KEYCLOAK-227

Always redirected to login form when trying to manage account and "Require SSL" is enabled


Details

    • Type: Bug
    • Status: Closed
    • Priority: Major
    • Resolution: Done
    • Fix Version/s: 1.0-alpha-1

    Description

      Strange behaviour for Account management when "Require SSL" is enabled, but I am using just plain "http".

      Issue: I enabled "Require SSL" for the "demo" realm. Now when I log in to customer-portal and then click the "Manage accounts" page, I am redirected back to the login form instead of the Account page. This seems to be OK; SSO doesn't work as the cookie KEYCLOAK_IDENTITY is secured. But now when I log in again as bburke@redhat.com, I am redirected back to the login form. I can log in again and again, but I am always redirected back to the login form.
      Reason: The cookie KEYCLOAK_ACCOUNT_IDENTITY is secured as well! This means that the method AccountService.loginRedirect will successfully establish a secured KEYCLOAK_ACCOUNT_IDENTITY, but when I am redirected back to http://localhost:8080/auth-server/rest/realms/demo/account/ the method AccountService.accountPage() is not able to read this cookie, as it is sent for secured requests only. So it redirects me back to the login form.
      Expected behaviour: The "Require SSL" option should affect just the KEYCLOAK_IDENTITY cookie, so that SSO re-authentication through the cookie won't work, BUT it shouldn't affect the KEYCLOAK_ACCOUNT_IDENTITY cookie IMO.
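The redirect loop described in the report, as an added example that is not part of the original issue or of Keycloak's code: a small Python model of the browser's Secure-cookie rule (a cookie set with the Secure attribute is attached only to https requests) and of the two handlers the report names. The class and method names, the login-form path, the cookie value and the user name are assumptions made for illustration; the only real behaviour modelled is the browser rule and the "cookie present, else redirect to login" check.

```python
from dataclasses import dataclass
from urllib.parse import urlsplit

ACCOUNT_COOKIE = "KEYCLOAK_ACCOUNT_IDENTITY"
LOGIN_FORM = "/auth-server/rest/realms/demo/login"  # assumed path of the login form


@dataclass
class Cookie:
    name: str
    value: str
    secure: bool  # whether Set-Cookie carried the Secure attribute


class BrowserCookieJar:
    """Minimal model of the browser rule (RFC 6265, section 5.4): a cookie
    carrying the Secure attribute is attached only to requests sent over https."""

    def __init__(self):
        self._cookies = {}

    def store(self, cookie):
        self._cookies[cookie.name] = cookie

    def cookies_for(self, url):
        over_tls = urlsplit(url).scheme == "https"
        return {c.name: c.value
                for c in self._cookies.values()
                if over_tls or not c.secure}


class ToyAccountService:
    """Stand-in for the two handlers named in the report; not Keycloak's code."""

    def __init__(self, require_ssl):
        # Models the realm's "Require SSL" setting being applied to the account cookie.
        self.require_ssl = require_ssl

    def login_redirect(self, jar, user, account_url):
        # Login succeeded: set the account identity cookie, then 302 to the account page.
        jar.store(Cookie(ACCOUNT_COOKIE, user, secure=self.require_ssl))
        return account_url

    def account_page(self, jar, url):
        # Only the cookies the browser actually attached to this request are visible here.
        sent = jar.cookies_for(url)
        if ACCOUNT_COOKIE not in sent:
            return ("redirect", LOGIN_FORM)
        return ("page", sent[ACCOUNT_COOKIE])


def walk_flow(require_ssl, account_url, user="bburke@redhat.com", attempts=3):
    """Repeat login -> redirect -> account page up to `attempts` times and
    return what each account-page request produced ("page" or "redirect")."""
    svc = ToyAccountService(require_ssl)
    jar = BrowserCookieJar()
    outcomes = []
    for _ in range(attempts):
        target = svc.login_redirect(jar, user, account_url)
        kind, _ = svc.account_page(jar, target)
        outcomes.append(kind)
        if kind == "page":
            break
    return outcomes


if __name__ == "__main__":
    http_url = "http://localhost:8080/auth-server/rest/realms/demo/account/"
    https_url = http_url.replace("http://", "https://", 1)
    print("Require SSL, plain http :", walk_flow(True, http_url))
    print("Require SSL, https      :", walk_flow(True, https_url))
    print("No Require SSL, http    :", walk_flow(False, http_url))
```

Running it shows the three cases: with "Require SSL" on and a plain-http account URL every login attempt ends in a redirect to the login form, while over https, or with the account cookie left non-Secure as the report proposes, the account page is reached on the first attempt. The model also makes the trade-off of the proposed behaviour visible: a non-Secure KEYCLOAK_ACCOUNT_IDENTITY is attached to plain-http requests and therefore travels in clear text.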


            People

              sthorger@redhat.com Stian Thorgersen
              mposolda@redhat.com Marek Posolda
              Votes: 0
              Watchers: 1
