[keycloak-user] State mismatch on oidc-client login

Georgi Matev georgi.matev at dominodatalab.com
Wed Apr 10 09:02:25 EDT 2019


Using 4.8.3.Final. The warning you describe is what we ideally want.

Based on what I can see (this reference for example
https://issues.jboss.org/browse/KEYCLOAK-3374), this should not be unique
to 5.0.0.

I was able to get the behavior to trigger if I use something pretty short
for "Login timeout" and "Login action timeout". This is progress!

That said, even if these login timeout periods are long, I would still
get "State parameter is different from the one sent in authentication request.
Session expired or possible threat of cross-site request forgery" after a
shorter period. It does seem it could be related to the version of pac4j we
are using on the application side. If this ends up being a pac4j quirk, is
there a way for us to force Keycloak to think it is in "Login timeout"
state when redirected to the login when the above occurs?

On Wed, Apr 10, 2019 at 2:33 AM Sebastien Blanc <sblanc at redhat.com> wrote:

> Which version of Keycloak are you using ?
>
> When I wait too long on kc 5.0.0, it brings me back to the login page with
> the warning "You took too long to login. Login process starting from
> beginning." Isn't that what you want ?
>
> On Wed, Apr 10, 2019 at 10:40 AM Georgi Matev <
> georgi.matev at dominodatalab.com> wrote:
>
>> We have a realm with an openid-connect client configured to provide
>> authentication for an application using Keycloak. The application is using
>> the Keycloak hosted login page to handle auth redirects. We have this
>> working well except that when one stays on the login page a little longer,
>> the authentication attempt fails with a state mismatch error.
>>
>> We understand the protection this provides. To handle it gracefully, we
>> redirect the user back to login when the mismatch is detected. This creates
>> a weird user experience, where the user just entered their credentials and
>> seemingly nothing happened the first time but succeeds the second time.
>>
>> Have not been able to figure out how to do the following
>>
>> (1) Pass some parameter indicating that the mismatched state happened so
>> that when we get back to the login redirect the second time, we can use the
>> parameter to trigger an appropriate message on the login page (through
>> customizing the theme) to indicate that the user took too long to login. We
>> have tried adding URL parameters when redirecting back to login but this
>> has not worked since these get stripped.
>>
>> (2) What setting in Keycloak determines how long the state parameter from
>> the login redirect is valid. Played with long values for "Client login
>> timeout", "Login timeout", "Login action timeout" under Tokens in the Realm
>> but none of these seems to help.
>>
>> Any advice would be much appreciated.
>>
>> Thanks,
>> -Georgi
>> _______________________________________________
>> keycloak-user mailing list
>> keycloak-user at lists.jboss.org
>> https://lists.jboss.org/mailman/listinfo/keycloak-user
>>
>
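As an added illustration of the distinction this thread circles around (a login state that has simply aged out of the application's session versus a state that genuinely does not match), here is a relying-party-side sketch in Python. It is not code from the original post, from pac4j or from Keycloak; the in-memory session dict, the 300-second TTL and the `login_notice` key are assumptions, and the restart hint is kept in the application's own session because, as the post notes, extra URL parameters on the Keycloak login redirect get stripped.

```python
import hmac
import os
import time
from typing import Optional

# Assumed relying-party-side lifetime for a pending login; tune it to the
# realm's "Login timeout" so the two sides expire at roughly the same moment.
STATE_TTL_SECONDS = 300


def new_login_state(session: dict, now: Optional[float] = None) -> str:
    """Mint a fresh, unguessable state and bind it to the user's session with a timestamp."""
    now = time.time() if now is None else now
    state = os.urandom(16).hex()
    session["oidc_state"] = state
    session["oidc_state_issued_at"] = now
    return state


def check_callback_state(session: dict, returned_state: Optional[str],
                         now: Optional[float] = None) -> str:
    """Classify the state echoed back on the callback.

    "ok"       - matches and is still fresh; safe to exchange the code
    "missing"  - no login pending in this session (it may have expired while
                 the user sat on the hosted login page)
    "expired"  - matches but is older than STATE_TTL_SECONDS
    "mismatch" - a login is pending but the value differs: treat as CSRF
    The pending state is consumed either way, so it can only be used once.
    """
    now = time.time() if now is None else now
    expected = session.pop("oidc_state", None)
    issued_at = session.pop("oidc_state_issued_at", None)
    if expected is None or returned_state is None:
        return "missing"
    if not hmac.compare_digest(expected, returned_state):  # constant-time compare
        return "mismatch"
    if now - issued_at > STATE_TTL_SECONDS:
        return "expired"
    return "ok"


def handle_callback(session: dict, returned_state: Optional[str],
                    now: Optional[float] = None) -> str:
    """Decide what the application should do next and remember why a restart happened."""
    outcome = check_callback_state(session, returned_state, now)
    if outcome == "ok":
        return "exchange_code"
    # Only a genuine mismatch is treated as a possible forgery; an aged-out or
    # absent state just means the user took too long and login restarts.
    session["login_notice"] = "csrf_suspected" if outcome == "mismatch" else "took_too_long"
    return "restart_login"
```

The notice stored on the session can be rendered by the application on its own restart page or logged as a security event, instead of being carried on the Keycloak URL.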