Description
Describe the bug
We discovered that the OIDC state parameter is required in order to parse the redirect URI properly. If no state is issued, the callback will not be parsed and instead a fresh login will be performed.
Lines 1091 to 1101 in db66549
I consider this a bug, as the OIDC spec only requires the state parameter if it was present in the request; if the request did not contain a state (I'll add details from our context under "Anything else?"), the callback should be accepted. Also, even if we assumed that behavior is intended, I believe the parsing logic should not silently fail, and at least a warning should be logged.
Version
26.1.4
Expected behavior
No response
Actual behavior
No response
How to Reproduce?
No response
Anything else?
We perform user registrations using an API request. When a user verifies the e-mail, they are redirected to a page which uses keycloak-js. As the initial authorization request is coming from an action token, it will not contain a state parameter. The issue now is that keycloak-js will attempt to start a new login, but with the current window location including the callback params.
In our case we then experience issues with a firewall policy, as it leads to a double-encoded iss parameter.
I'm also willing to create a PR if you confirm that behavior is a bug.
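An added example (not keycloak-js code and not part of this issue) of the parsing rule the report describes: a callback parser that requires `state` only when this client issued one, records a warning instead of failing silently, and strips the callback parameters before the current location is reused as redirect_uri so `iss` is not encoded twice. The function names and the sample URL are constructed for the example.

```javascript
// Added example, not keycloak-js code: parse an OIDC authorization response
// from the page URL. `state` must match only when we put one in the request.

const CALLBACK_PARAMS = ['code', 'state', 'session_state', 'iss', 'error', 'error_description'];

function parseCallback(href, expectedState) {
  const params = new URL(href).searchParams; // query response mode assumed
  if (!params.has('code') && !params.has('error')) {
    return { kind: 'none', warnings: [] }; // ordinary page load, not a callback
  }
  const state = params.get('state');
  const warnings = [];
  if (expectedState !== undefined) {
    // we issued a state for this login: it is the CSRF binding and must match
    if (state !== expectedState) {
      return { kind: 'rejected', reason: 'state mismatch', warnings };
    }
  } else if (state !== null) {
    // a state we never issued cannot be verified against anything
    return { kind: 'rejected', reason: 'unsolicited state', warnings };
  } else {
    // request was started elsewhere (e.g. an action token), so no state exists;
    // accept the response but record that fact instead of failing silently
    warnings.push('authorization response without state; request was not initiated by this client');
  }
  return {
    kind: params.has('error') ? 'error' : 'callback',
    code: params.get('code'),
    iss: params.get('iss'),
    sessionState: params.get('session_state'),
    error: params.get('error'),
    warnings,
  };
}

// Strip callback parameters before reusing the current location as
// redirect_uri, so a fresh login does not carry (and double-encode) `iss`.
function cleanRedirectUri(href) {
  const url = new URL(href);
  for (const p of CALLBACK_PARAMS) url.searchParams.delete(p);
  return url.toString();
}

// Constructed sample: a redirect after an action token, so no state was issued.
const SAMPLE_CALLBACK =
  'https://app.example/verify?iss=https%3A%2F%2Fkc.example%2Frealms%2Fdemo&code=abc123&session_state=s1';
```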