[keycloak-user] Reset credentials flow loses context if browser cookie not present

Jerry Saravia jerry.saravia at virginpulse.com
Thu Mar 1 14:59:15 EST 2018


NOTE: This is a potential double posting since I posted on Feb 28th and thought this might be lost since we’re in March now. Apologies in advance.

Hey all,

I ran into an issue.

Suppose I go to my Keycloak instance with this URL `auth/realms/myrealm/login-actions/reset-credentials?client_id=my_client_id`.

The reset email gets sent after entering my email. However, if I copy that link and open it in a separate browser session it fails to maintain the client_id used in the original request. Instead it switches to client_id = account.

I know why this happens. In LoginActionsService there is this:

@Path(RESET_CREDENTIALS_PATH)
@GET
public Response resetCredentialsGET(@QueryParam("code") String code,
                                    @QueryParam("execution") String execution,
                                    @QueryParam("client_id") String clientId) {
    AuthenticationSessionModel authSession = new AuthenticationSessionManager(session).getCurrentAuthenticationSession(realm);

    // we allow applications to link to reset credentials without going through OAuth or SAML handshakes
    if (authSession == null && code == null) {
        if (!realm.isResetPasswordAllowed()) {
            event.event(EventType.RESET_PASSWORD);
            event.error(Errors.NOT_ALLOWED);
            return ErrorPage.error(session, authSession, Messages.RESET_CREDENTIAL_NOT_ALLOWED);
        }
        authSession = createAuthenticationSessionForClient();
        return processResetCredentials(false, null, authSession, null);
    }

    event.event(EventType.RESET_PASSWORD);
    return resetCredentials(code, execution, clientId);
}


The getCurrentAuthenticationSession method checks a cookie to get the session, which isn't present in a fresh browser session. Afterward, `createAuthenticationSessionForClient` doesn't use the clientId query parameter and defaults to the account client.

Is this a bug? A security issue?

I couldn’t find a bug for it in Jira. Should I create a bug and fix it? It’s not easy to overwrite this but if you have any workarounds let me know. My current approach is going to be to attempt to create a realm resource that exhibits the right behavior.

Jerry S
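As an added sketch (not code from the Keycloak project or from the poster), here is how the cookie-less branch above could honour `client_id` while still validating it against the realm. It assumes Keycloak's `RealmModel.getClientByClientId`, `ClientModel.isEnabled` and `Constants.ACCOUNT_MANAGEMENT_CLIENT_ID`, plus a hypothetical `createAuthenticationSessionForClient(ClientModel)` overload of the existing helper that builds the session for the given client instead of always using the account client.

```java
// Added sketch, not Keycloak's own code: honour ?client_id= when no auth-session
// cookie is present, but only for a client registered and enabled in this realm.
@Path(RESET_CREDENTIALS_PATH)
@GET
public Response resetCredentialsGET(@QueryParam("code") String code,
                                    @QueryParam("execution") String execution,
                                    @QueryParam("client_id") String clientId) {
    AuthenticationSessionModel authSession =
            new AuthenticationSessionManager(session).getCurrentAuthenticationSession(realm);

    // No cookie and no code: the link was opened in a fresh browser session.
    if (authSession == null && code == null) {
        if (!realm.isResetPasswordAllowed()) {
            event.event(EventType.RESET_PASSWORD);
            event.error(Errors.NOT_ALLOWED);
            return ErrorPage.error(session, authSession, Messages.RESET_CREDENTIAL_NOT_ALLOWED);
        }
        ClientModel client = resolveResetClient(clientId);
        // Hypothetical overload of the existing helper: same session setup as today,
        // but bound to the resolved client rather than hard-wired to "account".
        authSession = createAuthenticationSessionForClient(client);
        return processResetCredentials(false, null, authSession, null);
    }

    event.event(EventType.RESET_PASSWORD);
    return resetCredentials(code, execution, clientId);
}

// Resolve the requested client. The parameter is attacker-controllable (it sits in
// a URL anyone can craft), so it is only accepted if it names a client that exists
// and is enabled in this realm; otherwise the current default is kept.
private ClientModel resolveResetClient(String clientId) {
    ClientModel fallback = realm.getClientByClientId(Constants.ACCOUNT_MANAGEMENT_CLIENT_ID);
    if (clientId == null || clientId.isEmpty()) {
        return fallback;
    }
    ClientModel client = realm.getClientByClientId(clientId);
    if (client == null || !client.isEnabled()) {
        // Unknown or disabled client: keep the safe default (and worth auditing).
        return fallback;
    }
    return client;
}
```

Binding the session to a validated client also keeps the post-reset redirect tied to that client's registered URLs rather than to whatever the link carried.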