Is this the correct flow?
1. You visit the URL
2. You log in
3. Keycloak sets an auth server cookie so you don't have to log in again
4. Keycloak redirects back to the app
5. App checks the state param vs. the state cookie, fails
6. Human refreshes the bad request URL after removing some parameters
7. App redirects to Keycloak to start the OpenID Connect flow
8. Keycloak checks its cookie, the user is already logged in, and redirects
back to the app
9. You are logged in
Steps 6-9 are just normal OpenID Connect.
On 1/9/2015 9:14 AM, Michael Gerber wrote:
Someone in our company bookmarked the login URL
https://localhost:9443/auth/realms/uka/protocol/openid-connect/login?clie...
And he reported this behaviour.
I don't understand why the login is permitted with an invalid state. I
know the login was successful, but the application did not request this
login (the state is wrong), so it should not allow it.
@stian
This behaviour is easily reproducible.
Open the customer-portal example app in a browser and copy the login URL.
Close the browser, open it again and use the old URL (or clear your
cookies ;-).
Remove all parameters from the URL after you receive the bad request
error and you should get in.
On 9 January 2015 at 14:41, Bill Burke <bburke(a)redhat.com> wrote:
> What I think is happening is that you have an invalid state cookie (as
> per the oauth spec), you reload the app URL again and authentication is
> successful. While I don't know why you are getting "No state cookie"
> the rest makes sense as you're just going through a successful login.
>
> On 1/9/2015 7:45 AM, Michael Gerber wrote:
>> Hi,
>> I have a strange behaviour with an invalid state param.
>> The server writes the following log, which is correct:
>> WARN [org.keycloak.adapters.OAuthRequestAuthenticator] (default
>> task-17) No state cookie
>> After that I receive a 400 error in my browser with the following URL:
>> https://pcc811.hrms.ch:9443/index.html?code=Q-NK1wwTdqja5XU8lUkNkZnEy40Zd...
>> I can load this URL again and then I am successfully logged in.
>> Is this the correct behaviour?
>> Best
>> Michael
>> _______________________________________________
>> keycloak-dev mailing list
>> keycloak-dev(a)lists.jboss.org <mailto:keycloak-dev@lists.jboss.org>
>> https://lists.jboss.org/mailman/listinfo/keycloak-dev
>
> --
> Bill Burke
> JBoss, a division of Red Hat
> http://bill.burkecentral.com
--
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com
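The flow Bill describes, reduced to runnable code. This is an added example written for this thread, not Keycloak adapter code: the authorization server, the relying party (the "app") and the browser are all simulated in-process, and the cookie names (RP_STATE, RP_SESSION, IDP_SSO), the signing key and the user name are constructed for the example. It reproduces Michael's steps: a bookmarked login URL opened in a cookie-less browser comes back to the app with a code and a state that the app never issued, so the app answers 400 "No state cookie" and does not exchange that code; stripping the parameters starts a new flow with a fresh state, the IdP's SSO cookie skips the login form, and the second callback passes the state check.

```python
import hmac
import hashlib
import secrets
from dataclasses import dataclass, field
from urllib.parse import urlencode, urlparse, parse_qs

# All names below are constructed for this example (not Keycloak's cookie names).
STATE_COOKIE = "RP_STATE"      # app-side cookie holding the state it issued
SESSION_COOKIE = "RP_SESSION"  # app-side session once login completed
SSO_COOKIE = "IDP_SSO"         # IdP-side SSO cookie (the role Keycloak's cookie plays in step 3)
RP_KEY = b"constructed-rp-cookie-signing-key"


@dataclass
class Response:
    status: int
    body: str = ""
    location: str = ""
    set_cookies: dict = field(default_factory=dict)  # name -> value, "" clears


def _query(url):
    return {k: v[0] for k, v in parse_qs(urlparse(url).query).items()}


class FakeIdP:
    """Simulated authorization endpoint with an SSO cookie and one-time codes."""
    def __init__(self):
        self.sso, self.codes, self.exchanged = {}, {}, []

    def authorize(self, url, cookies, credentials=None):
        q = _query(url)
        user = self.sso.get(cookies.get(SSO_COOKIE))
        resp = Response(302)
        if user is None:                       # no SSO session: need a login
            if credentials is None:
                return Response(200, body="login form")
            user = credentials["username"]
            sso = secrets.token_urlsafe(16)
            self.sso[sso] = user
            resp.set_cookies[SSO_COOKIE] = sso
        code = secrets.token_urlsafe(16)
        self.codes[code] = user
        # The state is echoed back exactly as it arrived, stale or not.
        resp.location = q["redirect_uri"] + "?" + urlencode({"code": code, "state": q["state"]})
        return resp

    def exchange(self, code):
        self.exchanged.append(code)
        return self.codes.pop(code)            # KeyError on replay of a used code


class RelyingParty:
    """The app: issues a state, pins it in a signed cookie, and refuses callbacks without it."""
    def __init__(self, idp, app_url, login_url):
        self.idp, self.app_url, self.login_url = idp, app_url, login_url

    @staticmethod
    def _mac(state):
        return hmac.new(RP_KEY, state.encode(), hashlib.sha256).hexdigest()

    def _start_flow(self):
        state = secrets.token_urlsafe(16)
        params = {"client_id": "customer-portal", "response_type": "code",
                  "redirect_uri": self.app_url, "state": state}
        return Response(302, location=self.login_url + "?" + urlencode(params),
                        set_cookies={STATE_COOKIE: state + "." + self._mac(state)})

    def handle(self, url, cookies):
        q = _query(url)
        if "code" in q:                        # callback from the IdP
            cookie = cookies.get(STATE_COOKIE)
            if cookie is None:
                return Response(400, body="No state cookie")
            state, _, mac = cookie.partition(".")
            if not hmac.compare_digest(mac, self._mac(state)) or state != q.get("state"):
                return Response(400, body="Invalid state")
            user = self.idp.exchange(q["code"])
            return Response(200, body=f"logged in as {user}",
                            set_cookies={STATE_COOKIE: "", SESSION_COOKIE: user})
        if cookies.get(SESSION_COOKIE):
            return Response(200, body=f"logged in as {cookies[SESSION_COOKIE]}")
        return self._start_flow()


class Browser:
    """Follows redirects between app and IdP with one cookie jar; records the URLs visited."""
    def __init__(self, rp, idp):
        self.rp, self.idp, self.jar, self.history = rp, idp, {}, []

    def open(self, url, credentials=None):
        for _ in range(10):
            self.history.append(url)
            if urlparse(url).netloc == urlparse(self.rp.app_url).netloc:
                resp = self.rp.handle(url, self.jar)
            else:
                resp = self.idp.authorize(url, self.jar, credentials)
            for k, v in resp.set_cookies.items():
                self.jar[k] = v if v else self.jar.pop(k, None) and None
                if not v:
                    self.jar.pop(k, None)
            if resp.status != 302:
                return resp
            url = resp.location
        raise RuntimeError("redirect loop")


def reproduce():
    idp = FakeIdP()
    rp = RelyingParty(idp, "https://app.example/index.html",
                      "https://idp.example/auth/realms/uka/protocol/openid-connect/login")
    creds = {"username": "michael"}             # constructed user

    b1 = Browser(rp, idp)                       # day 1: normal login, then bookmark the login URL
    assert b1.open(rp.app_url, creds).status == 200
    bookmarked_login_url = b1.history[1]

    b2 = Browser(rp, idp)                       # day 2: fresh browser, no cookies at all
    stale = b2.open(bookmarked_login_url, creds)   # steps 1-5: code + old state, no state cookie
    stale_callback_url = b2.history[-1]
    fresh = b2.open(rp.app_url)                 # steps 6-9: new state, SSO cookie, no login form
    replay = b2.open(stale_callback_url)        # the old callback still fails after login
    return {"stale": stale, "fresh": fresh, "replay": replay,
            "unexchanged_codes": len(idp.codes), "exchanged": len(idp.exchanged)}
```

The part worth keeping in mind when reading Michael's report: the code returned to the bookmarked flow is never exchanged, because the only thing the app will accept is a callback whose state matches a cookie the app itself set moments earlier. The later success is a separate authorization request; the IdP's SSO cookie only removes the login prompt from it.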