[keycloak-dev] Rest password can cause cookie not found

Bill Burke bburke at redhat.com
Mon Jan 26 14:49:14 EST 2015



On 1/26/2015 1:31 PM, Michael Gerber wrote:
>
>> Am 26.01.2015 um 18:36 schrieb Bill Burke <bburke at redhat.com
>> <mailto:bburke at redhat.com>>:
>>
>>
>>
>> On 1/26/2015 12:12 PM, Michael Gerber wrote:
>>>
>>>> Am 26.01.2015 um 16:54 schrieb Bill Burke <bburke at redhat.com
>>>> <mailto:bburke at redhat.com>>:
>>>>
>>>>
>>>>
>>>>> On 1/26/2015 8:45 AM, Stian Thorgersen wrote:
>>>>>
>>>>>
>>>>> ----- Original Message -----
>>>>>> From: "Bill Burke" <bburke at redhat.com <mailto:bburke at redhat.com>>
>>>>>> To: keycloak-dev at lists.jboss.org <mailto:keycloak-dev at lists.jboss.org>
>>>>>> Sent: Monday, January 26, 2015 2:27:30 PM
>>>>>> Subject: Re: [keycloak-dev] Rest password can cause cookie not found
>>>>>>
>>>>>> Wouldn't this work?
>>>>>>
>>>>>> 1) store "state" of state cookie in user session.
>>>>>> 2) embed user session and state of state cookie in URL
>>>>>>
>>>>>> Of course this screws up your "shorter URL" crusade.
>>>>>
>>>>> I'm not following - the problem isn't remembering the state
>>>>> variable in Keycloak, that's already sorted as we already store all
>>>>> the query params passed by the client in the client session (state,
>>>>> redirect_uri, etc). The problem is storing it on the adapter side.
>>>>
>>>> I think I get it...
>>>>
>>>>
>>>> 1. Send email
>>>> 2. Close browser
>>>> 3. Open browser
>>>> 4. Click email link
>>>> 5. Reset password
>>>> 6. Redirect back to app
>>>> 7. App barfs because of state cookie
>>>>
>>>>
>>>> Persistent state cookie sounds like cleanest and simplest solution. I
>>>> just worry we'll introduce different bugs, or if we're opening up some
>>>> kind of security hole.  Maybe I'm just paranoid.
>>> That doesn't work if the user uses two different browsers. This is
>>> the case in a lot of companies (at least in Switzerland :)) where the
>>> users are forced to use ie (default) but rather work with firefox.
>>
>> Unless we extend the protocol, or don’t redirect from the email, I
>> don’t see a fix.
>
> If the password reset process would redirect without the code and state
> param, than the adapter would redirect back to the keycloak, and
> keycloak can authenticate the user with its identity cookie…
> But I don’t know if that is ok with the protocol.
>

So maybe have a session cookie that is set by the auth server.  If that 
cookie is set when clicking the email url, redirect with code, if not, 
redirect without it.



-- 
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com


More information about the keycloak-dev mailing list