STCOR-853 do not include credential in /authn/token request #1477
Conversation
The request to `/authn/token` pulls an OTP from the query string and exchanges it for AT/RT cookies. If, somehow, the browser already has cookies and sends them along on this request, it causes a negative feedback loop because the OTP and the cookies are out of sync. The old AT/RT cookies will cause the endpoint to return 4xx, which will result in a redirect back to keycloak, which will find its (still perfectly valid) authentication cookies, which will cause it to redirect back to stripes with a new OTP ... and the cycle repeats. Thus, when we are exchanging an OTP, we don't want to send any cookies. We want to send the OTP and have new cookies from the response overwrite anything that was previously stored. Refs STCOR-853
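The loop described above can be made concrete with a small model. The following is an added example, not code from stripes-core or this PR: `buildTokenRequest` shows the `fetch()` option (`credentials: 'omit'`) that stops the browser attaching stored cookies to the OTP exchange, and `runLoginFlow` drives a constructed stand-in for the `/authn/token` endpoint and the Keycloak redirect to show that the stale-cookie case never converges while the cookie-free request succeeds on the first round. The request URL, method, query parameter name and the endpoint's response shape are assumptions made for the example.

```javascript
// Added example (not stripes-core's own code). Models the redirect loop
// described in the PR: a stale AT/RT cookie sent with the OTP exchange
// makes /authn/token answer 4xx, which bounces the browser back to
// Keycloak, which issues a fresh OTP, and so on. The endpoint below is a
// constructed stand-in, not the real FOLIO service.

// Request options for the OTP exchange. `credentials: 'omit'` is the
// fetch() setting that prevents the browser from attaching any stored
// cookies, which is the behaviour the PR asks for. URL, method and the
// query parameter name are assumptions.
function buildTokenRequest(otp, { sendCookies = false } = {}) {
  return {
    url: `/authn/token?code=${encodeURIComponent(otp)}`,
    init: {
      method: 'POST',
      credentials: sendCookies ? 'include' : 'omit',
    },
  };
}

// Constructed model of the token endpoint: a cookie pair is "in sync" with
// an OTP only if it was minted from that OTP; anything else is stale and
// is rejected with a 4xx.
function tokenEndpoint(otp, cookiesSent) {
  if (cookiesSent && cookiesSent.mintedFrom !== otp) {
    return { status: 401, setCookie: null };
  }
  return {
    status: 201,
    setCookie: { at: `at-${otp}`, rt: `rt-${otp}`, mintedFrom: otp },
  };
}

// Drives the browser <-> stripes <-> Keycloak round trip until the exchange
// succeeds or a round limit is hit. Returns how many OTP exchanges happened,
// whether login converged, and what the browser's cookie jar holds at the end.
function runLoginFlow({ sendCookies, existingCookies, maxRounds = 5 }) {
  let cookieJar = existingCookies;   // what the browser already stores
  let round = 0;
  let nextOtp = 1000;
  while (round < maxRounds) {
    round += 1;
    // Keycloak's own session cookie is still valid, so every redirect back
    // to stripes carries a freshly issued OTP.
    const otp = `otp-${nextOtp++}`;
    const req = buildTokenRequest(otp, { sendCookies });
    const sent = req.init.credentials === 'include' ? cookieJar : null;
    const res = tokenEndpoint(otp, sent);
    if (res.status < 400) {
      cookieJar = res.setCookie;       // new cookies overwrite the old ones
      return { converged: true, rounds: round, cookieJar };
    }
    // 4xx: redirect to Keycloak and come back; the stale jar is untouched,
    // so the next round fails the same way.
  }
  return { converged: false, rounds: round, cookieJar };
}
```

With a stale pair in the jar, `runLoginFlow({ sendCookies: true, ... })` exhausts its round limit without ever storing new cookies, while `sendCookies: false` converges on the first exchange; the only difference between the two is the `credentials` value handed to `fetch()`.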
Glad you could correct this with a small change. Thanks for adding test coverage!
The previous commit re-enabled logout by correctly passing the `x-okapi-tenant` header in the `/authn/logout` request. It turns out that if you want to read the tenant from the store in a test, you have to mock the store in your test. WHO KNEW???
Like #1478, branches got wacky due to an accidental merge; there should only be one commit on this branch :/ Gonna try re-opening it against current tip of keycloak-ramsons.