cdc-keycloak-ha-02.uni.lu kc.sh[1909625]: 2022-10-06 09:12:07,744 DEBUG [org.keycloak.services.resources.SessionCodeChecks] (executor-thread-0) Transition between flows! Current flow: post-broker-login, Previous flow: authenticate
Oct 06 09:12:07 lcsb-cdc-keycloak-ha-02.uni.lu kc.sh[1909625]: 2022-10-06 09:12:07,747 DEBUG [org.keycloak.authentication.AuthenticationProcessor] (executor-thread-0) AUTHENTICATE
Oct 06 09:12:07 lcsb-cdc-keycloak-ha-02.uni.lu kc.sh[1909625]: 2022-10-06 09:12:07,747 DEBUG [org.keycloak.authentication.AuthenticationProcessor] (executor-thread-0) AUTHENTICATE ONLY
Oct 06 09:12:07 lcsb-cdc-keycloak-ha-02.uni.lu kc.sh[1909625]: 2022-10-06 09:12:07,747 DEBUG [org.keycloak.authentication.DefaultAuthenticationFlow] (executor-thread-0) processFlow: MFA Post IdP Login
Oct 06 09:12:07 lcsb-cdc-keycloak-ha-02.uni.lu kc.sh[1909625]: 2022-10-06 09:12:07,747 DEBUG [org.keycloak.authentication.DefaultAuthenticationFlow] (executor-thread-0) check execution: 'privacyidea-authenticator', requirement: 'REQUIRED'
Oct 06 09:12:07 lcsb-cdc-keycloak-ha-02.uni.lu kc.sh[1909625]: 2022-10-06 09:12:07,747 DEBUG [org.keycloak.authentication.DefaultAuthenticationFlow] (executor-thread-0) authenticator: privacyidea-authenticator
Oct 06 09:12:07 lcsb-cdc-keycloak-ha-02.uni.lu kc.sh[1909625]: 2022-10-06 09:12:07,747 DEBUG [org.keycloak.authentication.AuthenticationSelectionResolver] (executor-thread-0) Going through the flow 'MFA Post IdP Login' for adding executions
Oct 06 09:12:07 lcsb-cdc-keycloak-ha-02.uni.lu kc.sh[1909625]: 2022-10-06 09:12:07,747 DEBUG [org.keycloak.authentication.AuthenticationSelectionResolver] (executor-thread-0) Selections when trying execution 'privacyidea-authenticator' : [ authSelection - privacyidea-authenticator]
Oct 06 09:12:07 lcsb-cdc-keycloak-ha-02.uni.lu kc.sh[1909625]: 2022-10-06 09:12:07,748 DEBUG [org.keycloak.authentication.DefaultAuthenticationFlow] (executor-thread-0) invoke authenticator.authenticate: privacyidea-authenticator
Oct 06 09:12:07 lcsb-cdc-keycloak-ha-02.uni.lu kc.sh[1909625]: 2022-10-06 09:12:07,748 WARN  [org.keycloak.services] (executor-thread-0) KC-SERVICES0013: Failed authentication: java.lang.NullPointerException
Oct 06 09:12:07 lcsb-cdc-keycloak-ha-02.uni.lu kc.sh[1909625]:         at org.jboss.resteasy.plugins.server.BaseHttpRequest.getFormParameters(BaseHttpRequest.java:53)
Oct 06 09:12:07 lcsb-cdc-keycloak-ha-02.uni.lu kc.sh[1909625]:         at org.jboss.resteasy.plugins.server.BaseHttpRequest.getDecodedFormParameters(BaseHttpRequest.java:74)
Oct 06 09:12:07 lcsb-cdc-keycloak-ha-02.uni.lu kc.sh[1909625]:         at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
Oct 06 09:12:07 lcsb-cdc-keycloak-ha-02.uni.lu kc.sh[1909625]:         at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
Oct 06 09:12:07 lcsb-cdc-keycloak-ha-02.uni.lu kc.sh[1909625]:         at java.base/jdk.internal.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
Oct 06 09:12:07 lcsb-cdc-keycloak-ha-02.uni.lu kc.sh[1909625]:         at java.base/java.lang.reflect.Method.invoke(Method.java:566)
Oct 06 09:12:07 lcsb-cdc-keycloak-ha-02.uni.lu kc.sh[1909625]:         at org.jboss.resteasy.core.ContextParameterInjector$GenericDelegatingProxy.invoke(ContextParameterInjector.java:166)
Oct 06 09:12:07 lcsb-cdc-keycloak-ha-02.uni.lu kc.sh[1909625]:         at com.sun.proxy.$Proxy46.getDecodedFormParameters(Unknown Source)
Oct 06 09:12:07 lcsb-cdc-keycloak-ha-02.uni.lu kc.sh[1909625]:         at org.privacyidea.authenticator.PrivacyIDEAAuthenticator.authenticate(PrivacyIDEAAuthenticator.java:161)
Oct 06 09:12:07 lcsb-cdc-keycloak-ha-02.uni.lu kc.sh[1909625]:         at org.keycloak.authentication.DefaultAuthenticationFlow.processSingleFlowExecutionModel(DefaultAuthenticationFlow.java:446)
Oct 06 09:12:07 lcsb-cdc-keycloak-ha-02.uni.lu kc.sh[1909625]:         at org.keycloak.authentication.DefaultAuthenticationFlow.processFlow(DefaultAuthenticationFlow.java:250)
Oct 06 09:12:07 lcsb-cdc-keycloak-ha-02.uni.lu kc.sh[1909625]:         at org.keycloak.authentication.AuthenticationProcessor.authenticateOnly(AuthenticationProcessor.java:1017)
Oct 06 09:12:07 lcsb-cdc-keycloak-ha-02.uni.lu kc.sh[1909625]:         at org.keycloak.services.resources.LoginActionsService$1.authenticateOnly(LoginActionsService.java:801)
Oct 06 09:12:07 lcsb-cdc-keycloak-ha-02.uni.lu kc.sh[1909625]:         at org.keycloak.authentication.AuthenticationProcessor.authenticate(AuthenticationProcessor.java:879)
Oct 06 09:12:07 lcsb-cdc-keycloak-ha-02.uni.lu kc.sh[1909625]:         at org.keycloak.services.resources.LoginActionsService.processFlow(LoginActionsService.java:316)
Oct 06 09:12:07 lcsb-cdc-keycloak-ha-02.uni.lu kc.sh[1909625]:         at org.keycloak.services.resources.LoginActionsService.brokerLoginFlow(LoginActionsService.java:831)
Oct 06 09:12:07 lcsb-cdc-keycloak-ha-02.uni.lu kc.sh[1909625]:         at org.keycloak.services.resources.LoginActionsService.postBrokerLoginGet(LoginActionsService.java:745)
Oct 06 09:12:07 lcsb-cdc-keycloak-ha-02.uni.lu kc.sh[1909625]:         at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
Oct 06 09:12:07 lcsb-cdc-keycloak-ha-02.uni.lu kc.sh[1909625]:         at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
Oct 06 09:12:07 lcsb-cdc-keycloak-ha-02.uni.lu kc.sh[1909625]:         at java.base/jdk.internal.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
Oct 06 09:12:07 lcsb-cdc-keycloak-ha-02.uni.lu kc.sh[1909625]:         at java.base/java.lang.reflect.Method.invoke(Method.java:566)
Oct 06 09:12:07 lcsb-cdc-keycloak-ha-02.uni.lu kc.sh[1909625]:         at org.jboss.resteasy.core.MethodInjectorImpl.invoke(MethodInjectorImpl.java:170)
Oct 06 09:12:07 lcsb-cdc-keycloak-ha-02.uni.lu kc.sh[1909625]:         at org.jboss.resteasy.core.MethodInjectorImpl.invoke(MethodInjectorImpl.java:130)
Oct 06 09:12:07 lcsb-cdc-keycloak-ha-02.uni.lu kc.sh[1909625]:         at org.jboss.resteasy.core.ResourceMethodInvoker.internalInvokeOnTarget(ResourceMethodInvoker.java:660)
Oct 06 09:12:07 lcsb-cdc-keycloak-ha-02.uni.lu kc.sh[1909625]:         at org.jboss.resteasy.core.ResourceMethodInvoker.invokeOnTargetAfterFilter(ResourceMethodInvoker.java:524)
Oct 06 09:12:07 lcsb-cdc-keycloak-ha-02.uni.lu kc.sh[1909625]:         at org.jboss.resteasy.core.ResourceMethodInvoker.lambda$invokeOnTarget$2(ResourceMethodInvoker.java:474)
Oct 06 09:12:07 lcsb-cdc-keycloak-ha-02.uni.lu kc.sh[1909625]:         at org.jboss.resteasy.core.interception.jaxrs.PreMatchContainerRequestContext.filter(PreMatchContainerRequestContext.java:364)
Oct 06 09:12:07 lcsb-cdc-keycloak-ha-02.uni.lu kc.sh[1909625]:         at org.jboss.resteasy.core.ResourceMethodInvoker.invokeOnTarget(ResourceMethodInvoker.java:476)
Oct 06 09:12:07 lcsb-cdc-keycloak-ha-02.uni.lu kc.sh[1909625]:         at org.jboss.resteasy.core.ResourceMethodInvoker.invoke(ResourceMethodInvoker.java:434)
Oct 06 09:12:07 lcsb-cdc-keycloak-ha-02.uni.lu kc.sh[1909625]:         at org.jboss.resteasy.core.ResourceLocatorInvoker.invokeOnTargetObject(ResourceLocatorInvoker.java:192)
Oct 06 09:12:07 lcsb-cdc-keycloak-ha-02.uni.lu kc.sh[1909625]:         at org.jboss.resteasy.core.ResourceLocatorInvoker.invoke(ResourceLocatorInvoker.java:141)
Oct 06 09:12:07 lcsb-cdc-keycloak-ha-02.uni.lu kc.sh[1909625]:         at org.jboss.resteasy.core.ResourceLocatorInvoker.invoke(ResourceLocatorInvoker.java:32)
Oct 06 09:12:07 lcsb-cdc-keycloak-ha-02.uni.lu kc.sh[1909625]:         at org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:492)
Oct 06 09:12:07 lcsb-cdc-keycloak-ha-02.uni.lu kc.sh[1909625]:         at org.jboss.resteasy.core.SynchronousDispatcher.lambda$invoke$4(SynchronousDispatcher.java:261)
Oct 06 09:12:07 lcsb-cdc-keycloak-ha-02.uni.lu kc.sh[1909625]:         at org.jboss.resteasy.core.SynchronousDispatcher.lambda$preprocess$0(SynchronousDispatcher.java:161)
Oct 06 09:12:07 lcsb-cdc-keycloak-ha-02.uni.lu kc.sh[1909625]:         at org.jboss.resteasy.core.interception.jaxrs.PreMatchContainerRequestContext.filter(PreMatchContainerRequestContext.java:364)
Oct 06 09:12:07 lcsb-cdc-keycloak-ha-02.uni.lu kc.sh[1909625]:         at org.jboss.resteasy.core.SynchronousDispatcher.preprocess(SynchronousDispatcher.java:164)
Oct 06 09:12:07 lcsb-cdc-keycloak-ha-02.uni.lu kc.sh[1909625]:         at org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:247)
Oct 06 09:12:07 lcsb-cdc-keycloak-ha-02.uni.lu kc.sh[1909625]:         at io.quarkus.resteasy.runtime.standalone.RequestDispatcher.service(RequestDispatcher.java:73)
Oct 06 09:12:07 lcsb-cdc-keycloak-ha-02.uni.lu kc.sh[1909625]:         at io.quarkus.resteasy.runtime.standalone.VertxRequestHandler.dispatch(VertxRequestHandler.java:151)
Oct 06 09:12:07 lcsb-cdc-keycloak-ha-02.uni.lu kc.sh[1909625]:         at io.quarkus.resteasy.runtime.standalone.VertxRequestHandler.handle(VertxRequestHandler.java:82)
Oct 06 09:12:07 lcsb-cdc-keycloak-ha-02.uni.lu kc.sh[1909625]:         at io.quarkus.resteasy.runtime.standalone.VertxRequestHandler.handle(VertxRequestHandler.java:42)
Oct 06 09:12:07 lcsb-cdc-keycloak-ha-02.uni.lu kc.sh[1909625]:         at io.vertx.ext.web.impl.RouteState.handleContext(RouteState.java:1212)
Oct 06 09:12:07 lcsb-cdc-keycloak-ha-02.uni.lu kc.sh[1909625]:         at io.vertx.ext.web.impl.RoutingContextImplBase.iterateNext(RoutingContextImplBase.java:163)
Oct 06 09:12:07 lcsb-cdc-keycloak-ha-02.uni.lu kc.sh[1909625]:         at io.vertx.ext.web.impl.RoutingContextImpl.next(RoutingContextImpl.java:141)
Oct 06 09:12:07 lcsb-cdc-keycloak-ha-02.uni.lu kc.sh[1909625]:         at io.quarkus.vertx.http.runtime.StaticResourcesRecorder$2.handle(StaticResourcesRecorder.java:67)
Oct 06 09:12:07 lcsb-cdc-keycloak-ha-02.uni.lu kc.sh[1909625]:         at io.quarkus.vertx.http.runtime.StaticResourcesRecorder$2.handle(StaticResourcesRecorder.java:55)
Oct 06 09:12:07 lcsb-cdc-keycloak-ha-02.uni.lu kc.sh[1909625]:         at io.vertx.ext.web.impl.RouteState.handleContext(RouteState.java:1212)
Oct 06 09:12:07 lcsb-cdc-keycloak-ha-02.uni.lu kc.sh[1909625]:         at io.vertx.ext.web.impl.RoutingContextImplBase.iterateNext(RoutingContextImplBase.java:163)
Oct 06 09:12:07 lcsb-cdc-keycloak-ha-02.uni.lu kc.sh[1909625]:         at io.vertx.ext.web.impl.RoutingContextImpl.next(RoutingContextImpl.java:141)
Oct 06 09:12:07 lcsb-cdc-keycloak-ha-02.uni.lu kc.sh[1909625]:         at io.quarkus.vertx.http.runtime.VertxHttpRecorder$5.handle(VertxHttpRecorder.java:380)
Oct 06 09:12:07 lcsb-cdc-keycloak-ha-02.uni.lu kc.sh[1909625]:         at io.quarkus.vertx.http.runtime.VertxHttpRecorder$5.handle(VertxHttpRecorder.java:358)
Oct 06 09:12:07 lcsb-cdc-keycloak-ha-02.uni.lu kc.sh[1909625]:         at io.vertx.ext.web.impl.RouteState.handleContext(RouteState.java:1212)
Oct 06 09:12:07 lcsb-cdc-keycloak-ha-02.uni.lu kc.sh[1909625]:         at io.vertx.ext.web.impl.RoutingContextImplBase.iterateNext(RoutingContextImplBase.java:163)
Oct 06 09:12:07 lcsb-cdc-keycloak-ha-02.uni.lu kc.sh[1909625]:         at io.vertx.ext.web.impl.RoutingContextImpl.next(RoutingContextImpl.java:141)
Oct 06 09:12:07 lcsb-cdc-keycloak-ha-02.uni.lu kc.sh[1909625]:         at org.keycloak.quarkus.runtime.integration.web.QuarkusRequestFilter.lambda$createBlockingHandler$1(QuarkusRequestFilter.java:90)
Oct 06 09:12:07 lcsb-cdc-keycloak-ha-02.uni.lu kc.sh[1909625]:         at io.vertx.core.impl.ContextImpl.lambda$null$0(ContextImpl.java:159)
Oct 06 09:12:07 lcsb-cdc-keycloak-ha-02.uni.lu kc.sh[1909625]:         at io.vertx.core.impl.AbstractContext.dispatch(AbstractContext.java:100)
Oct 06 09:12:07 lcsb-cdc-keycloak-ha-02.uni.lu kc.sh[1909625]:         at io.vertx.core.impl.ContextImpl.lambda$executeBlocking$1(ContextImpl.java:157)
Oct 06 09:12:07 lcsb-cdc-keycloak-ha-02.uni.lu kc.sh[1909625]:         at io.quarkus.vertx.core.runtime.VertxCoreRecorder$13.runWith(VertxCoreRecorder.java:545)
Oct 06 09:12:07 lcsb-cdc-keycloak-ha-02.uni.lu kc.sh[1909625]:         at org.jboss.threads.EnhancedQueueExecutor$Task.run(EnhancedQueueExecutor.java:2449)
Oct 06 09:12:07 lcsb-cdc-keycloak-ha-02.uni.lu kc.sh[1909625]:         at org.jboss.threads.EnhancedQueueExecutor$ThreadBody.run(EnhancedQueueExecutor.java:1478)
Oct 06 09:12:07 lcsb-cdc-keycloak-ha-02.uni.lu kc.sh[1909625]:         at org.jboss.threads.DelegatingRunnable.run(DelegatingRunnable.java:29)
Oct 06 09:12:07 lcsb-cdc-keycloak-ha-02.uni.lu kc.sh[1909625]:         at org.jboss.threads.ThreadLocalResettingRunnable.run(ThreadLocalResettingRunnable.java:29)
Oct 06 09:12:07 lcsb-cdc-keycloak-ha-02.uni.lu kc.sh[1909625]:         at io.netty.util.concurrent.FastThreadLocalRunnable.run(FastThreadLocalRunnable.java:30)
Oct 06 09:12:07 lcsb-cdc-keycloak-ha-02.uni.lu kc.sh[1909625]:         at java.base/java.lang.Thread.run(Thread.java:829)

Hi, this happens because this provider is not intended to be used as the sole execution in the flow. It is expected to have some sort of password provider before it, as detailed here: https://community.privacyidea.org/t/how-to-use-keycloak-with-privacyidea/1132. Because our provider is the first, it misses the parameters from the one that should be executed before; therefore this exception occurs.
How did you intend to use it? Would the password be verified by privacyidea?

Hi @nilsbehlen , thank you for the super quick response!

No, there are no passwords handled by Keycloak or PI here. The goal is to enhance IdP logins with MFA if the IdP does not provide it itself.

We have several institutional (internal and external) IdPs without MFA support. Some of these users will have access to sensitive datasets and we want to enforce MFA, no matter how the account logged in.

And as far as I understand the code the password is only used in a password challenge, right?
Couldn't you completely skip that check if config.sendPassword() is false?

I think we would need to look at all places where DecodedFormParams is used, because that would be null in case there is no provider before ours.
If you have time, you can try to skip that part and build the provider from source (which is really easy).

Oh yeah that should not be a problem. I just would prefer if this could get fixed/addressed upstream at some point, because it's a real use-case for some institutions and there wouldn't be a need to maintain a fork.

Isn't this the only spot where DecodedFormParams occurs?
https://github.com/privacyidea/keycloak-provider/blob/master/src/main/java/org/privacyidea/authenticator/PrivacyIDEAAuthenticator.java#L161

Changing the condition to config.sendPassword() && context.getHttpRequest().getDecodedFormParameters().get(PASSWORD) != null would have the desired effect I believe.

The other occurrence of getDecodedFormParameters is in https://github.com/privacyidea/keycloak-provider/blob/master/src/main/java/org/privacyidea/authenticator/PrivacyIDEAAuthenticator.java#L281 but that's a different context where it shouldn't cause any issues.

I may be completely wrong, I just quickly checked the src files in the browser. In any case, if I could convince you that this would be a nice feature to have, I'd appreciate it if you could add it at some point.
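An added illustration of the guarded check proposed above; this is not code from the privacyidea/keycloak-provider project. It uses a plain java.util.Map in place of the JAX-RS MultivaluedMap the authenticator reads, and models "no form was submitted" (the post-broker-login GET in the trace) as a null map; note that the trace shows the NPE raised inside getFormParameters itself, so in the real provider the guard has to run before the form parameters are requested at all.

```java
import java.util.List;
import java.util.Map;
import java.util.Optional;

// Added example, not code from privacyidea/keycloak-provider. It models the
// fix discussed in this thread: only read the PASSWORD form field when
// sendPassword is enabled AND a form was actually submitted. After an
// external IdP login the post-broker-login request carries no form body.
public class PasswordParamCheck {
    static final String PASSWORD = "password";

    /**
     * Returns the password to forward to privacyIDEA, or empty if nothing
     * should be sent. sendPassword stands in for config.sendPassword();
     * formParams is null when no form was posted (hypothetical stand-in for
     * the JAX-RS MultivaluedMap the real request exposes).
     */
    static Optional<String> passwordToSend(boolean sendPassword,
                                           Map<String, List<String>> formParams) {
        if (!sendPassword) {
            return Optional.empty();   // password not needed, form never touched
        }
        if (formParams == null) {
            return Optional.empty();   // no form submitted: post-broker-login GET
        }
        List<String> values = formParams.get(PASSWORD);
        if (values == null || values.isEmpty() || values.get(0).isEmpty()) {
            return Optional.empty();   // form present but no password field
        }
        return Optional.of(values.get(0));
    }

    public static void main(String[] args) {
        // Case 1: post-broker-login after an external IdP, no form at all.
        Map<String, List<String>> noForm = null;
        System.out.println("no form, sendPassword=true  -> "
                + passwordToSend(true, noForm).orElse("<nothing sent>"));

        // Case 2: a username/password form executed before this authenticator
        // (constructed sample values).
        Map<String, List<String>> form = Map.of(
                "username", List.of("alice"),
                PASSWORD, List.of("constructed-sample-password"));
        System.out.println("form, sendPassword=true     -> "
                + passwordToSend(true, form).orElse("<nothing sent>"));

        // Case 3: sendPassword disabled: the form is never consulted.
        System.out.println("form, sendPassword=false    -> "
                + passwordToSend(false, form).orElse("<nothing sent>"));
    }
}
```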

Yes, we will be looking into this, but it may take some time until we get to it.

This will work with the upcoming 1.3.0 release as long as the username is provided by keycloak (username form or similar).