[keycloak-dev] POST to /realms/{realm}/account/password results in server 500

Daniel Baxter daniel.baxter at cira.ca
Wed Mar 4 13:31:06 EST 2015


Thanks for the reply Bill. Raised as https://issues.jboss.org/browse/KEYCLOAK-1081 

-----Original Message-----
From: keycloak-dev-bounces at lists.jboss.org [mailto:keycloak-dev-bounces at lists.jboss.org] On Behalf Of Bill Burke
Sent: Wednesday, March 04, 2015 12:00 PM
To: keycloak-dev at lists.jboss.org
Subject: Re: [keycloak-dev] POST to /realms/{realm}/account/password results in server 500

The stateChecker exists to protect against CSRF browser attacks.  I think we can ignore this check if the request is bearer authenticated. 
Submit a JIRA please?

On 3/4/2015 11:47 AM, Daniel Baxter wrote:
> Hi,
>
> I am trying to implement a remote user password change for the logged 
> in user. This is a requirement for the protocol we are required to 
> support which accepts xml formatted commands over a network port, one 
> of which is a password change request. The user is logged in via a 
> Direct Grant from the Remoting application and we have a full 
> KeycloakPrincipal attached to each remote session. When I POST to the 
> form at /realms/{realm}/account/password using a Bearer Auth the 
> password does reset but I get a 500 status back from Keycloak. The 
> issue is that it is trying to rebuild an html response from the 
> 'password.ftl' template and it does not have a value for 'stateChecker'.
>
> After reviewing the code on github I found that if you use Bearer 
> Auth,
> AccountService.init() never initializes a value to stateChecker. So 
> even though I passed one in as a cookie on the POST and inside the 
> form itself it never gets read. The workaround is to use cookies only 
> to handle the authentication mechanism; specifically 
> KEYCLOAK_STATE_CHECKER and KEYCLOAK_IDENTITY and not include Bearer 
> authentication at all. So there is a workaround and it requires the 
> use of cookies only and not Bearer Auth. I know this is not really the 
> intended use of the POST to this form (eg: using it like a REST 
> endpoint), but if anyone else runs into this issue at least they can 
> learn from what I found by searching the mailing list archives.
>
> So this leaves me with a couple of questions:
>
> Why does using Bearer Auth not initialize some sort of value for 
> stateChecker here (ie: Is this a bug)? When you use cookies it appears 
> to even generate a value for stateChecker if none is found in the cookie.
>
> What is the purpose of embedding it as a hidden input on the password 
> change form? It appears to never get read when the form is processed 
> anyways.
>
> Thanks,
>
> Daniel
>
>
>
> _______________________________________________
> keycloak-dev mailing list
> keycloak-dev at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-dev
>

--
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com
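As an added example (not Keycloak's code, nor either poster's), a small Python model of the behaviour described in this thread and of the fix Bill proposes: bearer-authenticated POSTs skip the state-checker check and get a non-HTML reply, while cookie sessions must echo the KEYCLOAK_STATE_CHECKER cookie in the hidden stateChecker field. Only those two names come from the thread; Request, render_form, handle_original and handle_fixed are constructed here.

```python
# Added example, not Keycloak's code: it models the behaviour reported in
# this thread and the proposed fix. Only the cookie and form-field names
# (KEYCLOAK_STATE_CHECKER, stateChecker) come from the thread; the request
# model and handler names are constructed here.
import hmac
import secrets
from dataclasses import dataclass, field

STATE_COOKIE = "KEYCLOAK_STATE_CHECKER"
STATE_FIELD = "stateChecker"


@dataclass
class Request:  # minimal stand-in for an incoming HTTP request
    headers: dict = field(default_factory=dict)
    cookies: dict = field(default_factory=dict)
    form: dict = field(default_factory=dict)


def is_bearer(req):
    return req.headers.get("Authorization", "").startswith("Bearer ")


def render_form(state, error=None):
    """Stand-in for password.ftl, which needs a non-empty stateChecker."""
    if not state:
        raise ValueError("stateChecker is not set")  # the 500 in the thread
    msg = f"<p>{error}</p>" if error else ""
    return f'<input type="hidden" name="{STATE_FIELD}" value="{state}">{msg}'


def handle_original(req):
    """Reported behaviour: bearer auth never initialises stateChecker, but the
    handler still renders the HTML template afterwards, so rendering fails."""
    state = None
    if not is_bearer(req):  # cookie session: reuse the cookie or mint a value
        state = req.cookies.get(STATE_COOKIE) or secrets.token_urlsafe(32)
    try:
        return {"status": 200, "body": render_form(state)}
    except ValueError:
        return {"status": 500, "body": None}


def handle_fixed(req):
    """Bearer requests skip the CSRF check (the browser does not attach the token
    on its own, so a cross-site form post cannot carry it) and get a non-HTML
    reply. Cookie sessions must echo the cookie value in the hidden form field."""
    if is_bearer(req):
        return {"status": 204, "body": None}
    state = req.cookies.get(STATE_COOKIE) or secrets.token_urlsafe(32)
    submitted = req.form.get(STATE_FIELD, "")
    if not hmac.compare_digest(state.encode(), submitted.encode()):
        return {"status": 403, "body": render_form(state, "invalid state checker")}
    return {"status": 200, "body": render_form(state)}
```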