8:14 p.m.
Hi All
Need help trying to allow the user to update their password. The use case
1) Login to admin
2) Select a user, goto credential and select Update Password as reset again
and sent email
3) User received email and click on the link (within the minute)
4) Keycloak complains with error We are sorry - an error occurred please
login again.
Setup
Keycloak 2.5.1 Final
Apache 2.4 - SSL enabled
Mod proxy ajp
OS ubuntu 14.04
Keycloak standalone.xml ajp config
<server name="default-server">
<ajp-listener name="mmemoeListener"
socket-binding="ajp"
redirect-socket="proxy-https" scheme="https" />
<http-listener name="default"
socket-binding="http"
redirect-socket="https"/>
<host name="default-host" alias="localhost">
<location name="/"
handler="welcome-content"/>
<filter-ref name="proxy-peer"/>
<filter-ref name="server-header"/>
<filter-ref name="x-powered-by-header"/>
</host>
</server>
<servlet-container name="default">
<jsp-config/>
<websockets/>
</servlet-container>
<handlers>
<file name="welcome-content"
path="${jboss.home.dir}/welcome-content"/>
</handlers>
<filters>
<filter name="proxy-peer"
class-name="io.undertow.server.handlers.ProxyPeerAddressHandler"
module="io.undertow.core" />
<response-header name="server-header"
header-name="Server"
header-value="WildFly/10"/>
<response-header name="x-powered-by-header"
header-name="X-Powered-By" header-value="Undertow/1"/>
</filters>
Apache 2 http conf
ProxyRequests Off ProxyPreserveHost On SSLProxyEngine On <Proxy *>
RequestHeader set X-Forwarded-Proto "https" Require all granted </Proxy>
#Keycloak requirements LogFormat "%h %{X-Forwarded-For}i %l %u %t \"%r\"
%>s %b \"%{Referer}i\" \"%{User-Agent}i\ " common ProxyPass /auth
ajp://localhost:8009/auth
Link received in the Update Your Account email
https://demo.mmemoe.com/auth/realms/mmemoeDemo/login-
actions/execute-actions?key=M5QehaYrsNyxEFC66hDSudzxWXoeim
IMH5Sp9Lvbqhs.5b219018-98ad-4f39-a021-bda421809bcc
Apache log
[11/Feb/2017:01:37:06 +0000] "GET
/auth/realms/mmemoeDemo/login-actions/execute-actions?key=M5QehaYrsNyxEFC66hDSudzxWXoeimIMH5Sp9Lvbqhs.5b219018-98ad-4f39-a021-bda421809bcc
HTTP/1.1" 500 2441
Keycloak log
01:37:06,091 WARN [org.keycloak.events] (default task-1)
type=EXECUTE_ACTIONS_ERROR, realmId=2e6cf05c-62bc-4b12-8db2-4a85053225f7,
clientId=null, userId=null, ipAddress=110.143.116.121, error=invalid_code
Thanks.
9:37 p.m.
New subject: Fwd: update password failed - invalid code
Hi All
Need help trying to allow the user to update their password. The use case
1) Login to admin
2) Select a user, goto credential and select Update Password as reset again
and sent email
3) User received email and click on the link (within the minute)
4) Keycloak complains with error We are sorry - an error occurred please
login again.
Setup
Keycloak 2.5.1 Final
Apache 2.4 - SSL enabled
Mod proxy ajp
OS ubuntu 14.04
Keycloak standalone.xml ajp config
<server name="default-server">
<ajp-listener name="mmemoeListener"
socket-binding="ajp"
redirect-socket="proxy-https" scheme="https" />
<http-listener name="default"
socket-binding="http"
redirect-socket="https"/>
<host name="default-host" alias="localhost">
<location name="/"
handler="welcome-content"/>
<filter-ref name="proxy-peer"/>
<filter-ref name="server-header"/>
<filter-ref name="x-powered-by-header"/>
</host>
</server>
<servlet-container name="default">
<jsp-config/>
<websockets/>
</servlet-container>
<handlers>
<file name="welcome-content" path="${jboss.home.dir}/
welcome-content"/>
</handlers>
<filters>
<filter name="proxy-peer"
class-name="io.undertow.server.handlers.ProxyPeerAddressHandler"
module="io.undertow.core" />
<response-header name="server-header"
header-name="Server"
header-value="WildFly/10"/>
<response-header name="x-powered-by-header"
header-name="X-Powered-By" header-value="Undertow/1"/>
</filters>
Apache 2 http conf
ProxyRequests Off ProxyPreserveHost On SSLProxyEngine On <Proxy *>
RequestHeader set X-Forwarded-Proto "https" Require all granted </Proxy>
#Keycloak requirements LogFormat "%h %{X-Forwarded-For}i %l %u %t \"%r\"
%>s %b \"%{Referer}i\" \"%{User-Agent}i\ " common ProxyPass /auth
ajp://localhost:8009/auth
Link received in the Update Your Account email
https://demo.mmemoe.com/auth/realms/mmemoeDemo/login-actions
/execute-actions?key=M5QehaYrsNyxEFC66hDSudzxWXoeimIMH5Sp9Lv
bqhs.5b219018-98ad-4f39-a021-bda421809bcc
Apache log
[11/Feb/2017:01:37:06 +0000] "GET /auth/realms/mmemoeDemo/login-
actions/execute-actions?key=M5QehaYrsNyxEFC66hDSudzxWXoeim
IMH5Sp9Lvbqhs.5b219018-98ad-4f39-a021-bda421809bcc HTTP/1.1" 500 2441
Keycloak log
01:37:06,091 WARN [org.keycloak.events] (default task-1)
type=EXECUTE_ACTIONS_ERROR, realmId=2e6cf05c-62bc-4b12-8db2-4a85053225f7,
clientId=null, userId=null, ipAddress=110.143.116.121, error=invalid_code
Thanks.
10:39 a.m.
Hi, i encountered the same problem and my analysis is that it *depends on the
mail client* you are using!!
Because, when you use for example *Outlook Webmail* it tries to render the
user action URL in the email and sends a request to open the URL. When this
happens the key is used and invalidated for further requests. As a
consequence, when the user clicks on the URL, the link is not valid and
cannot be used anymore.
This does not happen with the classic Outlook Desktop Application.
From my point of view, this makes this execute-action-email feature
unusable.
--
View this message in context:
http://keycloak-user.88327.x6.nabble.com/keycloak-user-update-password-fa...
Sent from the keycloak-user mailing list archive at Nabble.com.
12:20 p.m.
Hi,
Dnia piątek, 5 maja 2017 08:39:19 CEST rl.subscriber(a)gmail.com pisze:
Hi, i encountered the same problem and my analysis is that it
*depends on
the mail client* you are using!!
Because, when you use for example *Outlook Webmail* it tries to render the
user action URL in the email and sends a request to open the URL. When this
happens the key is used and invalidated for further requests. As a
consequence, when the user clicks on the URL, the link is not valid and
cannot be used anymore.
Oh wow. I was debugging this for a month -- a single user out of thousands
could not reset their password. Turns out they've been using Outlook Webmail.
This does not happen with the classic Outlook Desktop Application.
From my point of view, this makes this execute-action-email feature
unusable.
From my point of view this is a serious bug in Outlook Webmail. This
is a
completely unexpected behavior, and one Keycloak cannot do much about.
It's
also something Outlook Webmail developers can fix easily.
--
Pozdravi,
rashiq
1:26 a.m.
Well, I would not say that this is a bug in Outlook Webmail, there are other
applications having similar functionality.
--
View this message in context:
http://keycloak-user.88327.x6.nabble.com/keycloak-user-update-password-fa...
Sent from the keycloak-user mailing list archive at Nabble.com.
3:23 a.m.
Dnia niedziela, 7 maja 2017 23:26:39 CEST rl.subscriber(a)gmail.com pisze:
Well, I would not say that this is a bug in Outlook Webmail, there
are other
applications having similar functionality.
A list would be very helpful in debugging potential password reset issues in
the future.
--
Pozdravi,
rashiq
2808
days inactive
2894
days old
5 comments
3 participants
participants (3)
-
Michael Mok -
Rashiq -
rl.subscriber@gmail.com