[keycloak-dev] Rest password can cause cookie not found
Stian Thorgersen
stian at redhat.com
Mon Jan 26 08:45:17 EST 2015
----- Original Message -----
> From: "Bill Burke" <bburke at redhat.com>
> To: keycloak-dev at lists.jboss.org
> Sent: Monday, January 26, 2015 2:27:30 PM
> Subject: Re: [keycloak-dev] Rest password can cause cookie not found
>
> Wouldn't this work?
>
> 1) store "state" of state cookie in user session.
> 2) embed user session and state of state cookie in URL
>
> Of course this screws up your "shorter URL" crusade.
I'm not following - the problem isn't remembering the state variable in Keycloak, that's already sorted as we already store all the query params passed by the client in the client session (state, redirect_uri, etc). The problem is storing it on the adapter side.
>
> On 1/26/2015 8:07 AM, Stian Thorgersen wrote:
> > Someone reported https://issues.jboss.org/browse/KEYCLOAK-1014. In summary
> > if you click on reset password, close the browser, then click the link in
> > the email to recover password the state cookie won't be set.
> >
> > Some suggestions on how to solve this:
> >
> > * Store state variable in non-session cookie (with some sensible expiration
> > 24h?)
> > * Generate/verify state using HMAC on the server-side instead of using uuid
> > * Improve error message on client side if state is not correct, basically
> > asking user to re-login - can this be easily implemented in the app itself
> > with the adapter today?
> > _______________________________________________
> > keycloak-dev mailing list
> > keycloak-dev at lists.jboss.org
> > https://lists.jboss.org/mailman/listinfo/keycloak-dev
> >
>
> --
> Bill Burke
> JBoss, a division of Red Hat
> http://bill.burkecentral.com
> _______________________________________________
> keycloak-dev mailing list
> keycloak-dev at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-dev
>
More information about the keycloak-dev
mailing list