Keycloak: KEYCLOAK-8786

client_id lost during e-mail verification when changing browser

    Details

    • Type: Bug
    • Status: Closed
    • Priority: Major
    • Resolution: Duplicate Issue
    • Affects Version/s: 3.4.3.Final
    • Fix Version/s: 4.4.0.Final
    • Component/s: None
    • Labels:
    • Release Notes Text: this is a duplicate of KEYCLOAK-7970 / KEYCLOAK-7222
    • Docs QE Status: NEW
    • QE Status: NEW

      Description

      (tested on RH-SSO 7.2.4)

      The following steps reproduce the bug:

      1. Register a user with a client DIFFERENT from account, for example on a URL like this:

      https://my-domain.example.com/auth/realms/my-realm/login-actions/registration?client_id=my-client&tab_id=6BRYR6O7fBM

      Notice that the URL contains client_id=my-client.

      After registration, a verification link is sent to the registered e-mail. The link is as follows:

      https://my-domain.example.com/auth/realms/my-realm/login-actions/action-token?key=[...]&client_id=my-client&tab_id=5aBvcqHSwXM

      Notice that client_id is preserved.

      Now, if the user uses the same browser and opens that link, everything is fine.

      If the user changes browser, for example because he went on a bus, uses his phone for email checking, his email client prefers another browser, etc., he is presented with another page, on which he has to click Proceed. The link behind that is:

      https://my-domain.example.com/auth/realms/my-realm/login-actions/action-token?key=[...]&client_id=account&tab_id=iGBRtwbWhQo

      Notice that the client_id is wrong, it is changed to "account" (which I guess is default).

      Then the user ends up in a totally unexpected place, and (for our case) is lost.

      The error, I believe, is in org.keycloak.authentication.actiontoken.verifyemail.VerifyEmailActionTokenHandler#handleToken.

      Here it seems that, if the authSession is new, the client id is not copied from the URL.
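      A regression check for the behaviour described in this report, added here as an example and not part of the issue or of Keycloak itself. It takes the verification link from the e-mail and the HTML of the page Keycloak serves when that link is opened in a browser with no existing authentication session (the "Proceed" page), extracts every action-token link on that page and compares its client_id with the one in the e-mailed link. The sample URLs, HTML and the token key value are constructed for the example; the real page markup is assumed to contain an ordinary <a href="..."> pointing at /login-actions/action-token.

```python
"""Check that client_id survives e-mail verification across browsers.

Usage: fetch the e-mailed verification link with a client that holds no
Keycloak cookies (fresh browser, curl without a cookie jar), save the HTML of
the resulting "Proceed" page, and pass both to check_client_id_preserved().
"""
from html.parser import HTMLParser
from typing import Dict, List, Optional
from urllib.parse import parse_qs, urlparse

ACTION_TOKEN_PATH = "/login-actions/action-token"


def client_id_of(url: str) -> Optional[str]:
    """Return the client_id query parameter of an action-token URL, or None."""
    query = parse_qs(urlparse(url).query)
    values = query.get("client_id")
    return values[0] if values else None


class _ActionTokenLinks(HTMLParser):
    """Collect href values of <a> elements that point at the action-token endpoint."""

    def __init__(self) -> None:
        super().__init__()
        self.links: List[str] = []

    def handle_starttag(self, tag, attrs):
        if tag != "a":
            return
        href = dict(attrs).get("href")
        if href and ACTION_TOKEN_PATH in href:
            self.links.append(href)


def proceed_links(page_html: str) -> List[str]:
    """Return all action-token links found on the Proceed page."""
    parser = _ActionTokenLinks()
    parser.feed(page_html)
    return parser.links


def check_client_id_preserved(email_link: str, proceed_page_html: str) -> Dict:
    """Compare the client_id of the e-mailed link with the one(s) on the Proceed page.

    ok is True only if at least one action-token link was found and every such
    link carries the same client_id as the e-mailed link. A link carrying
    'account' instead of the original client is the symptom reported above.
    """
    expected = client_id_of(email_link)
    found = [client_id_of(link) for link in proceed_links(proceed_page_html)]
    ok = bool(found) and all(cid == expected for cid in found)
    return {"expected": expected, "found": found, "ok": ok}


# Constructed sample input (key value and page markup are made up for the example).
EMAIL_LINK = (
    "https://my-domain.example.com/auth/realms/my-realm/login-actions/action-token"
    "?key=example-key&client_id=my-client&tab_id=5aBvcqHSwXM"
)

# Proceed page as served by the affected version: client_id has become "account".
BUGGY_PROCEED_PAGE = """
<html><body>
<p>You are about to verify your e-mail.</p>
<a href="https://my-domain.example.com/auth/realms/my-realm/login-actions/action-token?key=example-key&amp;client_id=account&amp;tab_id=iGBRtwbWhQo">Proceed</a>
</body></html>
"""

# Proceed page as expected once the bug is fixed: client_id is carried over.
FIXED_PROCEED_PAGE = """
<html><body>
<p>You are about to verify your e-mail.</p>
<a href="https://my-domain.example.com/auth/realms/my-realm/login-actions/action-token?key=example-key&amp;client_id=my-client&amp;tab_id=iGBRtwbWhQo">Proceed</a>
</body></html>
"""

if __name__ == "__main__":
    print("affected build:", check_client_id_preserved(EMAIL_LINK, BUGGY_PROCEED_PAGE))
    print("fixed build:   ", check_client_id_preserved(EMAIL_LINK, FIXED_PROCEED_PAGE))
```

      The check deliberately fails when no action-token link is found at all, so a changed page layout is reported rather than silently passing.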

                People

                • Assignee: rhn-support-igueye Issa Gueye
                • Reporter: anderius Anders Båtstrand
                • Votes: 0
                • Watchers: 3
