[keycloak-dev] Possible bug in Keycloak 3.4.3?

John D. Ament john.d.ament at gmail.com
Fri Jan 19 09:11:59 EST 2018

My coworker, who has a lot more context than I, ended up reporting it as a
defect - https://issues.jboss.org/browse/KEYCLOAK-6312


On Thu, Jan 18, 2018 at 10:30 AM John D. Ament <john.d.ament at gmail.com>

> Ping.  Should I create a defect?  I actually suspect it's related to a
> comment I added to KEYCLOAK-6286, but not sure.  For some reason, we're
> resulting in a redirect URI that includes session_state but it shouldn't.
> This results in duplicate session_state query params being added.
> John
> On Tue, Jan 16, 2018 at 3:51 PM John D. Ament <john.d.ament at gmail.com>
> wrote:
>> Hi,
>> We're working on upgrading to Keycloak 3.4.3.  We hit a weird issue where
>> it looks like some backwards compatible code isn't working right in the
>> client adapter.  We found this block which seems suspect
>> https://github.com/keycloak/keycloak/blob/3.4.3.Final/services/src/main/java/org/keycloak/protocol/oidc/endpoints/TokenEndpoint.java#L306-L314
>> It looks like the values for redirectUri and redirectUriParam are
>> actually backwards.  We see the session_state query param in the value of
>> redirectUri not redirectUriParam, and this causes the next check for the
>> values being equal to fail.
>> John

More information about the keycloak-dev mailing list