[keycloak-dev] Strange behaviour with invalid state param

Bill Burke bburke at redhat.com
Mon Jan 12 08:49:05 EST 2015


Is this the correct flow?

1. You visit the URL
2. You log in
3. Keycloak sets an auth-server cookie so you don't have to log in again
4. Keycloak redirects back to app
5. App checks state param vs. state cookie, fails
6. Human refreshes the bad request URL after removing some parameters
7. App redirects to Keycloak to start the OpenID Connect flow
8. Keycloak checks cookie, the user is already logged in and redirects 
back to app
9. You are logged in

Steps 6-9 are just normal OpenID Connect.

On 1/9/2015 9:14 AM, Michael Gerber wrote:
> Someone in our company bookmarked the login URL
> https://localhost:9443/auth/realms/uka/protocol/openid-connect/login?client_id=uka-solutions&redirect_uri=https%3A%2F%2Flocalhost%3A9443%2Findex.html&state=1%2Ff761c116-eef1-4744-b40d-792cd14c1386&login=true
> And he reported this behaviour.
>
> I don't understand why the login is permitted with an invalid state. I
> know the login was successful but the application did not request this
> login (state is wrong), so it should not allow it.
>
> @stian
> this behaviour is easily reproducible.
> Open the customer-portal example app in a browser, copy the login url.
> Close the browser and open it again and use the old url. (or clear your
> cookies ;-)
> Remove all parameters from the url after you received the bad request
> error and you should get in.
>
>
> On 9 January 2015 at 14:41, Bill Burke <bburke at redhat.com> wrote:
>
>> What I think is happening is that you have an invalid state cookie (as
>> per the oauth spec), you reload the app URL again and authentication is
>> successful. While I don't know why you are getting "No state cookie"
>> the rest makes sense as you're just going through a successful login.
>>
>> On 1/9/2015 7:45 AM, Michael Gerber wrote:
>>> Hi,
>>> I have a strange behaviour with an invalid state param.
>>> The server writes the following log, which is correct:
>>> WARN [org.keycloak.adapters.OAuthRequestAuthenticator] (default
>>> task-17) No state cookie
>>> After that I receive a 400 error in my browser with the following URL:
>>> https://pcc811.hrms.ch:9443/index.html?code=Q-NK1wwTdqja5XU8lUkNkZnEy40ZdCx2FjC6qslukdc.9ef6b6f7-b888-4a59-b34c-7af6d490614b&state=dc-4d82-b0c9-d434b917dfce
>>> I can load this URL again and then I am successfully logged in.
>>> Is this the correct behaviour?
>>> Best
>>> Michael
>>> _______________________________________________
>>> keycloak-dev mailing list
>>> keycloak-dev at lists.jboss.org <mailto:keycloak-dev at lists.jboss.org>
>>> https://lists.jboss.org/mailman/listinfo/keycloak-dev
>>
>> --
>> Bill Burke
>> JBoss, a division of Red Hat
>> http://bill.burkecentral.com

-- 
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com
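The nine-step flow above, reduced to the relying-party's state handling, as an added example. This is not Keycloak's adapter code: the cookie name, the toy authorization server and the URLs are assumptions made for the example. It walks the bookmarked-login scenario from the thread: the callback with a state that has no matching cookie is rejected with "No state cookie", and only a freshly started flow (new state, new cookie, auth server already holding an SSO session) is accepted.

```python
"""Relying-party side of the OpenID Connect authorization-code flow, reduced to
the state check. Added example, not Keycloak's adapter code."""
import hmac
import secrets
from urllib.parse import parse_qs, urlencode, urlparse

# Assumptions for the example: cookie name and endpoint are made up here.
STATE_COOKIE = "OAuth_Token_Request_State"
AUTH_URL = "https://localhost:9443/auth/realms/uka/protocol/openid-connect/login"
CLIENT_ID = "uka-solutions"
REDIRECT_URI = "https://localhost:9443/index.html"


def start_login(auth_url=AUTH_URL, client_id=CLIENT_ID, redirect_uri=REDIRECT_URI):
    """Step 7: mint a fresh, unguessable state and return (redirect URL, cookie).

    The cookie is the only place the app remembers the state it issued, so a
    browser that lacks it cannot complete a flow it did not start."""
    state = secrets.token_urlsafe(32)
    params = {"client_id": client_id, "redirect_uri": redirect_uri,
              "response_type": "code", "scope": "openid", "state": state}
    return f"{auth_url}?{urlencode(params)}", {STATE_COOKIE: state}


def handle_callback(callback_url, cookies):
    """Step 5: compare the state parameter with the state cookie.

    Returns ("ok", code) or ("bad_request", reason). A missing cookie and a
    mismatching cookie are both rejected; the code is never exchanged."""
    qs = parse_qs(urlparse(callback_url).query)
    code = qs.get("code", [None])[0]
    state = qs.get("state", [None])[0]
    if code is None or state is None:
        return ("bad_request", "missing code or state")
    expected = cookies.get(STATE_COOKIE)
    if expected is None:
        return ("bad_request", "No state cookie")
    # Constant-time comparison; encode so non-ASCII input cannot raise.
    if not hmac.compare_digest(expected.encode(), state.encode()):
        return ("bad_request", "state mismatch")
    return ("ok", code)


def idp_authorize(login_url):
    """Toy authorization server (steps 2-4, 8): the user is treated as logged
    in (SSO cookie present) and is sent back to redirect_uri with a code and
    the state echoed unchanged. The server never validates state; that is the
    relying party's job."""
    qs = parse_qs(urlparse(login_url).query)
    code = secrets.token_urlsafe(16)
    return f"{qs['redirect_uri'][0]}?{urlencode({'code': code, 'state': qs['state'][0]})}"


def replay_bookmarked_login():
    """Walk the scenario from the thread; returns (first result, second result)."""
    # Someone starts a login and bookmarks the login URL, state included.
    bookmarked_url, _old_cookie = start_login()

    # Later, in a fresh browser: no app cookie at all (closed browser / cleared cookies).
    browser_cookies = {}
    first = handle_callback(idp_authorize(bookmarked_url), browser_cookies)
    # -> ("bad_request", "No state cookie"): step 5 fails, 400 to the user.

    # Step 6-7: the user strips the query string and loads /index.html again, so
    # the app starts a brand-new flow and sets its own state cookie in this browser.
    fresh_url, fresh_cookie = start_login()
    browser_cookies.update(fresh_cookie)
    # Step 8-9: the auth server still has its SSO session and bounces straight back.
    second = handle_callback(idp_authorize(fresh_url), browser_cookies)
    # -> ("ok", <code>): state matches the cookie this browser actually holds.
    return first, second


if __name__ == "__main__":
    print(replay_bookmarked_login())
```

The second login succeeds for the reason Bill gives: it is a new flow the app itself started, so its state does match. What the stale bookmarked URL cannot do is complete a flow in a browser that never received the corresponding cookie.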

