[keycloak-user] Remove session code from URL to prevent security vulnerability

Eranga Samararathna erangac at gmail.com
Wed May 22 07:48:39 EDT 2019

Previous message: [keycloak-user] keycloak quick start example Uma Photoz: authorization request to resource owner not working
Next message: [keycloak-user] users created through rest api not enabled
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

When authenticating from KeyCloak login page it pass session code as a
query param. Are there a way to avoid this and pass session code in
different manner (ex: as a header param)

POST
https://xxx/auth/realms/xxx/login-actions/authenticate?session_code=xxxxxxxxx&execution=xxxxxx&client_id=xxx&tab_id=xxxx
HTTP/1.1

Previous message: [keycloak-user] keycloak quick start example Uma Photoz: authorization request to resource owner not working
Next message: [keycloak-user] users created through rest api not enabled
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

More information about the keycloak-user mailing list