[keycloak-dev] html encoded url in form actions - bug or feature?

Felix Meißner felix.meissner at hanko.io
Mon Jul 23 06:32:10 EDT 2018


Thanks for pointing that out! I am trying to build a plugin that enables
out-of-band authentication with a FIDO UAF client on a mobile phone.
This video shows the behavior that we are trying to integrate into
keycloak: https://www.youtube.com/watch?v=aQFwvyDSOSM

I extend AbstractUsernameFormAuthenticator and make a blocking HTTP call
inside the action(AuthenticationFlowContext context) method.
On the UI side, I use JavaScript to call the action method automatically when
the page opens. I can't submit the whole page as I need to provide a
working cancel button. When the call finishes, I follow the redirect
manually in JavaScript.

This is all work in progress and still quite hacky; comments and help are
very welcome. We plan to publish the source code when we have finished our
prototype.

The escaped URLs are not an issue here; it's just something I came across and
wanted to share.

Greetings, Felix


2018-07-20 12:28 GMT+02:00 Stian Thorgersen <sthorger at redhat.com>:

> What are you actually trying to do? Are you scraping the url from the
> login form? That's not really something you should be doing.
>
> On Thu, 19 Jul 2018 at 10:46, Felix Meißner <felix.meissner at hanko.io>
> wrote:
>
>> I expected URLs to be URL encoded, not HTML encoded. Nonetheless, I cannot
>> find any facts on how URLs should be encoded inside HTML, so maybe I am
>> wrong.
>> The problem occurred when I used an HTML-encoded URL inside JavaScript.
>> There, the URL will not be decoded before it's sent to the server. When
>> used in a form however, the browser will decode the URL before sending it.
>>
>> 2018-07-19 1:38 GMT+02:00 Stan Silvert <ssilvert at redhat.com>:
>>
>> > On 7/18/2018 2:37 AM, Felix Meißner wrote:
>> > > Hi all,
>> > >
>> > > I just discovered that the action URL of the login form seems to get
>> > > HTML encoded and I wondered if that's a bug or a feature.
>> > It's a security feature.  We take advantage of FreeMarker's "escape by
>> > default" feature.  As you discovered, you can use ?no_esc to turn this off.
>> >
>> > I'm kind of interested in why fetch() didn't work.  The escaped version
>> > should be valid as a URL.
>> >
>> > >
>> > > In
>> > > https://github.com/keycloak/keycloak/blob/4.1.0.Final/themes/src/main/resources/theme/base/login/login.ftl
>> > > you can see the following line:
>> > >
>> > > <form id="kc-form-login" onsubmit="login.disabled = true; return true;"
>> > > action="${url.loginAction}" method="post">
>> > >
>> > > On my instance, this resolves to something similar to this:
>> > >
>> > > <form id="kc-form-login" onsubmit="login.disabled = true; return true;"
>> > > action="https://xx.xx.xx.xx:8443/auth/realms/master/login-actions/authenticate?session_code=tyvLn2J3QkM4YJhPzjYKnNLSG4ej89Xabvspm7nmubc&amp;execution=5c933fb0-b637-4462-a603-bf9ffb601220&amp;client_id=security-admin-console&amp;tab_id=2tJInt2M5NE"
>> > > method="post">
>> > >
>> > > All "&" are encoded as &amp;. This became an issue for me when I tried
>> > > to call the URL via JavaScript's fetch method. With the same URL, I got a
>> > > server error. When changing the URL to:
>> > >
>> > > fetch("${url.loginAction?no_esc}", ...)
>> > >
>> > > it finally worked.
>> > >
>> > > Shouldn't all form URLs and href URLs be left unescaped? What makes me
>> > > wonder is that the same URL just works for regular POST requests! For
>> > > documentation on escaping you can find more information here:
>> > > https://freemarker.apache.org/docs/dgui_quickstart_template.html#dgui_quickstart_template_autoescaping
>> > >
>> > > Greetings,
>> > > Felix
>> > >
>> >
>> > _______________________________________________
>> > keycloak-dev mailing list
>> > keycloak-dev at lists.jboss.org
>> > https://lists.jboss.org/mailman/listinfo/keycloak-dev
>>
>> --
>> A product of Cap3 GmbH, Ringstr. 19, 24114 Kiel, Germany
>>
>> Register court: Amtsgericht Kiel, HRB 13257
>> Management: Felix Magedanz, Nicolas Günther, Bettual Richter, Sören Fenner
>
>



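The behaviour discussed in the thread, reproduced as an added Node.js example (this is editor-supplied illustration, not code from the thread or from Keycloak): a URL that an "escape by default" template engine has HTML-escaped for an attribute is decoded again by the browser's HTML parser when it sits in a form action, but the same text pasted into a string literal inside a script is sent verbatim, so the server receives parameters named "amp;execution" and so on. The URL, host and parameter values below are constructed placeholders shaped like the login-action URL quoted above; the five-entity escaper and decoder stand in for FreeMarker's autoescaping and the browser's attribute parsing. The third case shows the context-appropriate fix a reviewer would ask for instead of ?no_esc: escape for the JavaScript string context (FreeMarker's ?js_string built-in does this; JSON.stringify stands in for it here).

```javascript
// Added example, not from the thread or from Keycloak: why an HTML-escaped URL
// works as a <form action> but breaks inside a <script> string literal.
// Constructed sample URL; parameter names mirror the thread, values are placeholders.
const RAW_URL =
  'https://idp.example:8443/auth/realms/master/login-actions/authenticate' +
  '?session_code=CONSTRUCTED_SESSION_CODE' +
  '&execution=00000000-0000-4000-8000-000000000000' +
  '&client_id=security-admin-console&tab_id=CONSTRUCTED_TAB';

const ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
const UNESCAPES = { amp: '&', lt: '<', gt: '>', quot: '"', '#39': "'" };

// Stand-in for an "escape by default" template engine writing an attribute value.
function htmlEscape(text) {
  return text.replace(/[&<>"']/g, (c) => ESCAPES[c]);
}

// Stand-in for the browser's HTML parser decoding entities inside an attribute.
function htmlUnescape(text) {
  return text.replace(/&(amp|lt|gt|quot|#39);/g, (_, name) => UNESCAPES[name]);
}

// Query parameter names as the server would parse them from the request URL.
function paramNames(urlString) {
  return Array.from(new URL(urlString).searchParams.keys());
}

// Case 1: escaped value in <form action="...">. The HTML parser decodes the
// entities, so the browser submits the original URL.
function namesViaFormAction(rawUrl) {
  const attributeValue = htmlEscape(rawUrl);
  return paramNames(htmlUnescape(attributeValue));
}

// Case 2: the same escaped text pasted into a JS string literal inside
// <script>. Script content is not entity-decoded, so "&amp;" is sent literally
// and the server sees parameters named "amp;execution" etc.
function namesViaScriptLiteral(rawUrl) {
  const literal = htmlEscape(rawUrl);
  return paramNames(literal);
}

// Case 3: the right escaping for a script context is JavaScript string
// escaping (what FreeMarker's ?js_string does), not HTML escaping and not
// disabling escaping. JSON.stringify yields a valid JS string literal; the
// extra "<" escape keeps a value from ever closing the <script> element.
function jsStringLiteral(rawUrl) {
  return JSON.stringify(rawUrl).replace(/</g, '\\u003c');
}

function namesViaJsEscaped(rawUrl) {
  // JSON.parse stands in for the JS engine evaluating the literal.
  return paramNames(JSON.parse(jsStringLiteral(rawUrl)));
}

// Round trip showing the escaper and decoder are inverses of each other.
function roundTrip(text) {
  return htmlUnescape(htmlEscape(text));
}

console.log('form action   :', namesViaFormAction(RAW_URL));
console.log('script literal:', namesViaScriptLiteral(RAW_URL));
console.log('js escaped    :', namesViaJsEscaped(RAW_URL));
```

Run it with node; the first and third cases list the four original parameter names, while the second lists "amp;execution", "amp;client_id" and "amp;tab_id", which is the server-side error Felix hit. The design point for a template author is that escaping must match the output context: attribute values get HTML escaping, script string literals get JavaScript string escaping, and switching escaping off is only acceptable where the value cannot be influenced by a client.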