Description
Before reporting an issue
- I have read and understood the above terms for submitting issues, and I understand that my issue may be closed without action if I do not follow them.
Area
account/ui
Describe the bug
With the update from Keycloak 26.0.8 to 26.1.0 I noticed that account-console gave a "Missing parameter: state" error. After some investigation I noticed that this is because we are using the secure-session client policy.
The reason for this seems to be that there has been a change to account-console where it no longer uses the state/nonce parameters and since the secure-session client policy requires these to be there it fails.
I can't find any information about this in the release notes and it feels like a breaking change but I guess it can be discussed. So far I see this as a bug but if not I would love to hear if there is a reason for this. It seems the security-console still uses state/nonce as it should.
Version
26.1.0
Regression
- The issue is a regression
Expected behavior
I would expect that account-console works with secure-session client policy. This means that I would expect it to use state/nonce parameters in the OIDC flow.
Expected URL (Also how it looks in 26.0.8):
http://localhost:8080/realms/test/protocol/openid-connect/auth?client_id=account-console&redirect_uri=http%3A%2F%2Flocalhost%3A8080%2Frealms%2Ftest%2Faccount%2F&state=9263e110-9720-4ae5-adb7-3d56a7606524&response_mode=query&response_type=code&scope=openid&nonce=cf26e8e4-d51c-4748-9b32-72e556399fd1&code_challenge=fe-QrTtqOlyhbz9So1zSHKW6BpdaGjggE0GscpR5yQ4&code_challenge_method=S256
Actual behavior
The current behavior is that account-console does not supply state/nonce parameters anymore in the OIDC flow.
Actual URL (How it looks from 26.1.0 and forward):
http://localhost:8080/realms/test/protocol/openid-connect/auth?client_id=account-console&redirect_uri=http%3A%2F%2Flocalhost%3A8080%2Frealms%2Ftest%2Faccount&response_type=code&code_challenge=5i6Psu8hD-AwOMkw7wSYnZOHeH5eSDIn_G8qImqOo0o&code_challenge_method=S256
How to Reproduce?
Spin up a version of Keycloak later than 26.1.0 and enable secure-session client policy.
Realm Settings->Client Policies->Profile
Create a new Profile and add the secure-session executor.
Go back to Realm Settings->Client Policies->Policies
Create a new Policy and add client-any condition. Then add the client profile created and click save.
Log out from the admin console, or use incognito mode, and go to http://localhost:8080/realms/master/account/
Anything else?
No response