[keycloak-user] redirect_uris in registration broken

Matthias Kesternich matthias.kesternich at moneymeets.com
Tue Sep 4 08:31:57 EDT 2018


Hello again,

I think I might have found the bug by looking at the source code and my tokens.

I'm looking at this file: https://github.com/keycloak/keycloak/blob/master/services/src/main/java/org/keycloak/authentication/actiontoken/verifyemail/VerifyEmailActionTokenHandler.java . Especially lines 102 and 107.

The token from the verification mail contains this:

  "asid": "f8deaf74-0ea9-4e0d-bc4d-70e9f4ed45ae.Jm9X3YfsiBg.bf56158d-3e48-4ece-bb17-48c5143204ee"

This contains the right client id 'bf56158d-3e48-4ece-bb17-48c5143204ee' (myclient).

When I open that link, the code in lines 78-93 is triggered creating yet another token with a compound session id. That token looks like this:

  "oasid": "f8deaf74-0ea9-4e0d-bc4d-70e9f4ed45ae.Jm9X3YfsiBg.bf56158d-3e48-4ece-bb17-48c5143204ee",
  "asid": "9449b12e-9364-43d9-a4ab-3f29e9fe1bdb.KbiccXfmQyE.453f147b-011f-4b40-a8c4-6bdac6eabc85",
  "compoundOriginalAuthenticationSessionId": "f8deaf74-0ea9-4e0d-bc4d-70e9f4ed45ae.Jm9X3YfsiBg.bf56158d-3e48-4ece-bb17-48c5143204ee",

You can see the client id in 'oasid' is 'bf56158d-3e48-4ece-bb17-48c5143204ee' (myclient), while in 'asid' the client id '453f147b-011f-4b40-a8c4-6bdac6eabc85' points to the "account" client!

Now when I click the link with this token, lines 102-110 are triggered. There it checks whether the original authentication session id is present (it is) and then proceeds to the form with the *current* authSession. The current auth session will be taken from "asid", which features the wrong client "account"!

A potential fix might be to use the original authentication session in line 107 instead of the current one.

Is there anything I can do about this bug? Right now this means all users opening the mail in a new browser window/on a different device will be stuck on their accounts page and don't get back to the client they registered from.

Best,
-Matthias
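To make the mismatch described above easy to spot in a decoded token, here is a small checker I added for this thread (not Keycloak code). It decodes the payload of a compact JWT without verifying it, splits the compound session ids and reports when 'oasid' and 'asid' name different clients. The names of the first two segments of the compound id (root session, tab) are my assumption; the post only identifies the last segment as the client id. The sample claims are constructed from the values quoted in the mail.

```python
import base64
import json

# Constructed claim sets modelled on the two tokens quoted in the post
# (payloads only; header and signature are not needed for this check).
VERIFY_MAIL_CLAIMS = {
    "asid": "f8deaf74-0ea9-4e0d-bc4d-70e9f4ed45ae.Jm9X3YfsiBg.bf56158d-3e48-4ece-bb17-48c5143204ee",
}
FOLLOWUP_CLAIMS = {
    "oasid": "f8deaf74-0ea9-4e0d-bc4d-70e9f4ed45ae.Jm9X3YfsiBg.bf56158d-3e48-4ece-bb17-48c5143204ee",
    "asid": "9449b12e-9364-43d9-a4ab-3f29e9fe1bdb.KbiccXfmQyE.453f147b-011f-4b40-a8c4-6bdac6eabc85",
}
ORIGINAL_CLIENT = "bf56158d-3e48-4ece-bb17-48c5143204ee"  # "myclient" in the post
ACCOUNT_CLIENT = "453f147b-011f-4b40-a8c4-6bdac6eabc85"   # "account" in the post


def _b64url_decode(segment):
    # JWT segments drop base64 padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def encode_claims(claims):
    """Base64url-encode a claim set the way a JWT payload is (fixture helper)."""
    raw = json.dumps(claims, separators=(",", ":")).encode()
    return base64.urlsafe_b64encode(raw).decode().rstrip("=")


def claims_from_jwt(token):
    """Return the payload claims of a compact JWT; the signature is NOT checked."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("expected header.payload.signature")
    return json.loads(_b64url_decode(parts[1]))


def split_compound_id(compound_id):
    """Split 'root-session.tab.client' (first two names assumed, see lead-in)."""
    root, tab, client = compound_id.split(".")
    return {"root_session": root, "tab": tab, "client": client}


def client_mismatch(claims):
    """(original_client, current_client) when 'oasid' and 'asid' disagree, else None."""
    if "oasid" not in claims or "asid" not in claims:
        return None
    orig = split_compound_id(claims["oasid"])["client"]
    curr = split_compound_id(claims["asid"])["client"]
    return (orig, curr) if orig != curr else None


def client_for_form(claims):
    """Client the form should continue with: the original session's client when
    recorded, otherwise the current one (the fix proposed in the post)."""
    source = claims.get("oasid") or claims["asid"]
    return split_compound_id(source)["client"]
```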


On 03.09.18, 18:30, "keycloak-user-bounces at lists.jboss.org on behalf of Matthias Kesternich" <keycloak-user-bounces at lists.jboss.org on behalf of matthias.kesternich at moneymeets.com> wrote:

    Hello,
    
    if I perform the following steps, then the redirect_uris that are sent upon registration are just ignored:
    
    1. Register user with redirect_uri=myapp
    2. Receive the verification mail
    3. Clear your browser cache or switch to another browser. This step is very important!
    4. Open the link from the verification mail, see a tab open with the right redirect_uri in the url bar
    5. Click the button.
    6. Another registration verification tab opens which features redirect_uri=account
    7. Click the button
    8. Get redirected to the login form with redirect_uri = account
    9. Login
    10. Get redirected to the account page instead of myapp.
    
    Is this expected behavior? I also noticed that if you clear your browser cache then Keycloak will show an additional screen for verification of the e-mail address plus the login screen. If I don't clear the browser cache I only get one verification screen and I am then redirected to my application.
    
    Should I file a bug report?
    
    Best,
    -Matthias
    
    
    _______________________________________________
    keycloak-user mailing list
    keycloak-user at lists.jboss.org
    https://lists.jboss.org/mailman/listinfo/keycloak-user
    