Re: [keycloak-user] Help problem with Bad request

Interesting issue. What is happening is, that state cookie with value "150/..." is set and then your application redirects to keycloak login screen. However it looks that "something" else set the new value of state cookie (in you case "151/..."), so after keycloak login is finished, adapter can see the value of cookie "151/...", but it still expects the old value "150/..." . I can see 2 possibilities how it can happen: 1) your application is opening more HTTP requests for secured URL at the same time. For example you have HTML publicly available, which opens some XHR requests (or images) under secured URL. When the securedPage1 ( image1 ) is open, it redirects to keycloak, however browser already also sent request to securedPage2 ( image2 ), which rewrite the cookie set by securedPage1. 2) The new cookie value is set after successful keycloak login and redirect to your application. I suspect it's likely case 1. You can confirm it by doing this: - Open secured URL - Be redirected to keycloak login screen - At this point, you will check if value of "state" parameter in the browser line is same as the value of "OAUTH_TOKEN_REQUEST_STATE" cookie in your application (you will need to check browser cookies). If it's different then the issue is case 1. If it's same than it's rather case 2. Marek On 28/06/16 10:39, Gyalai Milán wrote: