<html><body><div>
<p>On 26 January 2015 at 20:49, Bill Burke &lt;<a href="mailto:bburke@redhat.com">bburke@redhat.com</a>&gt; wrote:</p>
<blockquote type="cite">
<p>On 1/26/2015 1:31 PM, Michael Gerber wrote:</p>
<blockquote class="quoted-plain-text" type="cite">
<p>On 26.01.2015 at 18:36, Bill Burke &lt;<a href="mailto:bburke@redhat.com">bburke@redhat.com</a>&gt; wrote:</p>
<blockquote class="quoted-plain-text" type="cite">
<p>On 1/26/2015 12:12 PM, Michael Gerber wrote:</p>
<blockquote class="quoted-plain-text" type="cite">
<p>On 26.01.2015 at 16:54, Bill Burke &lt;<a href="mailto:bburke@redhat.com">bburke@redhat.com</a>&gt; wrote:</p>
<blockquote class="quoted-plain-text" type="cite">
<p>On 1/26/2015 8:45 AM, Stian Thorgersen wrote:</p>
<blockquote class="quoted-plain-text" type="cite">
<p>----- Original Message -----</p>
<blockquote class="quoted-plain-text" type="cite">
<p>From: "Bill Burke" &lt;<a href="mailto:bburke@redhat.com">bburke@redhat.com</a>&gt;<br>
To: <a href="mailto:keycloak-dev@lists.jboss.org">keycloak-dev@lists.jboss.org</a><br>
Sent: Monday, January 26, 2015 2:27:30 PM<br>
Subject: Re: [keycloak-dev] Reset password can cause cookie not found</p>
<p>Wouldn't this work?</p>
<p>1) store "state" of state cookie in user session.<br>
2) embed user session and state of state cookie in URL</p>
<p>Of course this screws up your "shorter URL" crusade.</p>
</blockquote>
<p>I'm not following - the problem isn't remembering the state variable in Keycloak, that's already sorted as we already store all the query params passed by the client in the client session (state, redirect_uri, etc). The problem is storing it on the adapter side.</p>
</blockquote>
<p>I think I get it...</p>
<p>1. Send email<br>
2. Close browser<br>
3. Open browser<br>
4. Click email link<br>
5. Reset password<br>
6. Redirect back to app<br>
7. App barfs because of state cookie</p>
<p>Persistent state cookie sounds like cleanest and simplest solution. I just worry we'll introduce different bugs, or if we're opening up some kind of security hole. Maybe I'm just paranoid.</p>
</blockquote>
<p>That doesn't work if the user uses two different browsers. This is the case in a lot of companies (at least in Switzerland :)) where the users are forced to use IE (default) but rather work with Firefox.</p>
</blockquote>
<p>Unless we extend the protocol, or don't redirect from the email, I don't see a fix.</p>
</blockquote>
<p>If the password reset process would redirect without the code and state param, then the adapter would redirect back to Keycloak, and Keycloak can authenticate the user with its identity cookie… But I don't know if that is ok with the protocol.</p>
</blockquote>
<p>So maybe have a session cookie that is set by the auth server. If that cookie is set when clicking the email url, redirect with code, if not, redirect without it.</p>
</blockquote>
<p>That sounds good, what do the others think about this fallback option? I can update the JIRA issue if anybody is happy with that solution.</p>
<blockquote type="cite">
<p>-- <br>
Bill Burke<br>
JBoss, a division of Red Hat<br>
<a href="http://bill.burkecentral.com">http://bill.burkecentral.com</a></p>
</blockquote>
</div></body></html>