Someone in our company bookmarked the login URL

https://localhost:9443/auth/realms/uka/protocol/openid-connect/login?client_id=uka-solutions&redirect_uri=https%3A%2F%2Flocalhost%3A9443%2Findex.html&state=1%2Ff761c116-eef1-4744-b40d-792cd14c1386&login=true

And he reported this behaviour.

I dont understand why the login is permitted with an invalid state. I know the login was successful but the application did not request this login (state is wrong), so it should not allow it.

@stian

this behaviour is easy reproducible.

Open the customer-portal example app in a browser, copy the login url.

Close the browser and open it again and use the old url. (or clear your cookies ;-)

Remove all parameters from the url after you received the bad request error and you should get in.

What I think is happening is that you have an invalid state cookie (as
per the oauth spec), you reload the app URL again and authentication is
successful. While I don't know why you are getting "No state cookie"
the rest makes sense as you're just going through a successful login.

On 1/9/2015 7:45 AM, Michael Gerber wrote:
Hi,
I have a strange behaviour with an invalid state param.
The server writes the following log, which is correct:
WARN [org.keycloak.adapters.OAuthRequestAuthenticator] (default
task-17) No state cookie
After that I receive a 400 error in my browser with the following URL:
https://pcc811.hrms.ch:9443/index.html?code=Q-NK1wwTdqja5XU8lUkNkZnEy40ZdCx2FjC6qslukdc.9ef6b6f7-b888-4a59-b34c-7af6d490614b&state=dc-4d82-b0c9-d434b917dfce
I can load this URL again and than I am successfully logged in.
Is this the correct behaviour?
Best
Michael
_______________________________________________
keycloak-dev mailing list
keycloak-dev@lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-dev

--
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com
_______________________________________________
keycloak-dev mailing list
keycloak-dev@lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-dev