Calling external REST API during user creation

the-dude · October 5, 2022, 6:45pm

Hello,

How can I make a call to some REST API during creation of a user in Keycloak and set a user attribute based on the API response?

This should affect user registration, first broker login and ideally programmatic user creation through the Keycloak REST API even though this last point is not a deal-breaker. Failure of the API call should fail user creation - which is also why I don’t want to rely on Keycloak’s event API.

Ideally, I also want to be able to toggle activation of this additional step through the Keycloak UI.

Is a custom authenticator (step) the way to go? I have a doubt since I don’t need to add any user interactive steps to user creation. Any pointers to example implementations would be appreciated.

Thank you,

David

jblachly · October 13, 2022, 11:48pm

Unfortunately, you’ll probably need to write custom Java code hooking the event listener SPI:

https://www.keycloak.org/docs/latest/server_development/index.html#_events

This gets requested all the time, and it’s a shame there is not an easier mechanism (for example, ability to specify a webhook).

xgp · October 14, 2022, 7:48am

The event system in Keycloak does run (by default) as part of the same transaction, so if you throw an exception there, it should cause the whole transaction to fail.

the-dude · October 17, 2022, 11:55am

Hello @xgp ,

thank you for your reply. I found this open bug Transaction in event listener set to rollback only gets committed · Issue #9497 · keycloak/keycloak · GitHub - would this not prevent me from rolling back the transaction for user creation from an EventListener?

I am using the legacy distribution of Keycloak, version 16.1.

Regards,

David

xgp · October 17, 2022, 1:01pm

I’m not familiar with the use of setRollbackOnly(). It seems from the issue that this is a bug, and I haven’t noticed this in the past.

the-dude · October 17, 2022, 6:12pm

Thank you @xgp,

setRollbackOnly() or rollback() are the only ways I found to not persist the user in case something goes wrong inside the event listener and to handle this situation gracefully.

What is the more "standard why of doing this?

I tried throwing a simple RuntimeException but Keycloak (16.1) just spits out the error below - possibly because the thrown exception is supposed to be processed by the listener which threw it?

19:58:11,717 ERROR [org.keycloak.events.EventBuilder] (default task-1) Failed to send type to io.xxx.xxx.MyEventListenerProvider@4806f2d2: java.lang.RuntimeException
	at io.xxx.keycloak.event-listeners@0.0.1-SNAPSHOT//io.xxx.keycloak.MyEventListenerProvider.onEvent(MyEventListenerProvider.java:44)
	at org.keycloak.keycloak-server-spi-private@16.1.0//org.keycloak.events.EventBuilder.send(EventBuilder.java:229)
	at org.keycloak.keycloak-server-spi-private@16.1.0//org.keycloak.events.EventBuilder.success(EventBuilder.java:192)
	at org.keycloak.keycloak-services@16.1.0//org.keycloak.authentication.forms.RegistrationUserCreation.success(RegistrationUserCreation.java:140)
	at org.keycloak.keycloak-services@16.1.0//org.keycloak.authentication.FormAuthenticationFlow.processAction(FormAuthenticationFlow.java:252)
	at org.keycloak.keycloak-services@16.1.0//org.keycloak.authentication.DefaultAuthenticationFlow.processAction(DefaultAuthenticationFlow.java:144)
	at org.keycloak.keycloak-services@16.1.0//org.keycloak.authentication.AuthenticationProcessor.authenticationAction(AuthenticationProcessor.java:950)
	at org.keycloak.keycloak-services@16.1.0//org.keycloak.services.resources.LoginActionsService.processFlow(LoginActionsService.java:312)
	at org.keycloak.keycloak-services@16.1.0//org.keycloak.services.resources.LoginActionsService.processRegistration(LoginActionsService.java:656)
	at org.keycloak.keycloak-services@16.1.0//org.keycloak.services.resources.LoginActionsService.registerRequest(LoginActionsService.java:712)
	at org.keycloak.keycloak-services@16.1.0//org.keycloak.services.resources.LoginActionsService.processRegister(LoginActionsService.java:690)
	at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
	at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
	at java.base/jdk.internal.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
	at java.base/java.lang.reflect.Method.invoke(Method.java:566)
	at org.jboss.resteasy.resteasy-core@4.7.4.Final//org.jboss.resteasy.core.MethodInjectorImpl.invoke(MethodInjectorImpl.java:170)
	at org.jboss.resteasy.resteasy-core@4.7.4.Final//org.jboss.resteasy.core.MethodInjectorImpl.invoke(MethodInjectorImpl.java:130)
	at org.jboss.resteasy.resteasy-core@4.7.4.Final//org.jboss.resteasy.core.ResourceMethodInvoker.internalInvokeOnTarget(ResourceMethodInvoker.java:660)
	at org.jboss.resteasy.resteasy-core@4.7.4.Final//org.jboss.resteasy.core.ResourceMethodInvoker.invokeOnTargetAfterFilter(ResourceMethodInvoker.java:524)
	at org.jboss.resteasy.resteasy-core@4.7.4.Final//org.jboss.resteasy.core.ResourceMethodInvoker.lambda$invokeOnTarget$2(ResourceMethodInvoker.java:474)
	at org.jboss.resteasy.resteasy-core@4.7.4.Final//org.jboss.resteasy.core.interception.jaxrs.PreMatchContainerRequestContext.filter(PreMatchContainerRequestContext.java:364)
	at org.jboss.resteasy.resteasy-core@4.7.4.Final//org.jboss.resteasy.core.ResourceMethodInvoker.invokeOnTarget(ResourceMethodInvoker.java:476)
	at org.jboss.resteasy.resteasy-core@4.7.4.Final//org.jboss.resteasy.core.ResourceMethodInvoker.invoke(ResourceMethodInvoker.java:434)
	at org.jboss.resteasy.resteasy-core@4.7.4.Final//org.jboss.resteasy.core.ResourceLocatorInvoker.invokeOnTargetObject(ResourceLocatorInvoker.java:192)
	at org.jboss.resteasy.resteasy-core@4.7.4.Final//org.jboss.resteasy.core.ResourceLocatorInvoker.invoke(ResourceLocatorInvoker.java:141)
	at org.jboss.resteasy.resteasy-core@4.7.4.Final//org.jboss.resteasy.core.ResourceLocatorInvoker.invoke(ResourceLocatorInvoker.java:32)
	at org.jboss.resteasy.resteasy-core@4.7.4.Final//org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:492)
	at org.jboss.resteasy.resteasy-core@4.7.4.Final//org.jboss.resteasy.core.SynchronousDispatcher.lambda$invoke$4(SynchronousDispatcher.java:261)
	at org.jboss.resteasy.resteasy-core@4.7.4.Final//org.jboss.resteasy.core.SynchronousDispatcher.lambda$preprocess$0(SynchronousDispatcher.java:161)
	at org.jboss.resteasy.resteasy-core@4.7.4.Final//org.jboss.resteasy.core.interception.jaxrs.PreMatchContainerRequestContext.filter(PreMatchContainerRequestContext.java:364)
	at org.jboss.resteasy.resteasy-core@4.7.4.Final//org.jboss.resteasy.core.SynchronousDispatcher.preprocess(SynchronousDispatcher.java:164)
	at org.jboss.resteasy.resteasy-core@4.7.4.Final//org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:247)
	at org.jboss.resteasy.resteasy-core@4.7.4.Final//org.jboss.resteasy.plugins.server.servlet.ServletContainerDispatcher.service(ServletContainerDispatcher.java:249)
	at org.jboss.resteasy.resteasy-core@4.7.4.Final//org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:60)
	at org.jboss.resteasy.resteasy-core@4.7.4.Final//org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:55)
	at javax.servlet.api@2.0.0.Final//javax.servlet.http.HttpServlet.service(HttpServlet.java:590)
	at io.undertow.servlet@2.2.14.Final//io.undertow.servlet.handlers.ServletHandler.handleRequest(ServletHandler.java:74)
	at io.undertow.servlet@2.2.14.Final//io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:129)
	at org.keycloak.keycloak-wildfly-extensions@16.1.0//org.keycloak.provider.wildfly.WildFlyRequestFilter.lambda$doFilter$0(WildFlyRequestFilter.java:41)
	at org.keycloak.keycloak-services@16.1.0//org.keycloak.services.filters.AbstractRequestFilter.filter(AbstractRequestFilter.java:43)
	at org.keycloak.keycloak-wildfly-extensions@16.1.0//org.keycloak.provider.wildfly.WildFlyRequestFilter.doFilter(WildFlyRequestFilter.java:39)
	at io.undertow.servlet@2.2.14.Final//io.undertow.servlet.core.ManagedFilter.doFilter(ManagedFilter.java:61)
	at io.undertow.servlet@2.2.14.Final//io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:131)
	at io.undertow.servlet@2.2.14.Final//io.undertow.servlet.handlers.FilterHandler.handleRequest(FilterHandler.java:84)
	at io.undertow.servlet@2.2.14.Final//io.undertow.servlet.handlers.security.ServletSecurityRoleHandler.handleRequest(ServletSecurityRoleHandler.java:62)
	at io.undertow.servlet@2.2.14.Final//io.undertow.servlet.handlers.ServletChain$1.handleRequest(ServletChain.java:68)
	at io.undertow.servlet@2.2.14.Final//io.undertow.servlet.handlers.ServletDispatchingHandler.handleRequest(ServletDispatchingHandler.java:36)
	at org.wildfly.security.elytron-web.undertow-server@1.10.1.Final//org.wildfly.elytron.web.undertow.server.ElytronRunAsHandler.lambda$handleRequest$1(ElytronRunAsHandler.java:68)
	at org.wildfly.security.elytron-base@1.18.1.Final//org.wildfly.security.auth.server.FlexibleIdentityAssociation.runAsFunctionEx(FlexibleIdentityAssociation.java:103)
	at org.wildfly.security.elytron-base@1.18.1.Final//org.wildfly.security.auth.server.Scoped.runAsFunctionEx(Scoped.java:161)
	at org.wildfly.security.elytron-base@1.18.1.Final//org.wildfly.security.auth.server.Scoped.runAs(Scoped.java:73)
	at org.wildfly.security.elytron-web.undertow-server@1.10.1.Final//org.wildfly.elytron.web.undertow.server.ElytronRunAsHandler.handleRequest(ElytronRunAsHandler.java:67)
	at io.undertow.servlet@2.2.14.Final//io.undertow.servlet.handlers.RedirectDirHandler.handleRequest(RedirectDirHandler.java:68)
	at io.undertow.servlet@2.2.14.Final//io.undertow.servlet.handlers.security.SSLInformationAssociationHandler.handleRequest(SSLInformationAssociationHandler.java:117)
	at io.undertow.servlet@2.2.14.Final//io.undertow.servlet.handlers.security.ServletAuthenticationCallHandler.handleRequest(ServletAuthenticationCallHandler.java:57)
	at io.undertow.core@2.2.14.Final//io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
	at io.undertow.core@2.2.14.Final//io.undertow.security.handlers.AbstractConfidentialityHandler.handleRequest(AbstractConfidentialityHandler.java:46)
	at io.undertow.servlet@2.2.14.Final//io.undertow.servlet.handlers.security.ServletConfidentialityConstraintHandler.handleRequest(ServletConfidentialityConstraintHandler.java:64)
	at io.undertow.core@2.2.14.Final//io.undertow.security.handlers.AbstractSecurityContextAssociationHandler.handleRequest(AbstractSecurityContextAssociationHandler.java:43)
	at org.wildfly.security.elytron-web.undertow-server-servlet@1.10.1.Final//org.wildfly.elytron.web.undertow.server.servlet.CleanUpHandler.handleRequest(CleanUpHandler.java:38)
	at io.undertow.core@2.2.14.Final//io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
	at org.wildfly.extension.undertow@26.0.0.Final//org.wildfly.extension.undertow.security.jacc.JACCContextIdHandler.handleRequest(JACCContextIdHandler.java:61)
	at io.undertow.core@2.2.14.Final//io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
	at org.wildfly.extension.undertow@26.0.0.Final//org.wildfly.extension.undertow.deployment.GlobalRequestControllerHandler.handleRequest(GlobalRequestControllerHandler.java:68)
	at io.undertow.servlet@2.2.14.Final//io.undertow.servlet.handlers.SendErrorPageHandler.handleRequest(SendErrorPageHandler.java:52)
	at io.undertow.core@2.2.14.Final//io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
	at io.undertow.servlet@2.2.14.Final//io.undertow.servlet.handlers.ServletInitialHandler.handleFirstRequest(ServletInitialHandler.java:275)
	at io.undertow.servlet@2.2.14.Final//io.undertow.servlet.handlers.ServletInitialHandler.access$100(ServletInitialHandler.java:79)
	at io.undertow.servlet@2.2.14.Final//io.undertow.servlet.handlers.ServletInitialHandler$2.call(ServletInitialHandler.java:134)
	at io.undertow.servlet@2.2.14.Final//io.undertow.servlet.handlers.ServletInitialHandler$2.call(ServletInitialHandler.java:131)
	at io.undertow.servlet@2.2.14.Final//io.undertow.servlet.core.ServletRequestContextThreadSetupAction$1.call(ServletRequestContextThreadSetupAction.java:48)
	at io.undertow.servlet@2.2.14.Final//io.undertow.servlet.core.ContextClassLoaderSetupAction$1.call(ContextClassLoaderSetupAction.java:43)
	at org.wildfly.extension.undertow@26.0.0.Final//org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction.lambda$create$0(UndertowDeploymentInfoService.java:1544)
	at org.wildfly.extension.undertow@26.0.0.Final//org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction.lambda$create$0(UndertowDeploymentInfoService.java:1544)
	at org.wildfly.extension.undertow@26.0.0.Final//org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction.lambda$create$0(UndertowDeploymentInfoService.java:1544)
	at org.wildfly.extension.undertow@26.0.0.Final//org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction.lambda$create$0(UndertowDeploymentInfoService.java:1544)
	at io.undertow.servlet@2.2.14.Final//io.undertow.servlet.handlers.ServletInitialHandler.dispatchRequest(ServletInitialHandler.java:255)
	at io.undertow.servlet@2.2.14.Final//io.undertow.servlet.handlers.ServletInitialHandler.access$000(ServletInitialHandler.java:79)
	at io.undertow.servlet@2.2.14.Final//io.undertow.servlet.handlers.ServletInitialHandler$1.handleRequest(ServletInitialHandler.java:100)
	at io.undertow.core@2.2.14.Final//io.undertow.server.Connectors.executeRootHandler(Connectors.java:387)
	at io.undertow.core@2.2.14.Final//io.undertow.server.HttpServerExchange$1.run(HttpServerExchange.java:852)
	at org.jboss.threads@2.4.0.Final//org.jboss.threads.ContextClassLoaderSavingRunnable.run(ContextClassLoaderSavingRunnable.java:35)
	at org.jboss.threads@2.4.0.Final//org.jboss.threads.EnhancedQueueExecutor.safeRun(EnhancedQueueExecutor.java:1990)
	at org.jboss.threads@2.4.0.Final//org.jboss.threads.EnhancedQueueExecutor$ThreadBody.doRunTask(EnhancedQueueExecutor.java:1486)
	at org.jboss.threads@2.4.0.Final//org.jboss.threads.EnhancedQueueExecutor$ThreadBody.run(EnhancedQueueExecutor.java:1377)
	at org.jboss.xnio@3.8.5.Final//org.xnio.XnioWorker$WorkerThreadFactory$1$1.run(XnioWorker.java:1280)
	at java.base/java.lang.Thread.run(Thread.java:829)

xgp · October 17, 2022, 7:08pm

You’re right. The exception just gets swallowed:

github.com

keycloak/keycloak/blob/main/server-spi-private/src/main/java/org/keycloak/events/EventBuilder.java#L226


      
                      Set<String> eventTypes = realm.getEnabledEventTypesStream().collect(Collectors.toSet());
                      if (!eventTypes.isEmpty() ? eventTypes.contains(event.getType().name()) : event.getType().isSaveByDefault()) {
                          store.onEvent(event);
                      }
                  }
          
          
        if (listeners != null) {
                      for (EventListenerProvider l : listeners) {
                          try {
                              l.onEvent(event);
                          } catch (Throwable t) {
                              log.error("Failed to send type to " + l, t);
                          }
                      }
                  }
              }
          
          
}

I had an incorrect assumption about how to force a transaction failure.

I’d recommend following that bug and asking on the mailing list or github discussions. The Keycloak maintainers don’t spend much time on this forum.

the-dude · October 17, 2022, 11:21pm

Ok thanks @xgp this matches what I saw when testing my code.

When I listen to admin user creation events through POST auth/admin/realms/$realm/users I can rollback user creation but the API response is 201 created with (the now deleted) user in the location header. Is there any way to propagate the fact that the user is no longer present to the API response?

  @Override
  public void onEvent(AdminEvent event, boolean includeRepresentation) {
    if (event.getResourceType().equals(ResourceType.USER) && event.getOperationType().equals(OperationType.CREATE)) {
      String userId = userIdFromResourcePath(event.getResourcePath());
      UserModel user = keycloakSession.users().getUserById(keycloakSession.getContext().getRealm(), userId);
      try {
        myRestClient.execute(user.getId(), user.getEmail());
      } catch (ClientException e) {
        logger.errorf("Something went wrong for user with ID %s", user.getId(), e);
        keycloakSession.getTransactionManager().rollback();
        return;
      }
    }
  }

nvkirankumar · March 20, 2023, 11:42am

Hi, I tried to make an HTTP request in keycloak event listener but it’s continuously failing with other dependency issues.

Can you pls share the myRestClient.execute code peice.

Thanks
Kiran

Topic		Replies	Views
Created user not immediately available on event Extending the server	10	6603	July 20, 2022
Callback (hook) on User creation Configuring the server	17	10845	May 20, 2022
EventListenerProvider : how to force the rollback? Extending the server	0	731	December 16, 2021
User creation through Keycloak REST API doesn't produce REGISTER event for SPI Getting advice authentication	2	1794	November 29, 2021
User Invitation after Create Getting advice	3	1725	March 21, 2023

Calling external REST API during user creation

Related topics