Hi,
I am trying to implement a remote user password change for the logged-in user. This is a
requirement for the protocol we are required to support, which accepts XML-formatted
commands over a network port, one of which is a password change request. The user is
logged in via a Direct Grant from the Remoting application and we have a full
KeycloakPrincipal attached to each remote session. When I POST to the form at
/realms/{realm}/account/password using Bearer Auth the password does reset, but I get a
500 status back from Keycloak. The issue is that it is trying to rebuild an HTML response
from the 'password.ftl' template and it does not have a value for
'stateChecker'.
After reviewing the code on GitHub I found that if you use Bearer Auth,
AccountService.init() never initializes a value for stateChecker. So even though I passed
one in as a cookie on the POST and inside the form itself, it never gets read. The
workaround is to use cookies only to handle the authentication mechanism, specifically
KEYCLOAK_STATE_CHECKER and KEYCLOAK_IDENTITY, and not include Bearer authentication at all.
So there is a workaround, and it requires the use of cookies only and not Bearer Auth. I
know this is not really the intended use of the POST to this form (e.g. using it like a
REST endpoint), but if anyone else runs into this issue at least they can learn from what
I found by searching the mailing list archives.
So this leaves me with a couple of questions:
Why does using Bearer Auth not initialize some sort of value for stateChecker here (i.e. is
this a bug)? When you use cookies it appears to even generate a value for stateChecker if
none is found in the cookie.
What is the purpose of embedding it as a hidden input on the password change form? It
appears to never get read when the form is processed anyway.
Thanks,
Daniel
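As an added illustration of the cookie-only workaround described in the post above (this is not the poster's code and not a Keycloak client library; the form field names password, password-new and password-confirm, the base URL and the sample cookie values are assumptions), a small Python client that builds the POST to /realms/{realm}/account/password carrying only the KEYCLOAK_IDENTITY and KEYCLOAK_STATE_CHECKER cookies, with the same stateChecker value repeated as the hidden form field, and checks itself before anything is sent:

```python
import urllib.error
import urllib.parse
import urllib.request


def build_password_change_request(base_url, realm, identity_cookie, state_checker,
                                  current_password, new_password):
    """Build the POST to the legacy account password form, authenticated with
    cookies only (no Authorization: Bearer header), as the workaround describes.

    Assumed, not stated in the post: the field names 'password', 'password-new'
    and 'password-confirm' used by password.ftl.
    """
    url = "%s/realms/%s/account/password" % (
        base_url.rstrip("/"), urllib.parse.quote(realm, safe=""))
    form = {
        "stateChecker": state_checker,     # hidden input, same value as the cookie
        "password": current_password,
        "password-new": new_password,
        "password-confirm": new_password,
    }
    body = urllib.parse.urlencode(form).encode("utf-8")
    cookie_header = "KEYCLOAK_IDENTITY=%s; KEYCLOAK_STATE_CHECKER=%s" % (
        identity_cookie, state_checker)
    headers = {
        "Content-Type": "application/x-www-form-urlencoded",
        "Cookie": cookie_header,
    }
    return urllib.request.Request(url, data=body, headers=headers, method="POST")


def request_uses_cookie_auth_only(req):
    """Pre-send check: no Authorization header, both Keycloak cookies present,
    and the hidden stateChecker field equal to the KEYCLOAK_STATE_CHECKER cookie."""
    if req.has_header("Authorization"):
        return False
    cookies = dict(part.strip().split("=", 1)
                   for part in req.get_header("Cookie", "").split(";")
                   if "=" in part)
    if "KEYCLOAK_IDENTITY" not in cookies or "KEYCLOAK_STATE_CHECKER" not in cookies:
        return False
    fields = urllib.parse.parse_qs(req.data.decode("utf-8"))
    return fields.get("stateChecker", [None])[0] == cookies["KEYCLOAK_STATE_CHECKER"]


def send_password_change(req, timeout=10):
    """Send the request and return the HTTP status; 4xx/5xx responses are
    returned rather than raised so the caller can see the 500 the post mentions."""
    if not request_uses_cookie_auth_only(req):
        raise ValueError("refusing to send: request is not cookie-only")
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status
    except urllib.error.HTTPError as err:
        return err.code


if __name__ == "__main__":
    # Constructed sample values; a real run needs a live identity cookie.
    demo = build_password_change_request("https://sso.example.test", "demo",
                                         "eyJhbGciOi.sample.sig", "s7fQ2k",
                                         "old-secret", "new-secret")
    print(demo.full_url, request_uses_cookie_auth_only(demo))
```

The check enforces locally the relationship the post describes, the stateChecker hidden field carrying the same value as the KEYCLOAK_STATE_CHECKER cookie, and refuses to send if an Authorization header slipped in. The KEYCLOAK_IDENTITY value is a session credential; keep it out of logs and request traces.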