keycloak-user-migration
REST Client URI is not invoked. Nothing in the logs related to this plugin
Running Keycloak 21.1.2 and version 1.0.0 of the keycloak-user-migration plugin on a Kubernetes cluster.
I've set up a REST client using this plugin with no authentication. The URL is the following; I've redacted the subdomain which I am using.
https://{{redacted}}.ngrok.app/api/external-login
I can login if a user already exists in Keycloak but if the user does not exist then Keycloak or this plugin is not calling the configured REST API endpoint.
I've looked into the logs and I can see that first it generates a SQL query to check if that user exists in the Keycloak db, and then after a few further log entries, it has another SQL query to insert into the EVENT_ENTITY table with the error that the user was not found.
Between these log entries, I would expect something from Keycloak or this plugin which invokes this REST endpoint, but there is nothing. There are only other logs which are related to Hibernate.
Attaching the screenshots just to show you that there is nothing related to lazy migration in the logs.
Entry no. 157 2024-03-15T12:10:11.207+00:00
is the SELECT query, trying to find that user in the Keycloak user table.
Entry no. 121 2024-03-15T12:10:11.387+00:00
is the insert into Event_entity table.
What's going on? How do I confirm if this plugin is working or am I missing something?
It's honestly hard to tell what could be wrong here. Things that come to my mind:
- Are you 100% sure that the endpoint is not being called?
- Are you 100% sure that the endpoint URL is correct? Any HTTP status other than 200 will be interpreted as the user not having been found, so if the URL is incorrect, the plugin will assume that the user doesn't exist.
- Are you sure the endpoint is behaving correctly, i.e. accepts the correct request body and returns the correct response?
Otherwise, perhaps studying the Cypress test can help find the issue: https://github.com/daniel-frak/keycloak-user-migration/blob/master/docker/e2e/cypress/e2e/migrating_users.cy.js
I'd recommend first running it as is, to ensure it passes, then modifying it to use your own Keycloak instance and legacy system.
It's honestly hard to tell what could be wrong here. Things that come to my mind:
- Are you 100% sure that the endpoint is not being called?
I am relying upon the logs. According to the logs, I don't see anything in the Keycloak logs. The URL is provided by ngrok, which is a web tunnelling tool, and if you hit any URL on that subdomain, it shows in its console which URL was hit and what response status code it returned. So I am quite confident that it is not calling the configured endpoint.
- Are you 100% sure that the endpoint URL is correct? Any HTTP status other than 200 will be interpreted as the user not having been found, so if the URL is incorrect, the plugin will assume that the user doesn't exist.
Yes, I've copy-pasted that same URL into Postman and appended /someUsername and it works, and I can see in the ngrok console as well that there was a request.
- Are you sure the endpoint is behaving correctly, i.e. accepts the correct request body and returns the correct response?
As far as I know, the first request is an HTTP GET request and it appends the username, so in my case it will be api/external-login/UsernameDoNotExist. My C# code is configured to have this route and returns user details. Same goes for HTTP POST, but tbh I haven't tried that yet because I am stuck on the first step.
Otherwise, perhaps studying the Cypress test can help find the issue: https://github.com/daniel-frak/keycloak-user-migration/blob/master/docker/e2e/cypress/e2e/migrating_users.cy.js
I'll look into this.
I'd recommend first running it as is, to ensure it passes, then modifying it to use your own Keycloak instance and legacy system.
Yup, good idea, I'll do that.
Hi, I was having a similar issue and figured out after reading through the code (especially here) that the usernameOrEmail gets appended to the URL but without a / in between.
Therefore, this requires you to put this / at the end of your URL in the settings.
Maybe it would be nice to handle this in the plugin: as in, if there is no end slash on the URL, do the appending accordingly.
Happy to help if it's something you want.
@edouardr But isn't there a / added on the very line you're linking to? I would rather say that the plugin requires you to not put a slash at the end of the URL, as it is currently coded.
Regardless, I will gladly accept any PR which makes the application more resilient :)
@daniel-frak you are right, it was probably too late and my eyes were tired. What's weird is that as soon as I put the / at the end, the plugin started working.
I'll try to build the plugin locally to see if I can replicate.
I don't know if this is related but on our side, it looks like the request to specified endpoint url is blocked by our WAF (Akamai) as it is detected as a bot. We are trying to find a solution.
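A way to check the trailing-slash question and the "anything other than 200 means user not found" rule discussed in this thread, as an added example that is not the plugin's code: it builds the lookup URL for each possible join style and reports the status each one gets. The stub server, the username `alice` and the function names are constructed for the demonstration; the `api/external-login` path is the one from the issue.

```python
import threading
import urllib.error
import urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.parse import quote

# Ignore proxy environment variables so local probes go direct.
_opener = urllib.request.build_opener(urllib.request.ProxyHandler({}))

def candidate_urls(base, username):
    """The lookup URLs a client could build from the configured base URI."""
    user = quote(username, safe="")
    return {
        "slash_join": base + "/" + user,               # separator always added
        "plain_concat": base + user,                   # no separator added
        "normalized": base.rstrip("/") + "/" + user,   # exactly one separator
    }

def probe(url):
    """Return the HTTP status for a GET, or None if nothing answered."""
    try:
        with _opener.open(url, timeout=5) as resp:
            return resp.status
    except urllib.error.HTTPError as err:
        return err.code
    except (urllib.error.URLError, OSError):
        return None

def diagnose(base, username):
    """Map each join style to (url, status); only 200 counts as 'user found'."""
    return {k: (u, probe(u)) for k, u in candidate_urls(base, username).items()}

class StubLegacy(BaseHTTPRequestHandler):
    """Constructed stand-in for a legacy API: knows one user at one exact path."""
    def do_GET(self):
        self.send_response(200 if self.path == "/api/external-login/alice" else 404)
        self.end_headers()
    def log_message(self, *args):  # keep the demo output clean
        pass

def start_stub():
    server = HTTPServer(("127.0.0.1", 0), StubLegacy)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server

if __name__ == "__main__":
    srv = start_stub()
    root = "http://127.0.0.1:%d/api/external-login" % srv.server_address[1]
    for base in (root, root + "/"):
        for style, (url, status) in diagnose(base, "alice").items():
            print(f"{style:13} {url} -> {status}")
    srv.shutdown()
```

Calling `diagnose()` with the base URI exactly as entered in the provider settings and a known legacy username shows which join style the legacy API answers with 200; a `None` means the request never reached an HTTP server at all.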