Bug 1316992

Summary: SSO: Users with uppercase letters hard coded in business processes does not work with Keycloak
Product: [Retired] JBoss BPMS Platform 6 Reporter: Pavel Kralik <pkralik>
Component: Business CentralAssignee: Roger Martínez <romartin>
Status: CLOSED NOTABUG QA Contact: Pavel Kralik <pkralik>
Severity: urgent Docs Contact:
Priority: urgent    
Version: 6.3.0CC: brms-docs, kverlaen, rsynek
Target Milestone: ---   
Target Release: ---   
Hardware: x86_64   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2016-03-21 13:31:46 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Attachments:
Description Flags
BPMS authorized with Keycloak none

Description Pavel Kralik 2016-03-11 16:21:37 UTC 
Created attachment 1135297 [details]
BPMS authorized with Keycloak

Description of problem:
SSO stores user records as lowercase letters strings. User can login to BC via Keycloak with loginname eg. USER, User, or user, but is authorized in lowercase letters finally. If business processes have hard coded usernames eg. task delegation to users with uppercase letters after migration to Keycloak authentication will not work properly.

Version-Release number of selected component (if applicable):
BPMS 6.3.0.DR2

How reproducible:
Always

Steps to Reproduce:
1. Install EAP 6.4/BPMS 6.3.0 and authorize with RH SSO.
2. Create BC/task and delegate to user with uppercase letters in login name.

Actual results:
Task is not delegated to user.

Expected results:
Task is delegated to user.

Additional info:
See attached screenshot.
Comment 2 Kris Verlaenen 2016-03-16 12:38:36 UTC 
Is this a limitation / constraint of KeyCloak we might not be able to work around?
Comment 3 Pavel Kralik 2016-03-16 20:50:31 UTC 
KeyCloak 1.9 (RH SSO 7.0.0.ER7) converts users to lowercase and roles are case sensitive.
Comment 4 Roger Martínez 2016-03-18 19:31:23 UTC 
It seems a limitation from the Keycloak and its adapter. 

Comments from the KC team "I'm afraid this is by design and we can't change it in Keycloak. In Keycloak username is not case sensitive, further we convert to lowercase to make sure the username is consistent.

If we had case insensitive match of username, but didn't lowercase you could end up either "username" or "Username" in the token and both referring to the same user."