[keycloak-user] State mismatch on oidc-client login

Sebastien Blanc sblanc at redhat.com
Wed Apr 10 05:32:56 EDT 2019


Which version of Keycloak are you using?

When I wait too long on kc 5.0.0, it brings me back to the login page with
the warning "You took too long to login. Login process starting from
beginning." Isn't that what you want?

On Wed, Apr 10, 2019 at 10:40 AM Georgi Matev <
georgi.matev at dominodatalab.com> wrote:

> We have a realm with an openid-connect client configured to provide
> authentication for an application using Keycloak. The application is using
> the Keycloak hosted login page to handle auth redirects. We have this
> working well except that when one stays on the login page a little longer,
> the authentication attempt fails with a state mismatch error.
>
> We understand the protection this provides. To handle it gracefully, we
> redirect the user back to login when the mismatch is detected. This creates
> a weird user experience, where the user just entered their credentials and
> seemingly nothing happened the first time but succeeds the second time.
>
> Have not been able to figure out how to do the following:
>
> (1) Pass some parameter indicating that the mismatched state happened so
> that when we get back to the login redirect the second time, we can use the
> parameter to trigger an appropriate message on the login page (through
> customizing the theme) to indicate that the user took too long to login. We
> have tried adding URL parameters when redirecting back to login but this
> has not worked since these get stripped.
>
> (2) What setting in Keycloak determines how long the state parameter from
> the login redirect is valid. Played with long values for "Client login
> timeout", "Login timeout", "Login action timeout" under Tokens in the Realm
> but none of these seems to help.
>
> Any advice would be much appreciated.
>
> Thanks,
> -Georgi
>
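
An added example, not part of the original messages and not code from Keycloak or any client library: one way the application side can tell a state value that outlived its lifetime apart from one it never issued, and keep the "took too long" notice in its own session instead of a URL parameter. The function names, the shape of the session object and the TTL are assumptions.

```javascript
const { randomBytes } = require("crypto");

// Hypothetical relying-party helpers. `session` is the application's own
// server-side session object for one browser, so a state value is only
// accepted from the browser it was issued to.

// Before redirecting to the login page: mint a state value and record when.
function issueState(session, returnTo, now = Date.now) {
  const state = randomBytes(16).toString("hex");
  if (!session.pendingStates) session.pendingStates = new Map();
  session.pendingStates.set(state, { issuedAt: now(), returnTo });
  return state;
}

// On the redirect back: classify the state instead of failing generically.
function handleCallback(session, state, ttlMs, now = Date.now) {
  const pending = session.pendingStates;
  const entry = pending ? pending.get(state) : undefined;

  // Never issued to this session, or already used once: treat as a
  // possible forged callback and do not restart login automatically.
  if (!entry) return { action: "reject" };

  pending.delete(state); // each state value is single-use

  // Issued by us but too old: the user lingered on the login page.
  if (now() - entry.issuedAt > ttlMs) {
    session.loginNotice = "took_too_long"; // shown by the app on next render
    return { action: "restart_login", returnTo: entry.returnTo };
  }

  return { action: "exchange_code", returnTo: entry.returnTo };
}
```

Only the expired case restarts login with a notice; an unknown state is rejected outright so the mismatch check keeps its protective value.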

