[keycloak-dev] POST to /realms/{realm}/account/password results in server 500

Bill Burke bburke at redhat.com
Wed Mar 4 11:59:38 EST 2015


The stateChecker exists to protect against CSRF browser attacks.  I 
think we can ignore this check if the request is bearer authenticated. 
Submit a JIRA please?

On 3/4/2015 11:47 AM, Daniel Baxter wrote:
> Hi,
>
> I am trying to implement a remote user password change  for the logged
> in user. This is a requirement for the protocol we are required to
> support which accepts xml formatted commands over a network port, one of
> which is a password change request. The user is logged in via a Direct
> Grant from the Remoting application and we have a full KeycloakPrincipal
> attached to each remote session. When I POST to the form at
> /realms/{realm}/account/password using a Bearer Auth the password does
> reset but I get a 500 status back from Keycloak. The issue is that it is
> trying to rebuild an html response from the ‘password.ftl’ template and
> it does not have a value for ‘stateChecker’.
>
> After reviewing the code on github I found that if you use Bearer Auth,
> AccountService.init() never initializes a value to stateChecker. So even
> though I passed one in as a cookie on the POST and inside the form
> itself it never gets read. The workaround is to use cookies only to
> handle the authentication mechanism; specifically KEYCLOAK_STATE_CHECKER
> and KEYCLOAK_IDENTITY and not include Bearer authentication at all. So
> there is a workaround and it requires the use of cookies only and not
> Bearer Auth. I know this is not really the intended use of the POST to
> this form (eg: using it like a REST endpoint), but if anyone else runs
> into this issue at least they can learn from what I found by searching
> the mailing list archives.
>
> So this leaves me with a couple of questions
>
> Why does using Bearer Auth not initialize some sort of value for
> stateChecker here (ie: Is this a bug)? When you use cookies it appears
> to even generate a value for stateChecker if none is found in the cookie.
>
> What is the purpose of embedding it as a hidden input on the password
> change form? It appears to never get read when the form is processed
> anyways.
>
> Thanks,
>
> Daniel
>
>
>
> _______________________________________________
> keycloak-dev mailing list
> keycloak-dev at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-dev
>

-- 
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com


More information about the keycloak-dev mailing list