[keycloak-dev] Reset password can cause cookie not found

Bill Burke bburke at redhat.com
Mon Jan 26 10:54:35 EST 2015



On 1/26/2015 8:45 AM, Stian Thorgersen wrote:
>
>
> ----- Original Message -----
>> From: "Bill Burke" <bburke at redhat.com>
>> To: keycloak-dev at lists.jboss.org
>> Sent: Monday, January 26, 2015 2:27:30 PM
>> Subject: Re: [keycloak-dev] Reset password can cause cookie not found
>>
>> Wouldn't this work?
>>
>> 1) store "state" of state cookie in user session.
>> 2) embed user session and state of state cookie in URL
>>
>> Of course this screws up your "shorter URL" crusade.
>
> I'm not following - the problem isn't remembering the state variable in Keycloak, that's already sorted as we already store all the query params passed by the client in the client session (state, redirect_uri, etc). The problem is storing it on the adapter side.
>

I think I get it...


1. Send email
2. Close browser
3. Open browser
4. Click email link
5. Reset password
6. Redirect back to app
7. App barfs because of state cookie


Persistent state cookie sounds like the cleanest and simplest solution. I 
just worry we'll introduce different bugs, or if we're opening up some 
kind of security hole.  Maybe I'm just paranoid.

Another possibility:

* Maybe set an auth server session cookie.  If that cookie isn't set, 
just redirect to an auth server page that says "Password was reset" and 
don't redirect back to the application.



-- 
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com
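Added example, not code from the thread or from the Keycloak project: a small Python model of the adapter-side OAuth "state" check the thread is about. It walks the seven-step sequence above (send email, close browser, reopen, click link, reset, redirect back) against two adapter variants, one keeping the state in a browser-session cookie and one in a persistent cookie with an expiry, and also models the alternative of having the auth server show a "Password was reset" page when its own session cookie is absent. The cookie names, the 600-second lifetime, the `Browser`/`Adapter` classes and the simulated clock are all constructed for the illustration and are not Keycloak's.

```python
# Added illustration (not Keycloak code) of why a browser-session state cookie
# fails after "close browser -> open browser -> click email link -> redirect".
import secrets


class Browser:
    """Minimal cookie jar with a simulated clock (constructed for this example)."""

    def __init__(self):
        self.now = 0
        self.cookies = {}  # name -> (value, expires_at); expires_at None = session cookie

    def set_cookie(self, name, value, max_age=None):
        expires = None if max_age is None else self.now + max_age
        self.cookies[name] = (value, expires)

    def get_cookie(self, name):
        entry = self.cookies.get(name)
        if entry is None:
            return None
        value, expires = entry
        if expires is not None and expires <= self.now:
            del self.cookies[name]  # persistent cookie that has expired
            return None
        return value

    def close_and_reopen(self, elapsed):
        """Closing the browser discards session cookies; persistent ones survive."""
        self.now += elapsed
        self.cookies = {n: e for n, e in self.cookies.items() if e[1] is not None}


class Adapter:
    """Application-side OAuth client: issues a state, checks it on the callback."""

    STATE_COOKIE = "OAUTH_STATE"  # illustrative name, an assumption

    def __init__(self, persistent_state, max_age=600):
        # Session cookie (None) versus persistent cookie with a bounded lifetime.
        self.max_age = max_age if persistent_state else None

    def begin_login(self, browser):
        state = secrets.token_urlsafe(16)
        browser.set_cookie(self.STATE_COOKIE, state, self.max_age)
        return state  # goes to the auth server as the ?state= query parameter

    def handle_callback(self, browser, state_param):
        expected = browser.get_cookie(self.STATE_COOKIE)
        if expected is None:
            return "error: state cookie not found"
        if not secrets.compare_digest(expected, state_param):
            return "error: state mismatch"
        browser.cookies.pop(self.STATE_COOKIE, None)  # state is single-use
        return "ok"


def reset_password_flow(persistent_state, browser_closed_for=60):
    """Walk the sequence from the thread and return the adapter's verdict."""
    browser, adapter = Browser(), Adapter(persistent_state)
    state = adapter.begin_login(browser)           # app redirects to auth server
    # 1) auth server keeps state in the client session and sends the email
    browser.close_and_reopen(browser_closed_for)   # 2) close browser, 3) reopen
    # 4) click email link, 5) reset password, 6) redirect back with ?state=
    return adapter.handle_callback(browser, state)  # 7) does the app barf?


def auth_server_after_reset(browser, auth_cookie="AUTH_SERVER_SESSION"):
    """The alternative from the mail: redirect back to the application only
    when the auth server's own session cookie is present; otherwise show a
    plain 'Password was reset' page. Cookie name is an assumption."""
    if browser.get_cookie(auth_cookie) is None:
        return "page: Password was reset"
    return "redirect: back to application"


if __name__ == "__main__":
    print("session cookie:   ", reset_password_flow(False))
    print("persistent cookie:", reset_password_flow(True))
    print("persistent, 1h:   ", reset_password_flow(True, browser_closed_for=3600))
```

The third call shows the trade-off the mail worries about: a persistent cookie makes the flow succeed, so it needs a bounded lifetime and single-use handling so a stale state cannot be replayed later, which the model enforces with `max_age` and the `pop` after a successful check.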

