When legacy redirect_uri is enabled (--spi-login-protocol-openid-connect-legacy-logout-redirect-uri=enabled), changing the locale on the logout confirmation page strips the redirect_uri query parameter and breaks the logout action. The relevant line could be this one.
Version
18.0.0
Expected behavior
Changing the locale on the logout confirmation page keeps the redirect_uri query parameter and logs out successfully.
Actual behavior
Changing the locale on the logout confirmation page strips the redirect_uri parameter and fails the logout request with a 400.
How to Reproduce?
Enable legacy redirect_uri with --spi-login-protocol-openid-connect-legacy-logout-redirect-uri=enabled.
Enable at least two locales in a realm's localization settings
Log in to the realm
Log out of the realm
On the logout confirmation page, change the locale to a different one
The redirect_uri query parameter is not present anymore
Confirm logout
Expect a 400 on POST $URL/auth/realms/$REALM/protocol/openid-connect/logout/logout-confirm?tab_id=$TAB_ID
See error below
Details
ERROR [org.keycloak.services.resources.IdentityBrokerService] (executor-thread-16) unexpectedErrorHandlingRequestMessage: javax.ws.rs.WebApplicationException: HTTP 400 Bad Request
at org.keycloak.services.resources.IdentityBrokerService.parseSessionCode(IdentityBrokerService.java:1060)
at org.keycloak.services.resources.IdentityBrokerService.performLogin(IdentityBrokerService.java:373)
at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
at java.base/jdk.internal.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
at java.base/java.lang.reflect.Method.invoke(Method.java:566)
at org.jboss.resteasy.core.MethodInjectorImpl.invoke(MethodInjectorImpl.java:170)
at org.jboss.resteasy.core.MethodInjectorImpl.invoke(MethodInjectorImpl.java:130)
at org.jboss.resteasy.core.ResourceMethodInvoker.internalInvokeOnTarget(ResourceMethodInvoker.java:660)
at org.jboss.resteasy.core.ResourceMethodInvoker.invokeOnTargetAfterFilter(ResourceMethodInvoker.java:524)
at org.jboss.resteasy.core.ResourceMethodInvoker.lambda$invokeOnTarget$2(ResourceMethodInvoker.java:474)
at org.jboss.resteasy.core.interception.jaxrs.PreMatchContainerRequestContext.filter(PreMatchContainerRequestContext.java:364)
at org.jboss.resteasy.core.ResourceMethodInvoker.invokeOnTarget(ResourceMethodInvoker.java:476)
at org.jboss.resteasy.core.ResourceMethodInvoker.invoke(ResourceMethodInvoker.java:434)
at org.jboss.resteasy.core.ResourceLocatorInvoker.invokeOnTargetObject(ResourceLocatorInvoker.java:192)
at org.jboss.resteasy.core.ResourceLocatorInvoker.invoke(ResourceLocatorInvoker.java:141)
at org.jboss.resteasy.core.ResourceLocatorInvoker.invoke(ResourceLocatorInvoker.java:32)
at org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:492)
at org.jboss.resteasy.core.SynchronousDispatcher.lambda$invoke$4(SynchronousDispatcher.java:261)
at org.jboss.resteasy.core.SynchronousDispatcher.lambda$preprocess$0(SynchronousDispatcher.java:161)
at org.jboss.resteasy.core.interception.jaxrs.PreMatchContainerRequestContext.filter(PreMatchContainerRequestContext.java:364)
at org.jboss.resteasy.core.SynchronousDispatcher.preprocess(SynchronousDispatcher.java:164)
at org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:247)
at io.quarkus.resteasy.runtime.standalone.RequestDispatcher.service(RequestDispatcher.java:73)
at io.quarkus.resteasy.runtime.standalone.VertxRequestHandler.dispatch(VertxRequestHandler.java:151)
at io.quarkus.resteasy.runtime.standalone.VertxRequestHandler.handle(VertxRequestHandler.java:82)
at io.quarkus.resteasy.runtime.standalone.VertxRequestHandler.handle(VertxRequestHandler.java:42)
at io.vertx.ext.web.impl.RouteState.handleContext(RouteState.java:1212)
at io.vertx.ext.web.impl.RoutingContextImplBase.iterateNext(RoutingContextImplBase.java:163)
at io.vertx.ext.web.impl.RoutingContextWrapper.next(RoutingContextWrapper.java:201)
at io.quarkus.vertx.http.runtime.StaticResourcesRecorder$2.handle(StaticResourcesRecorder.java:67)
at io.quarkus.vertx.http.runtime.StaticResourcesRecorder$2.handle(StaticResourcesRecorder.java:55)
at io.vertx.ext.web.impl.RouteState.handleContext(RouteState.java:1212)
at io.vertx.ext.web.impl.RoutingContextImplBase.iterateNext(RoutingContextImplBase.java:163)
at io.vertx.ext.web.impl.RoutingContextWrapper.next(RoutingContextWrapper.java:201)
at io.quarkus.vertx.http.runtime.VertxHttpRecorder$5.handle(VertxHttpRecorder.java:380)
at io.quarkus.vertx.http.runtime.VertxHttpRecorder$5.handle(VertxHttpRecorder.java:358)
at io.vertx.ext.web.impl.RouteState.handleContext(RouteState.java:1212)
at io.vertx.ext.web.impl.RoutingContextImplBase.iterateNext(RoutingContextImplBase.java:163)
at io.vertx.ext.web.impl.RoutingContextWrapper.next(RoutingContextWrapper.java:201)
at org.keycloak.quarkus.runtime.integration.web.QuarkusRequestFilter.lambda$createBlockingHandler$1(QuarkusRequestFilter.java:71)
at io.vertx.core.impl.ContextImpl.lambda$null$0(ContextImpl.java:159)
at io.vertx.core.impl.AbstractContext.dispatch(AbstractContext.java:100)
at io.vertx.core.impl.ContextImpl.lambda$executeBlocking$1(ContextImpl.java:157)
at io.quarkus.vertx.core.runtime.VertxCoreRecorder$13.runWith(VertxCoreRecorder.java:543)
at org.jboss.threads.EnhancedQueueExecutor$Task.run(EnhancedQueueExecutor.java:2449)
at org.jboss.threads.EnhancedQueueExecutor$ThreadBody.run(EnhancedQueueExecutor.java:1478)
at org.jboss.threads.DelegatingRunnable.run(DelegatingRunnable.java:29)
at org.jboss.threads.ThreadLocalResettingRunnable.run(ThreadLocalResettingRunnable.java:29)
at io.netty.util.concurrent.FastThreadLocalRunnable.run(FastThreadLocalRunnable.java:30)
at java.base/java.lang.Thread.run(Thread.java:829)
Anything else?
I am aware that redirect_uri is being deprecated so feel free to close the issue if out of scope. I can create a PR with some help on how to fix it.
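The failure mode in this report, modelled as an added example (not Keycloak's code and not written by the issue author): a locale link rebuilt from a fixed parameter set drops redirect_uri, while one that copies the current query string keeps it. The class and method names, the sample URL and the use of kc_locale as the locale parameter are assumptions made for illustration.

```java
import java.net.URI;
import java.net.URLDecoder;
import java.net.URLEncoder;
import java.nio.charset.StandardCharsets;
import java.util.LinkedHashMap;
import java.util.Map;
import java.util.stream.Collectors;

public class LocaleLinkExample {
    // Decode a raw query string into an ordered map (last value wins on repeats).
    static Map<String, String> parseQuery(String raw) {
        Map<String, String> params = new LinkedHashMap<>();
        if (raw == null || raw.isEmpty()) return params;
        for (String pair : raw.split("&")) {
            String[] kv = pair.split("=", 2);
            params.put(URLDecoder.decode(kv[0], StandardCharsets.UTF_8),
                    kv.length > 1 ? URLDecoder.decode(kv[1], StandardCharsets.UTF_8) : "");
        }
        return params;
    }
    static String withQuery(URI page, Map<String, String> params) {
        String query = params.entrySet().stream()
                .map(e -> URLEncoder.encode(e.getKey(), StandardCharsets.UTF_8) + "="
                        + URLEncoder.encode(e.getValue(), StandardCharsets.UTF_8))
                .collect(Collectors.joining("&"));
        return page.getScheme() + "://" + page.getRawAuthority() + page.getRawPath() + "?" + query;
    }
    // Hypothetical model of the reported behaviour: the link is rebuilt from a
    // fixed set of parameters, so redirect_uri silently disappears.
    static String lossyLocaleLink(URI page, String locale) {
        Map<String, String> kept = new LinkedHashMap<>();
        String tabId = parseQuery(page.getRawQuery()).get("tab_id");
        if (tabId != null) kept.put("tab_id", tabId);
        kept.put("kc_locale", locale);
        return withQuery(page, kept);
    }
    // Preserving variant: carry every existing parameter over, then set the locale.
    static String preservingLocaleLink(URI page, String locale) {
        Map<String, String> params = parseQuery(page.getRawQuery());
        params.put("kc_locale", locale);
        return withQuery(page, params);
    }

    public static void main(String[] args) {
        // Constructed sample: host, realm, tab_id and redirect target are placeholders.
        URI page = URI.create("https://sso.example.test/auth/realms/demo/protocol/openid-connect"
                + "/logout?redirect_uri=https%3A%2F%2Fapp.example.test%2Fhome&tab_id=abc123");
        System.out.println(lossyLocaleLink(page, "fr"));
        System.out.println(preservingLocaleLink(page, "fr"));
    }
}
```

A regression test for the fix can assert that the locale link on the confirmation page still contains every query parameter of the page it was rendered from.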
@FranckKe I can confirm that changing locale on the "logout confirm page" is broken (even without backwards compatibility switch enabled). We should look into this.
Describe the bug
Keycloak 18 adds a confirmation page when logging out. For more context see this section of Keycloak 18 blog post.