[keycloak-dev] Possible bug in Keycloak 3.4.3?
John D. Ament
john.d.ament at gmail.com
Thu Jan 18 10:30:27 EST 2018
Ping. Should I create a defect? I actually suspect it's related to a
comment I added to KEYCLOAK-6286, but not sure. For some reason, we're
resulting in a redirect URI that includes session_state but it shouldn't.
This results in duplicate session_state query params being added.
John
On Tue, Jan 16, 2018 at 3:51 PM John D. Ament <john.d.ament at gmail.com>
wrote:
> Hi,
>
> We're working on upgrading to Keycloak 3.4.3. We hit a weird issue where
> it looks like some backwards compatible code isn't working right in the
> client adapter. We found this block which seems suspect
>
>
> https://github.com/keycloak/keycloak/blob/3.4.3.Final/services/src/main/java/org/keycloak/protocol/oidc/endpoints/TokenEndpoint.java#L306-L314
>
> It looks like the values for redirectUri and redirectUriParam are actually
> backwards. We see the session_state query param in the value of
> redirectUri not redirectUriParam, and this causes the next check for the
> values being equal to fail.
>
> John
>