Bug 1316992 - SSO: Users with uppercase letters hard coded in business processes does not work with Keycloak
Product: JBoss BPMS Platform 6
Classification: JBoss
Component: Business Central
Hardware: x86_64 Linux
Priority: urgent
Severity: urgent
Assigned To: Roger Martínez
Pavel Kralik
Reported: 2016-03-11 11:21 EST by Pavel Kralik
Modified: 2016-03-21 09:36 EDT

Doc Type: Bug Fix
Last Closed: 2016-03-21 09:31:46 EDT
Type: Bug

Attachments:
BPMS authorized with Keycloak (58.45 KB, image/png)
2016-03-11 11:21 EST, Pavel Kralik

Description Pavel Kralik 2016-03-11 11:21:37 EST
Created attachment 1135297
BPMS authorized with Keycloak

Description of problem:
SSO stores user records as lowercase strings. A user can log in to BC via Keycloak with a login name such as USER, User, or user, but is ultimately authorized in lowercase. If business processes have hard-coded usernames (e.g. task delegation to users with uppercase letters), they will not work properly after migration to Keycloak authentication.

Version-Release number of selected component (if applicable):
BPMS 6.3.0.DR2

How reproducible:

Steps to Reproduce:
1. Install EAP 6.4/BPMS 6.3.0 and authorize with RH SSO.
2. Create BC/task and delegate to user with uppercase letters in login name.

Actual results:
Task is not delegated to user.

Expected results:
Task is delegated to user.

Additional info:
See attached screenshot.

Comment 2 Kris Verlaenen 2016-03-16 08:38:36 EDT
Is this a limitation / constraint of KeyCloak we might not be able to work around?

Comment 3 Pavel Kralik 2016-03-16 16:50:31 EDT
KeyCloak 1.9 (RH SSO 7.0.0.ER7) converts users to lowercase and roles are case sensitive.

Comment 4 Roger Martínez 2016-03-18 15:31:23 EDT
It seems to be a limitation of Keycloak and its adapter.

Comments from the KC team: "I'm afraid this is by design and we can't change it in Keycloak. In Keycloak username is not case sensitive, further we convert to lowercase to make sure the username is consistent.

If we had case insensitive match of username, but didn't lowercase you could end up with either "username" or "Username" in the token and both referring to the same user."
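
An added example, not part of the bug report or of the BPMS or Keycloak code: a pre-migration check that lists user tasks whose hard-coded owner differs from the lowercase username Keycloak will put in the token. It assumes owners are serialized as BPMN2 `potentialOwner` formal expressions; the sample process, its task names and the function names are constructed for illustration.

```python
import xml.etree.ElementTree as ET

BPMN2 = "{http://www.omg.org/spec/BPMN/20100524/MODEL}"

# Constructed sample process: two hard-coded owners and one runtime variable.
SAMPLE_BPMN = """\
<bpmn2:definitions xmlns:bpmn2="http://www.omg.org/spec/BPMN/20100524/MODEL">
 <bpmn2:process id="demo.approval">
  <bpmn2:userTask id="_1" name="Review">
   <bpmn2:potentialOwner><bpmn2:resourceAssignmentExpression>
    <bpmn2:formalExpression>JSmith</bpmn2:formalExpression>
   </bpmn2:resourceAssignmentExpression></bpmn2:potentialOwner>
  </bpmn2:userTask>
  <bpmn2:userTask id="_2" name="Approve">
   <bpmn2:potentialOwner><bpmn2:resourceAssignmentExpression>
    <bpmn2:formalExpression>mary</bpmn2:formalExpression>
   </bpmn2:resourceAssignmentExpression></bpmn2:potentialOwner>
  </bpmn2:userTask>
  <bpmn2:userTask id="_3" name="Sign off">
   <bpmn2:potentialOwner><bpmn2:resourceAssignmentExpression>
    <bpmn2:formalExpression>#{approver}</bpmn2:formalExpression>
   </bpmn2:resourceAssignmentExpression></bpmn2:potentialOwner>
  </bpmn2:userTask>
 </bpmn2:process>
</bpmn2:definitions>"""

def hardcoded_owners(bpmn_xml):
    """Return (task id, task name, owner) for literal user-task owners."""
    found = []
    for task in ET.fromstring(bpmn_xml).iter(BPMN2 + "userTask"):
        for owner in task.iter(BPMN2 + "potentialOwner"):
            for expr in owner.iter(BPMN2 + "formalExpression"):
                value = (expr.text or "").strip()
                # "#{var}" is resolved at runtime, so nothing is hard-coded.
                if value and not value.startswith("#{"):
                    found.append((task.get("id"), task.get("name"), value))
    return found

def case_mismatches(bpmn_xml):
    """Return owners that differ from the lowercase name the IdP asserts."""
    return [
        {"task": tid, "name": name, "owner": owner, "idp_name": owner.lower()}
        for tid, name, owner in hardcoded_owners(bpmn_xml)
        if owner != owner.lower()
    ]
```

Each entry returned by `case_mismatches` is a task assignment that needs its owner rewritten to the `idp_name` value before authentication is switched to Keycloak.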
