<div dir="ltr">The reason it's failing after upgrading from 1.1 is the check of the redirect uri was added later. This is not a recent regression so we're not going to fix it for 1.8. We can look into it for 1.9 though if you create a JIRA.<div><br></div><div>My suspicion is that we may not be able to fix it. The problem could be that DeltaSpike is invoked prior to Keycloak adapter, which results in the following behavior:<br></div><div><br></div><div>1. DeltaSpike adds "dswid"</div><div>2. Keycloak adapter redirects to login page with redirect uri that includes dswid</div><div>3. Keycloak server authenticates users and redirects back to the application (including dswid)</div><div>4. DeltaSpike removes "dswid"</div><div>5. Keycloak adapter tries to obtain token using redirect_uri param without dswid, which is rejected</div><div><br></div><div>Step 5 is a step that we can't remove as it's required by the OpenID Connect specification. It's there to prevent potential attacks.</div></div><div class="gmail_extra"><br><div class="gmail_quote">On 20 January 2016 at 18:17, Christian Beikov <span dir="ltr"><<a href="mailto:christian.beikov@gmail.com" target="_blank">christian.beikov@gmail.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">Hello,<br>
<br>
we have a problem since Keycloak 1.8.0.CR1 that we didn't have in<br>
1.1.0.Final.<br>
The problem appears when accessing a secured JSF page that uses<br>
DeltaSpike. DeltaSpike redirects the initial request to append a query<br>
param to the path called "dswid". When accesing a secured page, the<br>
Keycloak adapter also does some redirects and adds the redirect uri,<br>
this time the one already including the dswid, into the client session,<br>
but redirects the browser to a URL that includes a redirect uri that<br>
does not contain the dswid. The authentication process fails here:<br>
<a href="https://github.com/keycloak/keycloak/blob/1.8.0.CR1/services/src/main/java/org/keycloak/protocol/oidc/endpoints/TokenEndpoint.java#L231" rel="noreferrer" target="_blank">https://github.com/keycloak/keycloak/blob/1.8.0.CR1/services/src/main/java/org/keycloak/protocol/oidc/endpoints/TokenEndpoint.java#L231</a><br>
<br>
Since it worked earlier, I guess this is a bug. The actual problem is<br>
the mismatch between the redirect uri stored in the session and the<br>
redirect uri returned to the browser. Hope you can fix this for 1.8.0.Final<br>
<br>
Regards,<br>
Christian<br>
_______________________________________________<br>
keycloak-dev mailing list<br>
<a href="mailto:keycloak-dev@lists.jboss.org">keycloak-dev@lists.jboss.org</a><br>
<a href="https://lists.jboss.org/mailman/listinfo/keycloak-dev" rel="noreferrer" target="_blank">https://lists.jboss.org/mailman/listinfo/keycloak-dev</a><br>
</blockquote></div><br></div>