Someone in our company bookmarked the login URL
https://localhost:9443/auth/realms/uka/protocol/openid-connect/login?clie...
And he reported this behaviour.
I don't understand why the login is permitted with an invalid state. I know the login was
successful, but the application did not request this login (the state is wrong), so it should
not allow it.
@stian
This behaviour is easily reproducible.
Open the customer-portal example app in a browser and copy the login URL.
Close the browser, open it again and use the old URL (or clear your cookies ;-).
Remove all parameters from the url after you received the bad request error and you should
get in.
On 09 January 2015 at 14:41, Bill Burke <bburke(a)redhat.com> wrote:
What I think is happening is that you have an invalid state cookie (as
per the oauth spec), you reload the app URL again and authentication is
successful. While I don't know why you are getting "No state cookie"
the rest makes sense as you're just going through a successful login.
On 1/9/2015 7:45 AM, Michael Gerber wrote:
Hi,
I have a strange behaviour with an invalid state param.
The server writes the following log, which is correct:
WARN [org.keycloak.adapters.OAuthRequestAuthenticator] (default
task-17) No state cookie
After that I receive a 400 error in my browser with the following URL:
https://pcc811.hrms.ch:9443/index.html?code=Q-NK1wwTdqja5XU8lUkNkZnEy40Zd...
I can load this URL again and then I am successfully logged in.
Is this the correct behaviour?
Best
Michael
_______________________________________________
keycloak-dev mailing list
keycloak-dev(a)lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-dev
--
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com
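The check Michael is asking about, as an added illustration that is not Keycloak adapter code: a callback handler that only exchanges the code and creates a session when the state parameter matches the state cookie set when the login started. The cookie name, the session dict and the URLs are assumptions made for this example.

```python
import hmac
import secrets
from urllib.parse import urlsplit, parse_qs

# Assumed cookie name; the real adapter may use a different one.
STATE_COOKIE = "oauth_state"


def start_login(session):
    """Begin a login: mint a fresh state and remember it in the browser's cookie jar."""
    state = secrets.token_urlsafe(16)
    session["cookies"][STATE_COOKIE] = state
    return state


def handle_callback(session, url):
    """Validate the redirect back from the IdP.

    Returns (http_status, reason). The code is only exchanged (and the user
    only logged in) after the state has been matched against the cookie, so
    replaying an old callback URL in a fresh browser, or with a forged state,
    never produces a session.
    """
    params = parse_qs(urlsplit(url).query)
    code = params.get("code", [None])[0]
    state = params.get("state", [None])[0]
    if code is None:
        return 401, "no code"
    # The cookie is single-use: pop it so the same state cannot be replayed.
    expected = session["cookies"].pop(STATE_COOKIE, None)
    if expected is None:
        return 400, "No state cookie"
    if state is None or not hmac.compare_digest(expected, state):
        return 400, "state mismatch"
    # Only here would the code be exchanged for tokens.
    session["logged_in"] = True
    return 200, "ok"


if __name__ == "__main__":
    # Constructed scenario: bookmarked callback URL replayed in a fresh browser.
    browser = {"cookies": {}, "logged_in": False}
    old_state = start_login(browser)
    old_url = f"https://app.example/index.html?code=abc&state={old_state}"
    fresh = {"cookies": {}, "logged_in": False}
    print(handle_callback(fresh, old_url), fresh["logged_in"])  # (400, 'No state cookie') False
```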