<html><body><div><div>Someone in our company bookmarked the login URL</div><div>https://localhost:9443/auth/realms/uka/protocol/openid-connect/login?client_id=uka-solutions&amp;redirect_uri=https%3A%2F%2Flocalhost%3A9443%2Findex.html&amp;state=1%2Ff761c116-eef1-4744-b40d-792cd14c1386&amp;login=true</div><div>And he reported this behaviour.</div><div><br></div><div>I don't understand why the login is permitted with an invalid state. I know the login was successful, but the application did not request this login (the state is wrong), so it should not allow it.</div><div><br></div><div>@stian</div><div>This behaviour is easily reproducible.</div><div>Open the customer-portal example app in a browser and copy the login URL.</div><div>Close the browser, open it again and use the old URL (or clear your cookies ;-).</div><div>Remove all parameters from the URL after you have received the bad request error and you should get in.</div><div><br></div></div><div><br>On 09 January 2015 at 14:41, Bill Burke &lt;bburke@redhat.com&gt; wrote:<br><br></div><div><blockquote type="cite"><div class="msg-quote"><div class="_stretch"><span class="body-text-content"><span class="body-text-content">What I think is happening is that you have an invalid state cookie (as <br>per the OAuth spec), you reload the app URL again and authentication is <br>successful. 
While I don't know why you are getting "No state cookie", <br>the rest makes sense as you're just going through a successful login.<br><br>On 1/9/2015 7:45 AM, Michael Gerber wrote:<br></span></span><blockquote class="quoted-plain-text" type="cite">Hi,</blockquote><blockquote class="quoted-plain-text" type="cite"></blockquote><blockquote class="quoted-plain-text" type="cite">I have a strange behaviour with an invalid state param.</blockquote><blockquote class="quoted-plain-text" type="cite"></blockquote><blockquote class="quoted-plain-text" type="cite">The server writes the following log, which is correct:</blockquote><blockquote class="quoted-plain-text" type="cite">WARN [org.keycloak.adapters.OAuthRequestAuthenticator] (default</blockquote><blockquote class="quoted-plain-text" type="cite">task-17) No state cookie</blockquote><blockquote class="quoted-plain-text" type="cite"></blockquote><blockquote class="quoted-plain-text" type="cite">After that I receive a 400 error in my browser with the following URL:</blockquote><blockquote class="quoted-plain-text" type="cite"><a href="https://pcc811.hrms.ch:9443/index.html?code=Q-NK1wwTdqja5XU8lUkNkZnEy40ZdCx2FjC6qslukdc.9ef6b6f7-b888-4a59-b34c-7af6d490614b&amp;state=dc-4d82-b0c9-d434b917dfce" data-mce-href="https://pcc811.hrms.ch:9443/index.html?code=Q-NK1wwTdqja5XU8lUkNkZnEy40ZdCx2FjC6qslukdc.9ef6b6f7-b888-4a59-b34c-7af6d490614b&amp;state=dc-4d82-b0c9-d434b917dfce">https://pcc811.hrms.ch:9443/index.html?code=Q-NK1wwTdqja5XU8lUkNkZnEy40ZdCx2FjC6qslukdc.9ef6b6f7-b888-4a59-b34c-7af6d490614b&amp;state=dc-4d82-b0c9-d434b917dfce</a></blockquote><blockquote class="quoted-plain-text" type="cite"></blockquote><blockquote class="quoted-plain-text" type="cite">I can load this URL again and then I am successfully logged in.</blockquote><blockquote class="quoted-plain-text" type="cite"></blockquote><blockquote class="quoted-plain-text" type="cite">Is this the correct behaviour?</blockquote><blockquote class="quoted-plain-text"
type="cite"></blockquote><blockquote class="quoted-plain-text" type="cite">Best</blockquote><blockquote class="quoted-plain-text" type="cite">Michael</blockquote><blockquote class="quoted-plain-text" type="cite"></blockquote><blockquote class="quoted-plain-text" type="cite"></blockquote><blockquote class="quoted-plain-text" type="cite">_______________________________________________</blockquote><blockquote class="quoted-plain-text" type="cite">keycloak-dev mailing list</blockquote><blockquote class="quoted-plain-text" type="cite"><a href="mailto:keycloak-dev@lists.jboss.org" data-mce-href="mailto:keycloak-dev@lists.jboss.org">keycloak-dev@lists.jboss.org</a></blockquote><blockquote class="quoted-plain-text" type="cite"><a href="https://lists.jboss.org/mailman/listinfo/keycloak-dev" data-mce-href="https://lists.jboss.org/mailman/listinfo/keycloak-dev">https://lists.jboss.org/mailman/listinfo/keycloak-dev</a></blockquote><blockquote class="quoted-plain-text" type="cite"></blockquote><span class="body-text-content"><br>-- <br>Bill Burke<br>JBoss, a division of Red Hat<br><a href="http://bill.burkecentral.com" data-mce-href="http://bill.burkecentral.com">http://bill.burkecentral.com</a><br></span></div></div></blockquote></div></body></html>