8000 Fix account console for usage with secure-session client-policy (#37447) by mposolda · Pull Request #39539 · keycloak/keycloak · GitHub
[go: up one dir, main page]
More Web Proxy on the site http://driver.im/
Skip to content

Fix account console for usage with secure-session client-policy (#37447) #39539

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 2 commits into from
May 15, 2025
Merged

Fix account console for usage with secure-session client-policy (#37447) #39539

merged 2 commits into from
May 15, 2025

Conversation

mposolda
Copy link
Contributor
@mposolda mposolda commented May 7, 2025
edited
Loading

Fixes #37447

(cherry picked from commit a465416)

This is an extension of the PR #38476 , which fixes TermsAndConditionsTest (as after the error after user rejects terms-and-conditions, there is another request sent automatically and hence login page is displayed) .

Also added the automated test in ClientPoliciesExecutorTest for the scenario from the report.

@mposolda mposolda self-assigned this May 7, 2025
@mposolda mposolda requested review from a team as code owners May 7, 2025 16:01
@mposolda mposolda mentioned this pull request May 7, 2025
Closed
@pedroigor pedroigor force-pushed the 37447-account-console branch from 8620bd0 to 78545a0 Compare May 7, 2025 18:17
thomasdarimont
thomasdarimont approved these changes May 7, 2025
View reviewed changes
Copy link
Contributor
@thomasdarimont thomasdarimont left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM, see remark regarding the terms and conditions test.

@mposolda
Copy link
Contributor Author
mposolda commented May 13, 2025
edited
Loading

@pedroigor @thomasdarimont It is the behaviour of keycloak.js integration of account console that when it sees the login URL with the unknown state parameter, it redirects directly to the login screen. When there is some other parameters (like error) together with state, the keycloak.js will try to lookup callback data by existing state (See method parseCallback in keycloak.js). When it does not find the data, it redirects to the login screen.

BTW. This happens during every successful login to the account console as well and it was the case before my changes as well. So during every login to account console (with or without state parameter), the account console will call another redirect to login (this 2nd redirect is done now by keycloak.js and hence it works as during 2nd redirect back, keycloak.js is able to find the callback when calling parseCallback)

In other words, with this PR, when user press "decline", Keycloak will redirect to the URL like this which contains state and this will automatically do the redirect to the login screen without displaying the error : https://localhost:8543/auth/realms/test/account?error=access_denied&error_description=termsAndConditionsDeclined&iss=https%3A%2F%2Flocalhost%3A8543%2Fauth%2Frealms%2Ftest&state=something

When you omit the state parameter (which is the case before this PR). The URL looks like this and keycloak.js will not try to redirect to login and just display the error: https://localhost:8543/auth/realms/test/account?error=access_denied&error_description=termsAndConditionsDeclined&iss=https%3A%2F%2Flocalhost%3A8543%2Fauth%2Frealms%2Ftest

To me, the options are:

  1. Keep as it is in the current PR

  2. Handle this as old behaviour and make sure that no changes in TermsAndConditionsTest are needed. This would be possible by doing some hacks somewhere here https://github.com/keycloak/keycloak/blob/main/services/src/main/java/org/keycloak/services/resources/account/AccountConsole.java#L276-L280 and make sure that when state is present, then ignore it and forward to account console UI without that state, which will make sure that keycloak.js will not try to lookup callback by unknown "state". This will make sure that error is displayed to the user.

TBH my preference is (1) as regarding usability, it is OK to redirect user directly to the login screen. When user rejected callback, he is aware that he is not able to login. So looks like the error page would be just another "splash screen" displayed to the user? But if you prefer to do (2), please let me know and I can update the PR to not need to do any changes in TermsAndConditionsTest .

Not sure if we can do something else? To me, it seems that this whole combination of redirecting to the login screen from Java (AccountConsole.redirectToLogin) and from keycloak.js is a hack. But that will require more changes if we want to get rid of this. For fixing this regression issue, I would prefer to do something simple (which can be backported to older branches without risk of other regressions) and then doing further bigger refactoring (if needed).

@mposolda
Copy link
Contributor Author

@thomasdarimont When you want to test with latest chromedriver, you can download it manually https://googlechromelabs.github.io/chrome-for-testing/ and unpack somewhere in your laptop. Then you can run the test with something like:

-Dbrowser=chrome -Dwebdriver.chrome.driver=/home/mposolda/software/chromedriver-linux64-136/chromedriver

At least, that is what I am usually doing.

< 8000 svg aria-label="Loading..." style="box-sizing: content-box; color: var(--color-icon-primary);" width="32" height="32" viewBox="0 0 16 16" fill="none" role="img" data-view-component="true" class="anim-rotate">

jonkoops
jonkoops previously approved these changes May 13, 2025
View reviewed changes
@pedroigor
Copy link
Contributor

TBH my preference is (1) as regarding usability, it is OK to redirect user directly to the login screen. When user rejected callback, he is aware that he is not able to login. So looks like the error page would be just another "splash screen" displayed to the user? But if you prefer to do (2), please let me know and I can update the PR to not need to do any changes in TermsAndConditionsTest .

From a UX perspective, the user should be informed about any error returned by Keycloak to the application. In this case, inform that the term was declined.

I vote to keep the previous behavior.

Not sure if we can do something else? To me, it seems that this whole combination of redirecting to the login screen from Java (AccountConsole.redirectToLogin) and from keycloak.js is a hack. But that will require more changes if we want to get rid of this. For fixing this regression issue, I would prefer to do something simple (which can be backported to older branches without risk of other regressions) and then doing further bigger refactoring (if needed).

Yer ... And we discussed a lot this approach when we introduced it. The decision was basically a tradeoff between making deep changes to the Account App - as discussed with @jonkoops at that time - and a simpler/hacky change to handle things from the backend. I'm also not happy with the current behavior but the old behavior where you have the Account App being loaded when the user is not even authenticated is worse, I think ....

@thomasdarimont @mposolda
Fix account console for usage with secure-session client-policy (keyc…
4e451bf 
…loak#37447)

Fixes keycloak#37447

Signed-off-by: Thomas Darimont <thomas.darimont@googlemail.com>
(cherry picked from commit a465416)

Co-authored-by: mposolda <mposolda@gmail.com>
@mposolda mposolda force-pushed the 37447-account-console branch 2 times, most recently from 430670d to 0c7a84c Compare May 14, 2025 17:56
@mposolda
Make the account console to work without a change in behaviour in Ter…
c49b13f 
…msAndConditionsTest

Signed-off-by: mposolda <mposolda@gmail.com>
@mposolda mposolda force-pushed the 37447-account-console branch from 0c7a84c to c49b13f Compare May 14, 2025 17:57
@mposolda
Copy link
Contributor Author

TBH my preference is (1) as regarding usability, it is OK to redirect user directly to the login screen. When user rejected callback, he is aware that he is not able to login. So looks like the error page would be just another "splash screen" displayed to the user? But if you prefer to do (2), please let me know and I can update the PR to not need to do any changes in TermsAndConditionsTest .

From a UX perspective, the user should be informed about any error returned by Keycloak to the application. In this case, inform that the term was declined.

I vote to keep the previous behavior.

@pedroigor Yeah, I see the point. For the UX, still not 100% sure as when user declined terms-and-conditions, it should be clear to him that login not possible and hence redirect to login screen might be OK. On the other hand, there could be some other errors (not caused by user himself), which may be clearer to display to the user...

So I've updated the PR, so no change needed in TermsAndConditionsTest . Can you re-review please?

@pedroigor pedroigor merged commit 2464c8d into keycloak:main May 15, 2025
76 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@thomasdarimont thomasdarimont thomasdarimont approved these changes

@pedroigor pedroigor pedroigor approved these changes

@jonkoops jonkoops jonkoops left review comments

Assignees

@mposolda mposolda

Labels
team/cloud-native team/core-clients team/core-iam
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

account-console no longer provides nonce/state parameter
4 participants
@mposolda @pedroigor @thomasdarimont @jonkoops
0