Missing state parameter in response from identity provider. #15

Closed

fabio-pereira-ubc opened this issue Nov 26, 2022 · 2 comments

Comments

fabio-pereira-ubc commented Nov 26, 2022

We are testing keycloak-magic-link, and everything works fine when we use it in a browser flow in an IDB realm that the application connects to for user validation, as in the image below.

[screenshot]

But in our scenario we need to provide more than one login option to our users. For that, we configure multiple identity providers in an IDB realm, and we are creating another realm for the magic link to act as an IdP. The configuration is like the image below.

[screenshot]

These are the steps when we try to connect from our example application (SP).

  1. User clicks the MLIDP IdP button.
    [screenshot]

  2. User enters their email address and submits it.
    [screenshot]

  3. User clicks the link in the email they received.
    [screenshot]

  4. User gets an error as the response.
    [screenshot]

To check that the IdP configuration in the IDB realm and the client in the MLIDP realm are correct, we changed the MLIDP realm client's flow to the standard browser flow, as shown in the image below. After testing, we can log in successfully.

[screenshot]

There is one open issue that mentions the state parameter, but we don't know whether it is related to the issue we got: "Magic link doesn't support PKCE or state/nonce values".

The Keycloak version used during tests was 18.0.1.

xgp (Member) commented Nov 26, 2022

This won't work in the current implementation. Sending a request to a remote IdP requires a continuous authentication session. The magic link functionality doesn't maintain the session (even in the same browser) following the click on the email link.

Perhaps as an alternative, could you keep the magic link username form and authenticator in your forms set as ALTERNATIVE so that the user could click "Try another way" rather than doing it in another Realm as a remote IdP?
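The check behind the error in this issue's title, as an added illustration that is not code from Keycloak or from keycloak-magic-link: a minimal OIDC broker that issues `state` and `nonce` with the authorization request, keeps them in the browser's authentication session, and rejects a redirect that carries no `state` or returns one this session never issued. The realm URLs, client id, the `BrokerSession` class and the simulated IdP responses are all constructed for the example; in the magic-link case the IdP side finishes the login from the email click without the original authorization request's parameters, so the redirect arrives without `state` and the broker refuses it.

```python
import hmac
import secrets
from dataclasses import dataclass
from typing import Optional
from urllib.parse import parse_qs, urlencode, urlparse


class MissingState(Exception):
    """Raised when the IdP's redirect carries no state parameter at all."""


class StateMismatch(Exception):
    """Raised when the returned state is not the one this session issued."""


@dataclass
class BrokerSession:
    # Hypothetical stand-in for the broker realm's per-browser authentication session.
    pending_state: Optional[str] = None
    pending_nonce: Optional[str] = None


def begin_brokered_login(session: BrokerSession, idp_authorize_url: str,
                         client_id: str, redirect_uri: str) -> str:
    """Build the authorization request to the remote IdP and remember state/nonce."""
    session.pending_state = secrets.token_urlsafe(32)
    session.pending_nonce = secrets.token_urlsafe(32)
    query = urlencode({
        "response_type": "code",
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "scope": "openid",
        "state": session.pending_state,
        "nonce": session.pending_nonce,
    })
    return f"{idp_authorize_url}?{query}"


def handle_idp_callback(session: BrokerSession, callback_url: str) -> str:
    """Validate the redirect back from the IdP and return the authorization code."""
    params = {k: v[0] for k, v in parse_qs(urlparse(callback_url).query).items()}
    returned_state = params.get("state")
    if returned_state is None:
        raise MissingState("Missing state parameter in response from identity provider.")
    if session.pending_state is None or not hmac.compare_digest(returned_state, session.pending_state):
        raise StateMismatch("state does not match the value issued for this browser session")
    session.pending_state = None  # state is single-use; a replay of the same redirect fails here
    return params["code"]


# Hypothetical endpoints for the two realms described in the issue.
IDP_AUTH = "https://mlidp.example/realms/MLIDP/protocol/openid-connect/auth"
REDIRECT = "https://idb.example/realms/IDB/broker/MLIDP/endpoint"


def simulate_standard_browser_flow() -> str:
    """Same browser session throughout: the IdP echoes state back and the code is accepted."""
    session = BrokerSession()
    auth_url = begin_brokered_login(session, IDP_AUTH, "idb-broker", REDIRECT)
    sent = {k: v[0] for k, v in parse_qs(urlparse(auth_url).query).items()}
    # Constructed IdP response: a cooperating IdP copies the request's state into the redirect.
    callback = REDIRECT + "?" + urlencode({"code": "authcode-123", "state": sent["state"]})
    return handle_idp_callback(session, callback)


def simulate_magic_link_flow() -> str:
    """Login finished from an email link: the IdP's redirect carries no state."""
    session = BrokerSession()
    begin_brokered_login(session, IDP_AUTH, "idb-broker", REDIRECT)
    # Constructed IdP response: the authenticator that handled the email click has no record of
    # the original authorization request, so it redirects with a code but without state.
    callback = REDIRECT + "?" + urlencode({"code": "authcode-456"})
    try:
        handle_idp_callback(session, callback)
    except MissingState:
        return "MissingState"
    return "accepted"


def simulate_replayed_state() -> str:
    """A state issued to another browser session is rejected (the CSRF case state exists for)."""
    victim, attacker = BrokerSession(), BrokerSession()
    begin_brokered_login(victim, IDP_AUTH, "idb-broker", REDIRECT)
    begin_brokered_login(attacker, IDP_AUTH, "idb-broker", REDIRECT)
    # Constructed: the attacker's own redirect is delivered into the victim's session.
    callback = REDIRECT + "?" + urlencode({"code": "authcode-789", "state": attacker.pending_state})
    try:
        handle_idp_callback(victim, callback)
    except StateMismatch:
        return "StateMismatch"
    return "accepted"
```

The broker cannot tell a lost `state` from an attacker-forged redirect, which is why it fails closed in both cases; keeping the magic-link step inside the same realm's browser flow, as suggested above, avoids the round trip that needs the state at all.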

fabio-pereira-ubc (Author) commented

Thanks for the answer, we are going to try that!

xgp closed this as completed Nov 28, 2022