Details
-
Type:
Bug
-
Status: Closed (View Workflow)
-
Priority:
Major
-
Resolution: Done
-
Affects Version/s: 2.5.0.Final
-
Fix Version/s: 4.6.0.Final
-
Component/s: Adapter - Spring
-
Labels:
-
Git Pull Request:
-
Docs QE Status:NEW
-
QE Status:NEW
Description
Hello,
I'm working on a web application on which I have the security following security constraints constraints :
/ --> public /authent --> private /userInfo --> private
I use the Spring Keycloak adapter configured like that:
keycloak.securityConstraints[0].securityCollections[1].name = Client stuff keycloak.securityConstraints[0].securityCollections[1].authRoles[0] = client keycloak.securityConstraints[0].securityCollections[1].patterns[0] = /authent keycloak.securityConstraints[0].securityCollections[0].name = Client stuff keycloak.securityConstraints[0].securityCollections[0].authRoles[0] = client keycloak.securityConstraints[0].securityCollections[0].patterns[0] = /userInfo keycloak.token-store=cookie
The /authent is used to get redirected to the Keykloak server when needed and, when the authentication process is successful, it sets a KEYCLOAK_ADAPTER_STATE cookie with the access token, the id token and the refresh token concatenated, but it defines it only for /authent, so when the browser hits the /userInfo endpoint, it is done without the KEYCLOAK_ADAPTER_STATE cookie and it gets another HTTP 302, which is not fine because it implies another authentication process.
This behavior seems to be not consistent with the session token store because the JSESSIONID cookie is defined for the root path even when it is hit from /authent which avoids unnecessary authentication processes.
