Re: Strange behaviour with invalid state param
by Michael Gerber
Someone in our company bookmarked the login URL
https://localhost:9443/auth/realms/uka/protocol/openid-connect/login?clie...
And he reported this behaviour.
I don't understand why the login is permitted with an invalid state. I know the login was successful, but the application did not request this login (the state is wrong), so it should not allow it.
@stian
This behaviour is easily reproducible.
Open the customer-portal example app in a browser and copy the login URL.
Close the browser, open it again and use the old URL (or clear your cookies ;-).
Remove all parameters from the URL after you receive the Bad Request error and you should get in.
On 9 January 2015 at 14:41, Bill Burke <bburke(a)redhat.com> wrote:
What I think is happening is that you have an invalid state cookie (as per the OAuth spec), you reload the app URL again and authentication is successful. While I don't know why you are getting "No state cookie", the rest makes sense as you're just going through a successful login.
On 1/9/2015 7:45 AM, Michael Gerber wrote:
Hi,
I have a strange behaviour with an invalid state param.
The server writes the following log, which is correct:
WARN [org.keycloak.adapters.OAuthRequestAuthenticator] (default task-17) No state cookie
After that I receive a 400 error in my browser with the following URL:
https://pcc811.hrms.ch:9443/index.html?code=Q-NK1wwTdqja5XU8lUkNkZnEy40Zd...
I can load this URL again and then I am successfully logged in.
Is this the correct behaviour?
Best
Michael
_______________________________________________
keycloak-dev mailing list
keycloak-dev(a)lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-dev
--
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com
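The check Bill describes, as an added illustration (my own toy model, not the Keycloak adapter's code; the cookie name, endpoints and client_id are assumptions): the adapter binds a random state to the browser with a cookie when it starts a login, and a callback carrying a code is accepted only if that cookie is present and equal to the state parameter. Replaying the bookmarked login URL in a cookie-less browser reproduces the 400, and the later success is a brand-new login, not acceptance of the stale code.

```python
"""Toy model of an OAuth 2.0 authorization-code client checking the state
parameter against a state cookie. Added example; not Keycloak's adapter code.
"""
import hmac
import secrets
from dataclasses import dataclass, field
from urllib.parse import parse_qs, urlencode, urlparse

# Cookie name, endpoint and client id are assumptions for this example.
STATE_COOKIE = "oauth_state"
AUTH_ENDPOINT = "https://idp.example/auth"
APP_URL = "https://app.example/index.html"


@dataclass
class Browser:
    """Cookie jar of one browser session."""
    cookies: dict = field(default_factory=dict)


def start_login(browser: Browser) -> str:
    """Begin a login: mint a fresh state and bind it to this browser via a cookie."""
    state = secrets.token_urlsafe(16)
    browser.cookies[STATE_COOKIE] = state
    return AUTH_ENDPOINT + "?" + urlencode(
        {"client_id": "customer-portal", "redirect_uri": APP_URL,
         "response_type": "code", "state": state})


def idp_authenticate(login_url: str) -> str:
    """Stand-in for the IdP: the user logs in and the IdP echoes state back with a code."""
    q = parse_qs(urlparse(login_url).query)
    return q["redirect_uri"][0] + "?" + urlencode(
        {"code": secrets.token_urlsafe(8), "state": q["state"][0]})


def handle_request(browser: Browser, url: str) -> str:
    """Adapter logic for a request to the protected app URL; returns the outcome as a label."""
    q = parse_qs(urlparse(url).query)
    code = q.get("code", [None])[0]
    state = q.get("state", [None])[0]
    if code is None:
        # Plain app URL, no session: start a new login (caller follows the redirect).
        return "REDIRECT_TO_LOGIN"
    cookie = browser.cookies.pop(STATE_COOKIE, None)   # one-shot: consumed on use
    if cookie is None:
        return "400 No state cookie"
    if state is None or not hmac.compare_digest(cookie, state):
        return "400 state mismatch"
    return "OK exchange code"   # only now would the adapter redeem the code


def replay_bookmarked_login() -> list:
    """Reproduce the thread's scenario and collect the adapter's decisions."""
    # 1. A normal login in browser A; the IdP login URL is what got bookmarked.
    a = Browser()
    bookmarked = start_login(a)
    assert handle_request(a, idp_authenticate(bookmarked)) == "OK exchange code"

    # 2. Later, a fresh browser (no cookies) opens the bookmark. The IdP
    #    authenticates happily and redirects back with a code + the old state.
    b = Browser()
    callback = idp_authenticate(bookmarked)
    outcomes = [handle_request(b, callback)]          # 400 No state cookie

    # 3. The user strips the query string and reloads: a brand-new login flow.
    outcomes.append(handle_request(b, APP_URL))       # REDIRECT_TO_LOGIN
    fresh = start_login(b)
    outcomes.append(handle_request(b, idp_authenticate(fresh)))  # OK exchange code

    # 4. The stale callback is never accepted, not even by the browser that ran step 1.
    outcomes.append(handle_request(a, callback))      # 400 No state cookie

    # 5. A browser with its own pending login that receives someone else's
    #    callback (the login-CSRF case) is rejected on mismatch.
    c = Browser()
    start_login(c)
    outcomes.append(handle_request(c, callback))      # 400 state mismatch
    return outcomes
```

The first 400 is the right answer: the code in the replayed URL was produced by an authorization request this browser never made. Only after the query string is dropped does the adapter mint a fresh state and begin a new flow, which is why the second attempt succeeds.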
Re: A disabled user receives a confusing info message, if he tries to reset his password
by Michael Gerber
Unfortunately, it isn't implemented like that.
Have a look at the authenticateInternal method of the AuthenticationManager class.
AuthenticationStatus.ACCOUNT_DISABLED;
is returned before the validCredentials method is invoked.
Best
Michael
On 12 January 2015 at 12:25, Stian Thorgersen <stian(a)redhat.com> wrote:
----- Original Message -----
From: "Michael Gerber" <gerbermichi(a)me.com>
To: "Stian Thorgersen" <stian(a)redhat.com>
Cc: keycloak-dev(a)lists.jboss.org
Sent: Monday, 12 January, 2015 11:20:02 AM
Subject: Re: [keycloak-dev] A disabled user receives a confusing info message, if he tries to reset his password
Thank you, that sounds logical.
I just wondered, because you have a different error message for disabled
users on the login screen.
"Account is disabled, contact admin"
That should only be shown after a user has logged in with a valid username/password; if you try to log in with an invalid password and a disabled user, it should show invalid username/password.
Best
Michael
On 12 January 2015 at 10:45, Stian Thorgersen <stian(a)redhat.com> wrote:
This is intentional. If we provide specific error messages on reset password
it can be used to find out whether or not a username/email is valid. Same
applies to login, instead of saying invalid username it just says invalid
username or password.
As an improvement we could extend the message to say if you haven't received
a message within a certain time, then retry or contact an admin/support.
----- Original Message -----
From: "Michael Gerber" <gerbermichi(a)me.com>
To: keycloak-dev(a)lists.jboss.org
Sent: Friday, 9 January, 2015 4:01:49 PM
Subject: [keycloak-dev] A disabled user receives a confusing info message, if he tries to reset his password
A disabled user receives the following info message, if he tries to reset his password:
You should receive an email shortly with further instructions.
This is a bit confusing. A message like that would be nicer:
Failed to send email, please contact the administrator.
I will create a PR if that is ok with you?
Re: A disabled user receives a confusing info message, if he tries to reset his password
by Michael Gerber
Thank you, that sounds logical.
I just wondered, because you have a different error message for disabled users on the login screen.
"Account is disabled, contact admin"
Best
Michael
On 12 January 2015 at 10:45, Stian Thorgersen <stian(a)redhat.com> wrote:
This is intentional. If we provide specific error messages on reset password it can be used to find out whether or not a username/email is valid. Same applies to login, instead of saying invalid username it just says invalid username or password.
As an improvement we could extend the message to say if you haven't received a message within a certain time, then retry or contact an admin/support.
----- Original Message -----
From: "Michael Gerber" <gerbermichi(a)me.com>
To: keycloak-dev(a)lists.jboss.org
Sent: Friday, 9 January, 2015 4:01:49 PM
Subject: [keycloak-dev] A disabled user receives a confusing info message, if he tries to reset his password
A disabled user receives the following info message, if he tries to reset his password:
You should receive an email shortly with further instructions.
This is a bit confusing. A message like that would be nicer:
Failed to send email, please contact the administrator.
I will create a PR if that is ok with you?
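The uniform-response design Stian describes in both of the replies above, as an added illustration (constructed user table and messages; my own code, not Keycloak's AuthenticationManager): the reset endpoint returns one message whatever the username, and the login path verifies the password before it is willing to reveal that an account is disabled. A leaky reset handler is shown beside it, and distinct_responses counts how many different answers a probing attacker can tell apart.

```python
"""Added example: shaping password-reset and login responses so they do not
reveal whether a username exists or is disabled. Not Keycloak code; the user
table, hashing and message strings are constructed for the illustration."""
import hashlib
import hmac
from dataclasses import dataclass


@dataclass
class User:
    pw_hash: bytes
    enabled: bool


def _hash(pw: str) -> bytes:
    # Toy hash so the example runs offline; a real deployment uses a password KDF.
    return hashlib.sha256(pw.encode()).digest()


# Constructed user table: one active account, one disabled account.
USERS = {
    "alice": User(_hash("correct horse"), enabled=True),
    "mallory": User(_hash("hunter2"), enabled=False),
}
# Compared against when the user is unknown, so unknown and wrong-password
# paths do the same amount of work.
DUMMY_HASH = _hash("no-such-user")

outbox = []   # usernames for which a reset mail was "sent"


def reset_password_leaky(username: str) -> str:
    """Distinct messages: the caller learns whether `username` exists and is enabled."""
    user = USERS.get(username)
    if user is None:
        return "Unknown user."
    if not user.enabled:
        return "Failed to send email, please contact the administrator."
    outbox.append(username)
    return "You should receive an email shortly with further instructions."


def reset_password_uniform(username: str) -> str:
    """One message for every input; the mail is only sent where it should be."""
    user = USERS.get(username)
    if user is not None and user.enabled:
        outbox.append(username)
    return ("You should receive an email shortly with further instructions. "
            "If it does not arrive, retry or contact support.")


def login(username: str, password: str) -> str:
    """Check the password first; only a correct password may reveal disabled state."""
    user = USERS.get(username)
    expected = user.pw_hash if user is not None else DUMMY_HASH
    password_ok = hmac.compare_digest(expected, _hash(password))
    if user is None or not password_ok:
        return "Invalid username or password."
    if not user.enabled:
        return "Account is disabled, contact admin."
    return "OK"


def distinct_responses(handler, probes=("alice", "mallory", "nobody")) -> int:
    """How many different answers an enumerating attacker can observe."""
    return len({handler(u) for u in probes})
```

With the uniform handler a probe for an unknown or disabled user gets exactly the same text as a probe for a live one, so the reset form stops being an account oracle; the price is the vaguer wording, which is why the message also tells a genuine user what to do if nothing arrives.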
Master bumped to 1.2.0.Beta1-SNAPSHOT
by Stian Thorgersen
I created 1.1.x branch for 1.1.0.Final release and bumped master to 1.2.0.Beta1-SNAPSHOT
So go ahead and start work on 1.2 features :)
There are still some issues left to do for 1.1.0.Final, which Marek and I will sort out. I'm aiming to release in a few days. If there's anything you'd like to add to 1.1.0.Final, please let me know in advance.
HA Support For Keycloak
by Lakshmi Narayana VADALI (lvadali)
Hi ,
Does Keycloak 1.0.4.Final have HA support? If not, from which release is Keycloak HA support available?
Thanks,
Lakshmi Narayana V
Keycloak in JBoss projects
by Stian Thorgersen
There's a lot of JBoss projects already integrating or looking at using Keycloak:
* AeroGear UPS
* LiveOak
* RTGov
* Hawt.io
* Fabric8
* Fuse
* S-RAMP
* APIMan
* ...
I think now is the time to make sure we can provide the best and consistent experience for all projects. With that regards there's improvements we can make:
* Embeddable Keycloak - provide a slimmed-down profile of Keycloak that can easily be embedded into existing projects. The big question here is: should we support deploying to other containers than WildFly? I reckon, as long as projects support other projects and we want to be the main auth solution, we do. I'd hate to see projects having to provide alternative mechanisms themselves to continue to support Tomcat, for example
* External Keycloak - make it simpler to link a project to an external Keycloak, including sharing the master realm for SSO to all consoles
* Configuration - for both embeddable and external we need to make it easier for projects to bootstrap and update application configuration (for example if hostname changes)
* Unified console - we need to align better with PatternFly and RCUE. We should also provide a mechanism for linking between consoles
Build on top of Vert.x?
by Bill Burke
Don't care that much at all about AIO, but what is compelling to me about Vert.x is that it is a polyglot platform. If our SPIs could be written in any language and deployed easily, this would be a huge win and could potentially bring together very diverse communities (node.js and linux-python-admins).
Something to think about for Keycloak 2.0.
Bill
--
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com