[keycloak-dev] POST to /realms/{realm}/account/password results in server 500
Daniel Baxter
daniel.baxter at cira.ca
Wed Mar 4 11:47:07 EST 2015
Hi,
I am trying to implement a remote user password change for the logged in user. This is a requirement for the protocol we are required to support which accepts xml formatted commands over a network port, one of which is a password change request. The user is logged in via a Direct Grant from the Remoting application and we have a full KeycloakPrincipal attached to each remote session. When I POST to the form at /realms/{realm}/account/password using a Bearer Auth the password does reset but I get a 500 status back from Keycloak. The issue is that it is trying to rebuild an html response from the 'password.ftl' template and it does not have a value for 'stateChecker'.
After reviewing the code on github I found that if you use Bearer Auth, AccountService.init() never initializes a value to stateChecker. So even though I passed one in as a cookie on the POST and inside the form itself it never gets read. The workaround is to use cookies only to handle the authentication mechanism; specifically KEYCLOAK_STATE_CHECKER and KEYCLOAK_IDENTITY and not include Bearer authentication at all. So there is a workaround and it requires the use of cookies only and not Bearer Auth. I know this is not really the intended use of the POST to this form (eg: using it like a REST endpoint), but if anyone else runs into this issue at least they can learn from what I found by searching the mailing list archives.
So this leaves me with a couple of questions
Why does using Bearer Auth not initialize some sort of value for stateChecker here (ie: Is this a bug)? When you use cookies it appears to even generate a value for stateChecker if none is found in the cookie.
What is the purpose of embedding it as a hidden input on the password change form? It appears to never get read when the form is processed anyways.
Thanks,
Daniel
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.jboss.org/pipermail/keycloak-dev/attachments/20150304/acc511fa/attachment.html
More information about the keycloak-dev
mailing list