NOTE: This is a potential double posting since I posted on Feb 28th and thought this might
be lost since we’re in March now. Apologies in advance.
Hey all,
I ran into an issue.
Suppose I go to my keycloak instance with this url `auth/realms/myrealm/login-actions/reset-credentials?client_id=my_client_id`.
The reset email gets sent after entering my email. However, if I copy that link and open
it in a separate browser session it fails to maintain the client_id used in the
original request. Instead it switches to client_id = account.
I know why this happens. In LoginActionsService there is this:

    @Path(RESET_CREDENTIALS_PATH)
    @GET
    public Response resetCredentialsGET(@QueryParam("code") String code,
                                        @QueryParam("execution") String execution,
                                        @QueryParam("client_id") String clientId) {
        // looks up the auth session via the browser cookie; null in a fresh session
        AuthenticationSessionModel authSession =
                new AuthenticationSessionManager(session).getCurrentAuthenticationSession(realm);
        // we allow applications to link to reset credentials without going through OAuth or SAML handshakes
        if (authSession == null && code == null) {
            if (!realm.isResetPasswordAllowed()) {
                event.event(EventType.RESET_PASSWORD);
                event.error(Errors.NOT_ALLOWED);
                return ErrorPage.error(session, authSession, Messages.RESET_CREDENTIAL_NOT_ALLOWED);
            }
            // clientId is not passed in here, so the new session is bound to the account client
            authSession = createAuthenticationSessionForClient();
            return processResetCredentials(false, null, authSession, null);
        }
        event.event(EventType.RESET_PASSWORD);
        return resetCredentials(code, execution, clientId);
    }
The getCurrentAuthenticationSession method checks a cookie to get the session, which isn’t
present in a fresh browser session. Afterward, `createAuthenticationSessionForClient`
doesn’t use the clientId query parameter and defaults to the account client.
Is this a bug? A security issue?
I couldn’t find a bug for it in Jira. Should I create a bug and fix it? It’s not easy to
overwrite this but if you have any workarounds let me know. My current approach is going
to be to attempt to create a realm resource that exhibits the right behavior.
Jerry S
Jerry Saravia
Senior Software Engineer
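The following is an added sketch of what a client-aware variant of the handler above could look like; it is illustration only, not Keycloak's own code or a patch from the poster. It assumes the Keycloak server model API of that period (RealmModel.getClientByClientId, ClientModel.isEnabled and getBaseUrl, AuthenticationSessionManager.createAuthenticationSession(realm, browserCookie) returning a RootAuthenticationSessionModel, and RootAuthenticationSessionModel.createAuthenticationSession(client)); the fields realm, session and event are those of LoginActionsService, and resolveClientForReset is a hypothetical helper introduced here. The point it demonstrates is that threading client_id through is not enough on its own: an unknown or disabled client must fail closed and be recorded as an event, rather than being silently replaced by the account client.

```java
// Added illustration, not Keycloak's own code. Assumed APIs are named in the lead-in;
// resolveClientForReset and the ClientModel overload of createAuthenticationSessionForClient
// are hypothetical helpers introduced for this example.
@Path(RESET_CREDENTIALS_PATH)
@GET
public Response resetCredentialsGET(@QueryParam("code") String code,
                                    @QueryParam("execution") String execution,
                                    @QueryParam("client_id") String clientId) {
    AuthenticationSessionModel authSession =
            new AuthenticationSessionManager(session).getCurrentAuthenticationSession(realm);

    if (authSession == null && code == null) {
        if (!realm.isResetPasswordAllowed()) {
            event.event(EventType.RESET_PASSWORD);
            event.error(Errors.NOT_ALLOWED);
            return ErrorPage.error(session, authSession, Messages.RESET_CREDENTIAL_NOT_ALLOWED);
        }

        // Resolve the client from the query parameter instead of always using "account".
        ClientModel client = resolveClientForReset(clientId);
        if (client == null) {
            // Unknown or disabled client: fail closed and record it in the event log,
            // rather than falling back to a client the user never asked for.
            event.event(EventType.RESET_PASSWORD);
            event.error(Errors.CLIENT_NOT_FOUND);
            return ErrorPage.error(session, null, Messages.INVALID_REQUEST);
        }

        authSession = createAuthenticationSessionForClient(client);
        return processResetCredentials(false, null, authSession, null);
    }

    event.event(EventType.RESET_PASSWORD);
    return resetCredentials(code, execution, clientId);
}

// Hypothetical helper: returns the enabled client named by client_id, the account client
// when no client_id was given, or null when the name matches no enabled client in the realm.
private ClientModel resolveClientForReset(String clientId) {
    String effectiveId = (clientId == null || clientId.isEmpty())
            ? Constants.ACCOUNT_MANAGEMENT_CLIENT_ID
            : clientId;
    ClientModel client = realm.getClientByClientId(effectiveId);
    return (client != null && client.isEnabled()) ? client : null;
}

// Hypothetical overload: creates a fresh root authentication session (with browser cookie)
// bound to the given client, so the client survives into the e-mail link.
private AuthenticationSessionModel createAuthenticationSessionForClient(ClientModel client) {
    RootAuthenticationSessionModel rootSession =
            new AuthenticationSessionManager(session).createAuthenticationSession(realm, true);
    AuthenticationSessionModel authSession = rootSession.createAuthenticationSession(client);
    authSession.setAction(AuthenticationSessionModel.Action.AUTHENTICATE.name());
    authSession.setProtocol(OIDCLoginProtocol.LOGIN_PROTOCOL);
    // Assumption: the client's configured base URL is where the user lands after the reset.
    // If a redirect_uri parameter were ever accepted here, it would have to be checked
    // against the client's registered redirect URIs before being stored on the session.
    authSession.setRedirectUri(client.getBaseUrl());
    event.client(client);
    return authSession;
}
```

When wiring this into a realm resource or a patched LoginActionsService, the two things worth verifying are that a reset link minted for `client_id=my_client_id` still carries that client in a cookie-less browser, and that a request with an unregistered client_id produces an error page plus a RESET_PASSWORD event with error client_not_found rather than a session bound to the account client.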