NullPointerException/HTTP 500 on creating a user with empty password


Stollin, Thomas

Dec 18, 2019, 4:44:26 AM12/18/19
to keyclo...@googlegroups.com
Hi everyone,
 
we are currently running Keycloak 6.0.1 with some automated tests for our config. Our realm has a password minimum length set to 10. So one of our tests tries to create a user with the empty password “”.
 
With Keycloak 6.0.1 we are getting HTTP 407 Conflict and a suitable exception message. This is the expected behavior of the test.
 
After updating to Keycloak 8.0.1 the behavior changed and we were getting HTTP 500 and the response {"error":"unknown_error"}.
The logs show the attached stacktrace caused by a NullPointerException.
Creating a user with another invalid, but not empty password (e.g. “soShort”) shows the expected behavior.
 
I was able to recreate this by using a plain local Keycloak 8.0.1 with the password minimum length of the master realm set to 8 and the call:
curl --dump-header -  -X POST \
-H "Authorization: Bearer <TOKEN>" \
-H "Content-Type: application/json; charset=utf-8" \
-d '{"id" : "test", "email" : "te...@gmail.com", "username": "test", "credentials": [{"temporary": false, "type": "password", "value":""}]}' \
 
(replace <TOKEN> with a valid admin-cli master realm token)
 
So my question is whether this change was intended or whether this is a bug?
 
cheers,
Thomas :)
 
 
 
stacktrace.txt
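As an added example (not code from this thread and not Keycloak's own implementation), here is the shape of the check the reporter's automated config test is looking for: a minimum-length password policy evaluation that treats a missing or empty value as an ordinary policy violation with a message rather than as an exception, plus a classifier that tells a regression test whether the admin API answered with an enforced-policy 4xx or a 500. The `errorMessage`/`error` body keys, the `regression_verdict` helper and the sample responses are assumptions constructed for the example; only the `{"error":"unknown_error"}` body and the `""`/`"soShort"` passwords come from the post.

```python
# Added example: a null-safe minimum-length password policy check and the
# response classification an automated realm-config test can use to tell
# "policy enforced" apart from "server crashed".  This is not Keycloak code;
# the response shapes below are constructed for the example.
from dataclasses import dataclass
from typing import Optional


@dataclass
class PolicyResult:
    ok: bool
    message: str = ""


def check_min_length(value: Optional[str], min_length: int) -> PolicyResult:
    """Evaluate a length(N) style policy without assuming the value is set.

    A missing (None) or empty value is the edge case in the thread: it must
    come back as a policy violation with a message, never as an exception.
    """
    length = len(value) if value is not None else 0
    if length < min_length:
        return PolicyResult(
            ok=False,
            message=f"Invalid password: minimum length {min_length}, got {length}",
        )
    return PolicyResult(ok=True)


def classify_create_user_response(status: int, body: dict) -> str:
    """Map a create-user response to what a config test cares about.

    'policy_enforced': 4xx with an explanatory message in the body
                       (assumed keys 'errorMessage' or 'error')
    'server_error'   : 5xx, e.g. the {"error": "unknown_error"} in the thread
    'accepted'       : 2xx, the user was created
    'unexpected'     : anything else (e.g. a 4xx without a message)
    """
    if 200 <= status < 300:
        return "accepted"
    if status >= 500:
        return "server_error"
    if 400 <= status < 500 and (body.get("errorMessage") or body.get("error")):
        return "policy_enforced"
    return "unexpected"


def regression_verdict(password: Optional[str], min_length: int,
                       status: int, body: dict) -> str:
    """Combine the local policy expectation with the observed API response.

    Returns 'pass' when the server did what the policy predicts, otherwise
    'fail: <reason>'.  A 5xx is always a failure, whatever the password was.
    """
    expected_ok = check_min_length(password, min_length).ok
    outcome = classify_create_user_response(status, body)
    if outcome == "server_error":
        return "fail: server error instead of a policy decision"
    if expected_ok and outcome == "accepted":
        return "pass"
    if not expected_ok and outcome == "policy_enforced":
        return "pass"
    wanted = "acceptance" if expected_ok else "policy rejection"
    return f"fail: expected {wanted}, got {outcome}"


if __name__ == "__main__":
    # Constructed sample responses for the passwords mentioned in the thread.
    samples = [
        ("", 10, 500, {"error": "unknown_error"}),   # the reported 8.0.1 behaviour
        ("", 10, 400, {"errorMessage": "Invalid password: minimum length 10"}),
        ("soShort", 10, 400, {"errorMessage": "Invalid password: minimum length 10"}),
        ("longEnough123", 10, 201, {}),
    ]
    for pw, n, st, body in samples:
        print(repr(pw), st, "->", regression_verdict(pw, n, st, body))
```

The point of `check_min_length` is that the empty string and `None` go through the same code path as `"soShort"`: the length is computed defensively, so the worst case is a rejection with a message. `regression_verdict` encodes the test expectation from the post, where a policy-violating password must produce a 4xx with an explanation and a 500 is a failure regardless of input.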

Jan Lieskovsky

Dec 18, 2019, 5:07:03 AM12/18/19
to Stollin, Thomas, keyclo...@googlegroups.com
Hello Thomas,

Looks like a bug to me from a brief look, AFAICT. Even in the scenario you describe above, the expected
output would be to raise some warning "Provided user password doesn't meet the required criteria" or
something like that. This would be more appropriate than returning HTTP 500 (Internal server error) and
crashing.

Please file a JIRA for that (if there doesn't exist a reported one with the same defect already).

Thank you && Regards, Jan
--
Jan iankko Lieskovsky / Keycloak / RH-SSO Team

 
 
 
 
