[keycloak-dev] Re: Strange behaviour with invalid state param
Michael Gerber
gerbermichi at me.com
Fri Jan 9 09:14:41 EST 2015
Someone in our company bookmarked the login URL
https://localhost:9443/auth/realms/uka/protocol/openid-connect/login?client_id=uka-solutions&redirect_uri=https%3A%2F%2Flocalhost%3A9443%2Findex.html&state=1%2Ff761c116-eef1-4744-b40d-792cd14c1386&login=true
And he reported this behaviour.
I dont understand why the login is permitted with an invalid state. I know the login was successful but the application did not request this login (state is wrong), so it should not allow it.
@stian
this behaviour is easy reproducible.
Open the customer-portal example app in a browser, copy the login url.
Close the browser and open it again and use the old url. (or clear your cookies ;-)
Remove all parameters from the url after you received the bad request error and you should get in.
Am 09. Januar 2015 um 14:41 schrieb Bill Burke <bburke at redhat.com>:
What I think is happening is that you have an invalid state cookie (as
per the oauth spec), you reload the app URL again and authentication is
successful. While I don't know why you are getting "No state cookie"
the rest makes sense as you're just going through a successful login.
On 1/9/2015 7:45 AM, Michael Gerber wrote:
Hi,
I have a strange behaviour with an invalid state param.
The server writes the following log, which is correct:
WARN [org.keycloak.adapters.OAuthRequestAuthenticator] (default
task-17) No state cookie
After that I receive a 400 error in my browser with the following URL:
https://pcc811.hrms.ch:9443/index.html?code=Q-NK1wwTdqja5XU8lUkNkZnEy40ZdCx2FjC6qslukdc.9ef6b6f7-b888-4a59-b34c-7af6d490614b&state=dc-4d82-b0c9-d434b917dfce
I can load this URL again and than I am successfully logged in.
Is this the correct behaviour?
Best
Michael
_______________________________________________
keycloak-dev mailing list
keycloak-dev at lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-dev
--
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com
_______________________________________________
keycloak-dev mailing list
keycloak-dev at lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-dev
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.jboss.org/pipermail/keycloak-dev/attachments/20150109/321aa573/attachment.html
More information about the keycloak-dev
mailing list