Keycloak Doesn't work with certain passwords (postgres) #14060
Comments
I am also having this issue. It's crazy annoying
@gerethd @Ayobama Thanks for the report! Can you please try it with the latest 19.0.1 release? In any case, please consider using another config method (like an env variable or config file), as providing the password through the CLI in plain text is considered insecure.
FTR: this is not a general bug in newer versions.
So @Ayobama @gerethd I strongly suggest you update Keycloak to use the
For starters, no, this was not hardcoded/passed in via the CLI; this was a Kubernetes secret/Docker secret mounted as a file within the container and passed in at runtime, and it was simplified to the above to make it easier for your team to address/see what was occurring. I have updated multiple times since then, as there have been multiple releases since then. When this was initially posted, this was the latest version available or close to it. As a user of this product I find it quite worrisome there wasn't so much as an acknowledgement from the team for more than 6 months of this issue. I would hope this is more a 'slipped through the cracks' kind of scenario and not the norm
omfg, I've wasted a few hours trying to figure out why the connection to Cloud SQL is not working. This was the main reason... I'm using the latest version, 23.0.6.
Hello @shawkins, I had the same problem with the special characters { }. It took me a long time to solve this trivial problem. Thanks to this problem at stackoverflow. It is quite strange that the log says that the problem is caused by Hibernate and not by the password check. Maybe it would be better to add password validation logging before Hibernate? P.S. I would love to make my first contribution to an open source project, but due to time limitations I can't.
@nehalandrew please start new issue(s) for this. There are a couple of things being brought up here:
Also adding a link here to the latest quarkus issue to be captured on $$: quarkusio/quarkus#41883 - there is a further upstream fix proposed: smallrye/smallrye-common#344
The env variable is used to fill in the configuration file with the password. If you look at the config file you'll be able to see how the password was interpreted. In the example below:

```
~$ kubectl -n keycloak get secret keycloak-env-secret -o custom-columns=:.data.KEYCLOAK_DATABASE_PASSWORD | base64 -d
ABc!DEF123456&%ghij
~$ kubectl -n keycloak exec keycloak-0 -- grep db-password /opt/bitnami/keycloak/conf/keycloak.conf
# The password of the database user.
db-password = ABc!DEF123456#db-password=password%ghij
```

Removing the problematic characters ($ & * ? etc.) from the password is one of the possible solutions. Another possibility is to backslash them (this one I didn't test):

```
~$ echo -n 'ABc!DEF123456\&%ghij' | base64
QUJjIURFRjEyMzQ1NlwmJWdoaWo=
~$ echo QUJjIURFRjEyMzQ1NlwmJWdoaWo= | base64 -d
ABc!DEF123456\&%ghij
```
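The comparison done by hand in the comment above (secret value versus the `db-password` line in `keycloak.conf`) can be scripted so that neither value is printed. This is an added example, not part of the original thread or of Keycloak; the function names and temporary file are assumptions, and the sample values are the ones quoted in that comment.

```shell
#!/bin/sh
# Added example: check that the db-password rendered into keycloak.conf still
# equals the secret, without echoing either value to the terminal or logs.

# Print each character reported as problematic in this thread ($ & * ? { })
# that occurs in the given value, one per line.
risky_chars_in() {
    for rc_ch in '$' '&' '*' '?' '{' '}'; do
        case $1 in
            *"$rc_ch"*) printf '%s\n' "$rc_ch" ;;
        esac
    done
}

# Usage: check_db_password CONF_FILE EXPECTED_PASSWORD
# Exit status: 0 = rendered value matches, 1 = differs, 2 = key not found.
check_db_password() {
    # Commented-out lines ("# db-password = ...") are ignored.
    grep -Eq '^[[:space:]]*db-password[[:space:]]*=' "$1" || return 2
    # Keep the text after "db-password =" from the last matching line.
    cdp_rendered=$(sed -n 's/^[[:space:]]*db-password[[:space:]]*=[[:space:]]*//p' "$1" | tail -n 1)
    [ "$cdp_rendered" = "$2" ]
}

# Demo on constructed input that mirrors the output shown in the comment above.
demo() {
    demo_dir=$(mktemp -d)
    printf '%s\n' '# The password of the database user.' \
        'db-password = ABc!DEF123456#db-password=password%ghij' > "$demo_dir/keycloak.conf"
    demo_rc=0
    check_db_password "$demo_dir/keycloak.conf" 'ABc!DEF123456&%ghij' || demo_rc=$?
    rm -rf "$demo_dir"
    case $demo_rc in
        0) echo "db-password: rendered value matches the secret" ;;
        1) echo "db-password: rendered value DIFFERS from the secret" ;;
        2) echo "db-password: key not found in config file" ;;
    esac
    echo "reported characters present: $(risky_chars_in 'ABc!DEF123456&%ghij' | tr '\n' ' ')"
}

demo
```

In a real deployment the expected value would come from the mounted secret file rather than a literal on the command line.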
Describe the bug
using the password `y3xc8%VpZ8W*RRSF7X$$zA5d`, keycloak was unable to connect to my postgres (specifically postgres 14) database. After verifying the password was indeed correct via cmdline pgsql, I believe this may have to do with there being a `$` or two in the string. Changing the password on the database and in keycloak to one lacking the `$$` caused it to work first try.
Version
latest tag as of writing
Expected behavior
I expect keycloak to connect.
Actual behavior
How to Reproduce?
Docker image
Anything else?
This isn't a game breaking bug but it is rather annoying to troubleshoot. The Dockerfile given is as close as I can give without providing access to proprietary resources, in this case access to my keyvault and private CA Authority.