Bug | Resolution: Done | Major | RH-SSO-7.0.0.GA | None
The adapter throws a 400 Bad Request after a reset-password link has been opened in a new browser session, because the session cookie is missing. This happens because the reset-password flow redirects to the application with the authorization code even though it should detect that there is a new browser session and instead display the message "Your password has been updated" with a "back to application" link, as the verify-email flow does.
This is similar to https://issues.jboss.org/browse/KEYCLOAK-3331, but the PR provided there does not resolve the issue.
In RH-SSO 7.0.0, the error status is generated at line #221 in org.keycloak.adapters.OAuthRequestAuthenticator. But upstream Keycloak (3.0.0.CRx) does not use it when resetting the password.
[hokuda@dhcp-193-78 01795818_rhsso_reset_password_400]$ /home/hokuda/src/github.com/hokuda/rljdb/rljdb -attach localhost:18787
Set uncaught java.lang.Throwable
Set deferred uncaught java.lang.Throwable
Initializing jdb ...
Found ./rljdb.breakpoint
>
Breakpoint hit: "thread=http-127.0.0.1:8180-1", org.keycloak.adapters.OAuthRequestAuthenticator.checkStateCookie(), line=221 bci=24
221                return challenge(400, OIDCAuthenticationError.Reason.INVALID_STATE_COOKIE, null);

http-127.0.0.1:8180-1[1] list
217            OIDCHttpFacade.Cookie stateCookie = getCookie(deployment.getStateCookieName());
218
219            if (stateCookie == null) {
220                log.warn("No state cookie");
221 =>             return challenge(400, OIDCAuthenticationError.Reason.INVALID_STATE_COOKIE, null);
222            }
223            // reset the cookie
224            log.debug("** reseting application state cookie");
225            facade.getResponse().resetCookie(deployment.getStateCookieName(), stateCookie.getPath());
226            String stateCookieValue = getCookieValue(deployment.getStateCookieName());
http-127.0.0.1:8180-1[1]
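As an added example (not Keycloak's or RH-SSO's code), a minimal model of the state-cookie check in checkStateCookie() above, run against the two browser sessions involved in the reset-password case: the session that started the login holds the cookie, the fresh session that opened the link does not, so its callback fails with 400 INVALID_STATE_COOKIE. The cookie name, the Browser/Outcome helpers and the constructed code value are assumptions.

```python
import secrets
from dataclasses import dataclass, field
from typing import Tuple

STATE_COOKIE = "OAuth_Token_Request_State"  # assumed adapter cookie name


@dataclass
class Browser:
    """One browser session, reduced to its cookie jar."""
    cookies: dict = field(default_factory=dict)


@dataclass
class Outcome:
    status: int
    reason: str  # "INVALID_STATE_COOKIE" or "OK"


def start_login(browser: Browser) -> str:
    """Adapter side: mint a state value, bind it to this browser via the
    state cookie, and return it for the authorization request."""
    state = secrets.token_urlsafe(16)
    browser.cookies[STATE_COOKIE] = state
    return state


def handle_callback(browser: Browser, query: dict) -> Outcome:
    """Adapter side: the redirect back with code+state. Mirrors lines
    217-226 of the listing: no cookie -> 400, then clear and compare."""
    state_cookie = browser.cookies.get(STATE_COOKIE)
    if state_cookie is None:
        return Outcome(400, "INVALID_STATE_COOKIE")  # browser never started a login
    del browser.cookies[STATE_COOKIE]  # one-shot: reset the cookie before use
    if query.get("state") != state_cookie:
        return Outcome(400, "INVALID_STATE_COOKIE")  # CSRF / mismatched session
    return Outcome(200, "OK")  # safe to exchange the code for tokens


def reproduce_reset_password_case() -> Tuple[Outcome, Outcome]:
    """Returns (fresh-session outcome, original-session outcome)."""
    original = Browser()
    state = start_login(original)  # login page is where the reset link is sent
    callback = {"code": "constructed-code", "state": state}
    fresh = Browser()  # reset link opened in a new browser session: no cookie
    return handle_callback(fresh, callback), handle_callback(original, callback)
```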