[keycloak-user] Help problem with Bad request

Marek Posolda mposolda at redhat.com
Wed Jun 29 03:32:56 EDT 2016


Interesting issue.

What is happening is that the state cookie with value "150/..." is set and 
then your application redirects to the keycloak login screen. However, it 
looks like "something" else set a new value of the state cookie (in your 
case "151/..."), so after the keycloak login is finished, the adapter can see 
the cookie value "151/...", but it still expects the old value 
"150/...".

I can see 2 possibilities for how it can happen:
1) Your application is opening more than one HTTP request for secured URLs at the 
same time. For example, you have publicly available HTML which opens 
some XHR requests (or images) under a secured URL. When securedPage1 
(image1) is opened, it redirects to keycloak, however the browser has also already 
sent a request to securedPage2 (image2), which rewrites the cookie set by 
securedPage1.
2) The new cookie value is set after successful keycloak login and 
redirect to your application.

I suspect it's likely case 1. You can confirm it by doing this:
- Open the secured URL
- Be redirected to the keycloak login screen
- At this point, check if the value of the "state" parameter in the 
browser address line is the same as the value of the "OAUTH_TOKEN_REQUEST_STATE" cookie 
in your application (you will need to check the browser cookies). If it's 
different, then the issue is case 1. If it's the same, then it's rather case 2.

Marek

On 28/06/16 10:39, Gyalai Milán wrote:
> Hello,
>
> I have a problem with the Bad request when the user logs in.
>
> I have a simple War with JSP-s. With the following keycloak.json
>
> {
>     "realm": "test",
>     "realm-public-key": "...",
>     "auth-server-url": "keycloak-url",
>     "ssl-required": "none",
>     "resource": "dashboard-app",
>     "public-client": true,
>     "use-resource-role-mappings": false,
>     "principal-attribute": "preferred_username"
> }
>
> The wildfly redirects to the keycloak perfectly and adds a status 
> parameter to the URL. After the login we get a 400 Bad request error. 
> In the wildfly log I found these lines.
>
> WARN  [org.keycloak.adapters.OAuthRequestAuthenticator] (default task-111) state parameter invalid
> WARN  [org.keycloak.adapters.OAuthRequestAuthenticator] (default task-111) cookie: 151/af93b54d-6b04-4d82-9a8b-1fe7203b279e
> WARN  [org.keycloak.adapters.OAuthRequestAuthenticator] (default task-111) queryParam: 150/e946fb78-9902-4449-8c33-687fcaf98d3d
>
> What did I configure wrong?
>
> The Keycloak version is 1.9.8.Final .
>
> Any ideas ?
>
> Regards

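Added example, not part of the original message and not Keycloak's own code: a simplified Python model of the state-cookie check discussed in the reply, showing how a second parallel request to a secured URL overwrites the cookie (case 1) and how comparing the login URL's "state" with the cookie reveals it. The `ToyAdapter` class, the `keycloak.example` / `app.example` hosts and the counter start are assumptions made for illustration.

```python
import itertools
import uuid
from urllib.parse import urlencode, urlparse, parse_qs

COOKIE = "OAUTH_TOKEN_REQUEST_STATE"  # cookie name given in the thread


def state_of(url):
    """Extract the 'state' query parameter from a URL (None if absent)."""
    return parse_qs(urlparse(url).query).get("state", [None])[0]


class ToyAdapter:
    """Hypothetical, simplified model of an adapter's state handling."""

    def __init__(self, start=150):
        self._counter = itertools.count(start)

    def challenge(self, jar):
        # Unauthenticated hit on a secured URL: fresh state, cookie overwritten.
        state = f"{next(self._counter)}/{uuid.uuid4()}"
        jar[COOKIE] = state
        query = urlencode({"client_id": "dashboard-app", "state": state})
        return f"https://keycloak.example/auth?{query}"  # constructed URL

    def callback(self, jar, url):
        # After login: the returned state must equal the cookie, else 400.
        returned = state_of(url)
        return 200 if returned and returned == jar.get(COOKIE) else 400


def state_matches_cookie(login_url, jar):
    """The check from the reply, done while the login screen is shown."""
    return state_of(login_url) == jar.get(COOKIE)


def simulate(parallel_secured_requests):
    adapter, jar = ToyAdapter(), {}
    # Every secured request gets its own challenge and Set-Cookie; the page
    # the user sees follows the first redirect, the cookie keeps the last value.
    redirects = [adapter.challenge(jar) for _ in range(parallel_secured_requests)]
    login_url = redirects[0]
    matches = state_matches_cookie(login_url, jar)
    back = "https://app.example/secured?" + urlencode(
        {"code": "constructed", "state": state_of(login_url)})
    return matches, adapter.callback(jar, back)


if __name__ == "__main__":
    print(simulate(1))  # single secured request
    print(simulate(2))  # two secured requests in flight (case 1)
```
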