The stateChecker exists to protect against CSRF browser attacks. I
think we can ignore this check if the request is bearer authenticated.
Submit a JIRA please?
On 3/4/2015 11:47 AM, Daniel Baxter wrote:
Hi,
I am trying to implement a remote user password change for the logged
in user. This is a requirement for the protocol we are required to
support which accepts xml formatted commands over a network port, one of
which is a password change request. The user is logged in via a Direct
Grant from the Remoting application and we have a full KeycloakPrincipal
attached to each remote session. When I POST to the form at
/realms/{realm}/account/password using a Bearer Auth the password does
reset but I get a 500 status back from Keycloak. The issue is that it is
trying to rebuild an html response from the ‘password.ftl’ template and
it does not have a value for ‘stateChecker’.
After reviewing the code on github I found that if you use Bearer Auth,
AccountService.init() never initializes a value to stateChecker. So even
though I passed one in as a cookie on the POST and inside the form
itself it never gets read. The workaround is to use cookies only to
handle the authentication mechanism; specifically KEYCLOAK_STATE_CHECKER
and KEYCLOAK_IDENTITY and not include Bearer authentication at all. So
there is a workaround and it requires the use of cookies only and not
Bearer Auth. I know this is not really the intended use of the POST to
this form (e.g. using it like a REST endpoint), but if anyone else runs
into this issue at least they can learn from what I found by searching
the mailing list archives.
So this leaves me with a couple of questions:
Why does using Bearer Auth not initialize some sort of value for
stateChecker here (i.e. is this a bug)? When you use cookies it appears
to even generate a value for stateChecker if none is found in the cookie.
What is the purpose of embedding it as a hidden input on the password
change form? It appears to never get read when the form is processed
anyway.
Thanks,
Daniel
_______________________________________________
keycloak-dev mailing list
keycloak-dev(a)lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-dev
--
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com
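The pattern under discussion, as an added illustration that is not Keycloak's code and not from either poster: a synchronizer token (the stateChecker) carried in both a cookie and a hidden form field, minted on the cookie path when the cookie is absent, compared in constant time on POST, and skipped entirely when the request carries an Authorization: Bearer header, which is the exemption Bill proposes. Only the cookie name KEYCLOAK_STATE_CHECKER, the field name stateChecker and the /realms/{realm}/account/password path come from the thread; the Request/Response types, the handler names and the assumption that the bearer token itself has already been validated upstream are mine.

```python
"""stateChecker (synchronizer token) handling for a password-change form,
with a bearer-auth exemption.  Added example, not Keycloak code: the
Request/Response types and function names are assumptions; only the
cookie name, the hidden field name and the path come from the thread."""
import hmac
import secrets
from dataclasses import dataclass, field

STATE_COOKIE = "KEYCLOAK_STATE_CHECKER"   # cookie name named in the thread
STATE_FIELD = "stateChecker"             # hidden input name named in the thread


@dataclass
class Request:
    headers: dict = field(default_factory=dict)
    cookies: dict = field(default_factory=dict)
    form: dict = field(default_factory=dict)


@dataclass
class Response:
    status: int
    body: str
    set_cookies: dict = field(default_factory=dict)


def is_bearer_authenticated(req: Request) -> bool:
    # A browser never attaches this header on a cross-site form post; the
    # client adds it deliberately, so a CSRF token adds nothing for such
    # requests.  Validating the bearer token itself is assumed to happen
    # upstream of this handler.
    auth = req.headers.get("Authorization", "")
    return auth.lower().startswith("bearer ")


def init_state_checker(req: Request, resp: Response) -> str:
    # Cookie path as Daniel describes it: reuse the cookie value if present,
    # otherwise mint a fresh one and set the cookie so the browser returns it.
    token = req.cookies.get(STATE_COOKIE)
    if not token:
        token = secrets.token_urlsafe(32)
        resp.set_cookies[STATE_COOKIE] = token
    return token


def render_password_form(req: Request) -> Response:
    # GET: the template always receives a stateChecker value, so rendering
    # cannot fail for lack of one.
    resp = Response(200, "")
    token = init_state_checker(req, resp)
    resp.body = ('<form method="post">'
                 f'<input type="hidden" name="{STATE_FIELD}" value="{token}">'
                 '<input type="password" name="password-new"></form>')
    return resp


def state_checker_valid(req: Request) -> bool:
    # Synchronizer token: the hidden field must equal the cookie.  A forged
    # cross-site form can neither read nor guess the cookie value.
    expected = req.cookies.get(STATE_COOKIE)
    submitted = req.form.get(STATE_FIELD)
    if not expected or not submitted:
        return False
    return hmac.compare_digest(submitted.encode(), expected.encode())


def handle_password_post(req: Request, change_password) -> Response:
    # POST /realms/{realm}/account/password with the proposed exemption:
    # skip the stateChecker comparison when the request is bearer-authenticated.
    if not is_bearer_authenticated(req) and not state_checker_valid(req):
        return Response(403, "stateChecker missing or mismatched")
    new_password = req.form.get("password-new")
    if not new_password:
        return Response(400, "password-new is required")
    change_password(new_password)
    return Response(200, "password updated")


if __name__ == "__main__":
    changed = []
    # Constructed bearer request: no cookie and no hidden field, still accepted.
    r = handle_password_post(Request(headers={"Authorization": "Bearer <token>"},
                                     form={"password-new": "s3cret"}), changed.append)
    print(r.status, r.body, changed)
```

The cookie-only workaround Daniel describes corresponds to the non-bearer branch: the browser sends KEYCLOAK_STATE_CHECKER automatically and the hidden field has to match it, which is exactly what a cross-site attacker cannot arrange. With the exemption in place, a bearer-authenticated client can post to the endpoint without ever seeing the form.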