Keycloak issue KEYCLOAK-7458

Client Id is not being used from URL when Reset Password link is used in different browser session


Details

    • Type: Bug
    • Status: Closed
    • Priority: Major
    • Resolution: Duplicate Issue
    • Affects Version/s: 3.4.3.Final
    • Fix Version/s: 4.4.0.Final
    • Component/s: Core
    • Labels: None

    Steps to Reproduce:

      1. Go to the application
      2. Keycloak will redirect to the Login Screen (client_id will be that of the application)
      3. Click Forgot Password
      4. Enter email address and submit
      5. Go to the email client and copy the link
      6. Open up an incognito window and paste the link
      7. Notice that the new address (after the redirect) has an updated client_id of account

    Description

      When performing the password reset flow through the email token, everything works fine if the same browser session is used to request the email and to reset the password.

      What happens if a new browser session is used (e.g. incognito) is that Keycloak does not respect the client_id that is on the link attached to the email.

      Email Link:

      Request URL: https://<server_url>/auth/realms/platform/login-actions/action-token?key=<key>&execution=c35814b7-32a5-495f-a63d-94b9b2dedd88&client_id=spa-elrc-integrated&tab_id=6zEa88_LKE8
      

      Server Response:

      HTTP/1.1 302 Found
      Date: Tue, 29 May 2018 14:09:53 GMT
      Content-Length: 0
      Connection: keep-alive
      Cache-Control: no-store, must-revalidate, max-age=0
      Set-Cookie: AUTH_SESSION_ID=47cbaf38-0c0c-4d58-b0a0-7404be838bfc.2e5025f42bfc; Version=1; Path=/auth/realms/platform; Secure; HttpOnly
      Location: https://access-stage.edlogics.com/auth/realms/platform/login-actions/required-action?execution=UPDATE_PASSWORD&client_id=account&tab_id=pOvSKlcHlHw
      

      Notice that Keycloak is changing the client_id from spa-elrc-integrated (request) to account (response).
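The check below is added here as an example; it is not code from this issue or from Keycloak itself. It automates the comparison the report makes by hand: take the client_id and tab_id from the e-mail link, take them again from the Location header of the 302, and report whether they survived the redirect. The sample link and response are constructed from the values quoted above, with the report's `<server_url>` placeholder and the real hostname in the Location header both replaced by the placeholder host sso.example.invalid; parse_raw_response, check_client_id and probe_live are hypothetical helper names chosen for this example. probe_live runs the same check against a live server and is not needed for the offline sample.

```python
"""Regression check for the behaviour described in the report: does the
action-token redirect keep the client_id and tab_id from the e-mail link?

Added example; not code from the issue or from Keycloak. The helper names
and the sso.example.invalid host are assumptions made for illustration.
"""
from urllib.parse import urlsplit, parse_qs
import urllib.error
import urllib.request

# Constructed from the values quoted in the report. The report shows a
# <server_url> placeholder on the request and the deployment's real host in
# the Location header; both are replaced here by sso.example.invalid.
EMAIL_LINK = (
    "https://sso.example.invalid/auth/realms/platform/login-actions/action-token"
    "?key=<key>&execution=c35814b7-32a5-495f-a63d-94b9b2dedd88"
    "&client_id=spa-elrc-integrated&tab_id=6zEa88_LKE8"
)

# Constructed from the server response quoted in the report (status line and
# headers only; the body was empty).
RAW_RESPONSE = """\
HTTP/1.1 302 Found
Date: Tue, 29 May 2018 14:09:53 GMT
Content-Length: 0
Connection: keep-alive
Cache-Control: no-store, must-revalidate, max-age=0
Set-Cookie: AUTH_SESSION_ID=47cbaf38-0c0c-4d58-b0a0-7404be838bfc.2e5025f42bfc; Version=1; Path=/auth/realms/platform; Secure; HttpOnly
Location: https://sso.example.invalid/auth/realms/platform/login-actions/required-action?execution=UPDATE_PASSWORD&client_id=account&tab_id=pOvSKlcHlHw
"""

REDIRECT_CODES = (301, 302, 303, 307, 308)


def query_params(url: str) -> dict:
    """Return the URL's query parameters as a flat dict (first value wins)."""
    return {k: v[0] for k, v in parse_qs(urlsplit(url).query).items()}


def parse_raw_response(raw: str) -> tuple:
    """Parse an HTTP status line plus headers (no body) into (status, headers).

    Header names are lower-cased; repeated headers (e.g. several Set-Cookie
    lines) are joined with a newline so nothing is silently dropped.
    """
    lines = raw.strip().splitlines()
    status = int(lines[0].split()[1])
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        name = name.strip().lower()
        headers[name] = (headers[name] + "\n" + value.strip()) if name in headers else value.strip()
    return status, headers


def check_client_id(request_url: str, status: int, headers: dict) -> dict:
    """Compare client_id/tab_id of the e-mail link with the redirect target.

    'preserved' is True only when the link carried a client_id and the
    Location header carries the same one. 'new_auth_session' flags that the
    server issued a fresh AUTH_SESSION_ID cookie, as it did in the report.
    """
    sent = query_params(request_url)
    location = headers.get("location", "")
    got = query_params(location) if status in REDIRECT_CODES else {}
    sent_client = sent.get("client_id")
    return {
        "status": status,
        "sent_client_id": sent_client,
        "redirect_client_id": got.get("client_id"),
        "preserved": sent_client is not None and sent_client == got.get("client_id"),
        "tab_id_preserved": sent.get("tab_id") is not None and sent.get("tab_id") == got.get("tab_id"),
        "new_auth_session": "auth_session_id=" in headers.get("set-cookie", "").lower(),
    }


def probe_live(action_token_url: str) -> dict:
    """Open the link like a fresh browser (no cookies, no redirect following)
    and check the first response. Needs network access, and the request may
    consume the one-time action token, so use a freshly issued link."""

    class NoRedirect(urllib.request.HTTPRedirectHandler):
        def redirect_request(self, *args, **kwargs):
            return None  # make urllib hand the 302 back instead of following it

    opener = urllib.request.build_opener(NoRedirect)
    try:
        resp = opener.open(action_token_url)
    except urllib.error.HTTPError as err:  # 3xx arrives here with NoRedirect
        resp = err
    headers = {k.lower(): v for k, v in resp.headers.items()}
    return check_client_id(action_token_url, resp.code, headers)


if __name__ == "__main__":
    status, headers = parse_raw_response(RAW_RESPONSE)
    print(check_client_id(EMAIL_LINK, status, headers))
```

Run against the sample, the check reports preserved=False with sent_client_id spa-elrc-integrated and redirect_client_id account, and new_auth_session=True because the 302 sets a fresh AUTH_SESSION_ID cookie, which is what a browser with no existing Keycloak session would receive. A server that keeps the client from the link would produce preserved=True, which is the assertion to keep in a regression suite once the duplicate issue this one points to is resolved.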

      People

        Assignee: Unassigned
        Reporter: Christopher Savory (csavory, Inactive)
        Votes: 0
        Watchers: 8