This is actually expected behaviour. What happens is:
1. Copy/paste the login URL with the invalid state
2. Login to the SSO realm
3. Redirect back to the app which throws error due to invalid state
4. Now you're not logged in to the application, but you're logged in to the SSO realm
5. Remove the code param from the link which causes another redirect to login
6. As you're already logged in to the SSO realm you're immediately redirected back
to the app with a new code and state param
----- Original Message -----
From: "Michael Gerber" <gerbermichi(a)me.com>
To: "Bill Burke" <bburke(a)redhat.com>
Cc: keycloak-dev(a)lists.jboss.org
Sent: Friday, 9 January, 2015 3:14:41 PM
Subject: [keycloak-dev] Re: Strange behaviour with invalid state param
Someone in our company bookmarked the login URL
https://localhost:9443/auth/realms/uka/protocol/openid-connect/login?clie...
And he reported this behaviour.
I don't understand why the login is permitted with an invalid state. I know
the login was successful but the application did not request this login
(state is wrong), so it should not allow it.
@stian
this behaviour is easily reproducible.
Open the customer-portal example app in a browser, copy the login url.
Close the browser and open it again and use the old url. (or clear your
cookies ;-)
Remove all parameters from the url after you received the bad request error
and you should get in.
On 9 January 2015 at 14:41, Bill Burke <bburke(a)redhat.com> wrote:
What I think is happening is that you have an invalid state cookie (as
per the oauth spec), you reload the app URL again and authentication is
successful. While I don't know why you are getting "No state cookie"
the rest makes sense as you're just going through a successful login.
On 1/9/2015 7:45 AM, Michael Gerber wrote:
Hi,
I have a strange behaviour with an invalid state param.
The server writes the following log, which is correct:
WARN [org.keycloak.adapters.OAuthRequestAuthenticator] (default task-17) No state cookie
After that I receive a 400 error in my browser with the following URL:
https://pcc811.hrms.ch:9443/index.html?code=Q-NK1wwTdqja5XU8lUkNkZnEy40Zd...
I can load this URL again and then I am successfully logged in.
Is this the correct behaviour?
Best
Michael
_______________________________________________
keycloak-dev mailing list
keycloak-dev(a)lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-dev
--
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com