[keycloak-dev] Strange behaviour with invalid state param

Stian Thorgersen stian at redhat.com
Mon Jan 12 04:54:18 EST 2015


This is actually expected behaviour. What happens is:

1. Copy/paste the login URL with the invalid state
2. Login to the SSO realm
3. Redirect back to the app, which throws an error due to the invalid state
4. Now you're not logged in to the application, but you're logged in to the SSO realm
5. Remove the code param from the link which causes another redirect to login
6. As you're already logged in to the SSO realm you're immediately redirected back to the app with a new code and state param


----- Original Message -----
> From: "Michael Gerber" <gerbermichi at me.com>
> To: "Bill Burke" <bburke at redhat.com>
> Cc: keycloak-dev at lists.jboss.org
> Sent: Friday, 9 January, 2015 3:14:41 PM
> Subject: [keycloak-dev]  Re:  Strange behaviour with invalid state param
> 
> Someone in our company bookmarked the login URL
> https://localhost:9443/auth/realms/uka/protocol/openid-connect/login?client_id=uka-solutions&redirect_uri=https%3A%2F%2Flocalhost%3A9443%2Findex.html&state=1%2Ff761c116-eef1-4744-b40d-792cd14c1386&login=true
> And he reported this behaviour.
> 
> I don't understand why the login is permitted with an invalid state. I know
> the login was successful but the application did not request this login
> (state is wrong), so it should not allow it.
> 
> @stian
> this behaviour is easily reproducible.
> Open the customer-portal example app in a browser, copy the login url.
> Close the browser and open it again and use the old url. (or clear your
> cookies ;-)
> Remove all parameters from the url after you received the bad request error
> and you should get in.
> 
> 
> On 09 January 2015 at 14:41, Bill Burke <bburke at redhat.com> wrote:
> 
> What I think is happening is that you have an invalid state cookie (as
> per the oauth spec), you reload the app URL again and authentication is
> successful. While I don't know why you are getting "No state cookie"
> the rest makes sense as you're just going through a successful login.
> 
> On 1/9/2015 7:45 AM, Michael Gerber wrote:
> 
> Hi,
> 
> I have a strange behaviour with an invalid state param.
> 
> The server writes the following log, which is correct:
> 
> WARN [org.keycloak.adapters.OAuthRequestAuthenticator] (default
> task-17) No state cookie
> 
> After that I receive a 400 error in my browser with the following URL:
> 
> https://pcc811.hrms.ch:9443/index.html?code=Q-NK1wwTdqja5XU8lUkNkZnEy40ZdCx2FjC6qslukdc.9ef6b6f7-b888-4a59-b34c-7af6d490614b&state=dc-4d82-b0c9-d434b917dfce
> 
> I can load this URL again and then I am successfully logged in.
> 
> Is this the correct behaviour?
> 
> Best
> Michael
> 
> 
> _______________________________________________
> keycloak-dev mailing list
> keycloak-dev at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-dev
> 
> 
> --
> Bill Burke
> JBoss, a division of Red Hat
> http://bill.burkecentral.com
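The six-step sequence in the reply above comes down to one check on the application side: the state parameter returned with the authorization code must match the state the application itself bound to a browser cookie when it started the login. The script below is an added illustration of that check, not code from Keycloak or from the customer-portal example; the realm, the application, the cookie name and the constructed authorize URL are all hypothetical stand-ins kept in memory so the flow can be replayed offline. It shows why a bookmarked login URL ends in "No state cookie" with a 400 (a realm session exists, but no application session), why a state value that does not match the cookie is rejected the same way, and why reloading the application URL without the query string then succeeds silently: the application issues a fresh state and the realm, already holding a session, redirects straight back.

```python
"""Model of the OAuth 2.0 / OIDC state check an application performs on its
login callback. Hypothetical code, added as an illustration; it is not the
Keycloak adapter. Realm, application and browser are in-memory stand-ins."""
import secrets
from urllib.parse import parse_qs, urlencode, urlsplit


def _query(url):
    """Flatten the query string of a URL into a plain dict (first value wins)."""
    return {k: v[0] for k, v in parse_qs(urlsplit(url).query).items()}


class SsoRealm:
    """Stand-in for the SSO realm: a browser's realm session is either logged
    in or not, and each authorize request issues a one-time code."""

    def __init__(self):
        self.logged_in_sessions = set()
        self.codes = {}

    def authorize(self, sso_session, redirect_uri, state, login=False):
        if sso_session not in self.logged_in_sessions:
            if not login:
                return None  # the user would be shown the login page here
            self.logged_in_sessions.add(sso_session)  # credentials accepted
        code = secrets.token_urlsafe(16)
        self.codes[code] = sso_session
        # The realm echoes back whatever state the request carried; it cannot
        # know whether that value came from the app or from an old bookmark.
        return f"{redirect_uri}?{urlencode({'code': code, 'state': state})}"


class RelyingParty:
    """Application side: bind a fresh state to a cookie before redirecting to
    the realm, and verify it when the callback comes back."""

    STATE_COOKIE = "STATE_COOKIE"  # hypothetical cookie name

    def __init__(self, sso, redirect_uri):
        self.sso = sso
        self.redirect_uri = redirect_uri

    def begin_login(self, cookies):
        state = secrets.token_urlsafe(16)
        cookies[self.STATE_COOKIE] = state
        # Constructed authorize endpoint; only the query string matters here.
        return "https://sso.example/auth?" + urlencode(
            {"redirect_uri": self.redirect_uri, "state": state})

    def handle(self, url, cookies):
        """Return (http_status, message) for a browser request to the app."""
        params = _query(url)
        if "code" not in params:
            return 302, self.begin_login(cookies)  # no session yet: start login
        expected = cookies.pop(self.STATE_COOKIE, None)  # single use
        if expected is None:
            return 400, "No state cookie"
        if not secrets.compare_digest(expected, params.get("state", "")):
            return 400, "Invalid state"
        if params["code"] not in self.sso.codes:
            return 400, "Invalid code"
        return 200, "logged in to application"


def replay_bookmarked_login():
    """Steps 1-6 from the reply: returns the outcome of the first callback and
    of the second, silent login after the query string is removed."""
    sso = SsoRealm()
    app = RelyingParty(sso, "https://localhost:9443/index.html")
    browser_cookies = {}  # fresh browser: no state cookie exists
    sso_session = "browser-sso-session"
    stale_state = "1/f761c116-eef1-4744-b40d-792cd14c1386"  # from the bookmark

    # Steps 1-2: bookmarked login URL, user authenticates at the realm.
    callback = sso.authorize(sso_session, app.redirect_uri, stale_state, login=True)
    # Steps 3-4: the app rejects the callback, but the realm session now exists.
    first = app.handle(callback, browser_cookies)
    # Step 5: user strips the parameters and reloads the application URL.
    _status, location = app.handle(app.redirect_uri, browser_cookies)
    # Step 6: realm already has a session, so no credentials are requested.
    p = _query(location)
    second = app.handle(sso.authorize(sso_session, p["redirect_uri"], p["state"]),
                        browser_cookies)
    return first, second


def mismatched_state():
    """A state cookie exists but the returned state differs: also rejected."""
    sso = SsoRealm()
    app = RelyingParty(sso, "https://localhost:9443/index.html")
    cookies = {}
    app.begin_login(cookies)
    callback = sso.authorize("s1", app.redirect_uri, "not-the-cookie-value", login=True)
    return app.handle(callback, cookies)


if __name__ == "__main__":
    print(replay_bookmarked_login())  # ((400, 'No state cookie'), (200, 'logged in to application'))
    print(mismatched_state())         # (400, 'Invalid state')
```

The point for anyone reading the "No state cookie" warning in their own logs: the application never accepted the bookmarked login; it only accepted the second, freshly initiated one, whose state it had issued itself moments earlier. The realm session created in step 2 is what makes that second login look instantaneous.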

