Thanks for pointing that out! I am trying to build a plugin that enables
out-of-band authentication with a FIDO UAF client on a mobile phone.
This video shows the behavior that we are trying to integrate into
Keycloak:
https://www.youtube.com/watch?v=aQFwvyDSOSM
I extend AbstractUsernameFormAuthenticator and make a blocking HTTP call
inside the action(AuthenticationFlowContext context) method.
On the UI side, I use JavaScript to call the action method automatically when
the page opens. I can't submit the whole page as I need to provide a
working cancel button. When the call finishes, I follow the redirect
manually in JavaScript.
This is all work in progress and still quite hacky; comments and help are
very welcome. We plan to publish the source code when we have finished our
prototype.
The escaped URLs are not an issue here, it's just something I came across and
wanted to share.
Greetings, Felix
2018-07-20 12:28 GMT+02:00 Stian Thorgersen <sthorger(a)redhat.com>:
What are you actually trying to do? Are you scraping the URL from the
login form? That's not really something you should be doing.
On Thu, 19 Jul 2018 at 10:46, Felix Meißner <felix.meissner(a)hanko.io> wrote:
> I expected URLs to be URL encoded, not HTML encoded. Nonetheless, I cannot
> find any facts on how URLs should be encoded inside HTML, so maybe I am
> wrong.
> The problem occurred when I used an HTML-encoded URL inside JavaScript.
> There, the URL will not be decoded before it's sent to the server. When
> used in a form however, the browser will decode the URL before sending it.
>
> 2018-07-19 1:38 GMT+02:00 Stan Silvert <ssilvert(a)redhat.com>:
>
> > On 7/18/2018 2:37 AM, Felix Meißner wrote:
> > > Hi all,
> > >
> > > I just discovered that the action URL of the login form seems to get
> > > HTML encoded and I wondered if that's a bug or a feature.
> > It's a security feature. We take advantage of FreeMarker's "escape by
> > default" feature. As you discovered, you can use ?no_esc to turn this
> > off.
> >
> > I'm kind of interested in why fetch() didn't work. The escaped version
> > should be valid as a URL.
> >
> > >
> > > In
> > > https://github.com/keycloak/keycloak/blob/4.1.0.Final/themes/src/main/resources/theme/base/login/login.ftl
> > > you can see the following line:
> > >
> > > <form id="kc-form-login" onsubmit="login.disabled = true; return true;"
> > > action="${url.loginAction}" method="post">
> > >
> > > On my instance, this resolves to something similar to this:
> > >
> > > <form id="kc-form-login" onsubmit="login.disabled = true; return true;"
> > > action="https://xx.xx.xx.xx:8443/auth/realms/master/login-actions/authenticate?session_code=tyvLn2J3QkM4YJhPzjYKnNLSG4ej89Xabvspm7nmubc&amp;execution=5c933fb0-b637-4462-a603-bf9ffb601220&amp;client_id=security-admin-console&amp;tab_id=2tJInt2M5NE"
> > > method="post">
> > >
> > > All "&" are encoded as &amp;. This became an issue for me, when I tried to
> > > call the URL via JavaScript's fetch method. With the same URL, I got a
> > > server error. When changing the URL to:
> > >
> > > fetch("${url.loginAction?no_esc}", ...)
> > >
> > > it finally worked.
> > >
> > > Shouldn't all form URLs and href URLs not be escaped? What makes me
> > > wonder is that the same URL just works for regular POST requests! For
> > > documentation on escaping you can find more information here:
> > >
> > > https://freemarker.apache.org/docs/dgui_quickstart_template.html#dgui_quickstart_template_autoescaping
> > >
> > > Greetings,
> > > Felix
> > >
> >
> > _______________________________________________
> > keycloak-dev mailing list
> > keycloak-dev(a)lists.jboss.org
> > https://lists.jboss.org/mailman/listinfo/keycloak-dev
>
> --
> A product of Cap3 GmbH, Ringstr. 19, 24114 Kiel, Germany
>
> Court of registration: Amtsgericht Kiel, HRB 13257
> Management: Felix Magedanz, Nicolas Günther, Bettual Richter, Sören Fenner
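The difference between the two cases discussed in this thread (the same `&amp;`-escaped URL works in a form's `action` attribute but not inside a `fetch()` string in a `<script>` block) comes down to which contexts the browser decodes HTML entities in. The following is an added example, not code from Keycloak, FreeMarker or the thread's authors: the host, path and token values are constructed placeholders, and `htmlEscape`, `htmlUnescape` and `jsStringEscape` are hypothetical helpers that mirror the behaviour of an autoescaping template engine, the browser's attribute parsing, and JavaScript string-context escaping respectively.

```javascript
// Added example for this thread (not Keycloak or FreeMarker code): why an
// HTML-escaped URL is fine in a form's action attribute but breaks inside a
// JavaScript string, and how to recover the real URL without ?no_esc.
// All URL values below are constructed placeholders, not real tokens.

const RAW_ACTION =
  "https://idp.example/auth/realms/master/login-actions/authenticate" +
  "?session_code=SESSION_CODE_PLACEHOLDER" +
  "&execution=EXECUTION_PLACEHOLDER" +
  "&client_id=security-admin-console" +
  "&tab_id=TAB_ID_PLACEHOLDER";

// The escaping an autoescaping template engine applies to HTML output
// (FreeMarker's "escape by default" does the equivalent for ${...}).
const HTML_ESCAPES = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
function htmlEscape(s) {
  return s.replace(/[&<>"']/g, (c) => HTML_ESCAPES[c]);
}

// What the browser does when it reads an attribute value such as
// <form action="...">: entities are decoded before the request is built.
// Nothing decodes entities inside a <script> block, so a template that emits
// fetch("${url.loginAction}") ships the literal text &amp; to the server.
const HTML_UNESCAPES = { "&amp;": "&", "&lt;": "<", "&gt;": ">", "&quot;": '"', "&#39;": "'" };
function htmlUnescape(s) {
  return s.replace(/&(?:amp|lt|gt|quot|#39);/g, (e) => HTML_UNESCAPES[e]);
}

// Parse the query string the way a server framework would, to show what the
// server actually receives in each case.
function queryParams(urlString) {
  return Object.fromEntries(new URL(urlString).searchParams.entries());
}

// Escaping for a JavaScript string-literal context: the appropriate fix when
// a value must live inside a <script> block (FreeMarker has a js_string
// built-in for this; this hypothetical helper mirrors the idea). Backslash,
// quotes, newlines and '<' are turned into \uXXXX escapes so the value can
// neither terminate the string literal nor the <script> element.
function jsStringEscape(s) {
  return s.replace(/[\\"'\n\r<]/g,
    (c) => "\\u" + c.charCodeAt(0).toString(16).padStart(4, "0"));
}

// Round trip covering the three situations from the thread.
function demo() {
  const attributeValue = htmlEscape(RAW_ACTION);             // what login.ftl emits
  const viaForm = queryParams(htmlUnescape(attributeValue)); // browser form submit
  const viaFetchLiteral = queryParams(attributeValue);       // fetch("${url.loginAction}")
  return {
    attributeValue,
    formSeesExecution: viaForm.execution,                   // "EXECUTION_PLACEHOLDER"
    fetchSeesExecution: viaFetchLiteral.execution,          // undefined: parameter lost
    fetchSeesMangledKey: viaFetchLiteral["amp;execution"],  // what the server got instead
    jsSafe: jsStringEscape(RAW_ACTION),
  };
}

console.log(demo());
```

Run it with `node`. The defender's takeaway is that `?no_esc` removes the HTML escaping that keeps template values from breaking out of attributes, and it is the wrong tool for a `<script>` context anyway; either read the already-decoded value from the DOM (the form element's `action` property, which the browser has unescaped) or escape the value for the JavaScript string context as `jsStringEscape` does.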