page-expired error page shown when using browser back-button on forgot-password page after invalid login attempt

Closes #25440

Signed-off-by: Douglas Palmer <dpalmer@redhat.com>

services/src/main/java/org/keycloak/services/resources/SessionCodeChecks.java

@@ -53,6 +53,7 @@ import org.keycloak.services.messages.Messages;
 import org.keycloak.services.util.BrowserHistoryHelper;
 import org.keycloak.services.util.AuthenticationFlowURLHelper;
 import org.keycloak.sessions.AuthenticationSessionModel;
+import org.keycloak.sessions.CommonClientSessionModel;
 import org.keycloak.sessions.RootAuthenticationSessionModel;
 
 
@@ -280,7 +281,7 @@ public class SessionCodeChecks {
                 }
             }
 
-            if (execution == null || execution.equals(lastExecFromSession)) {
+            if (execution == null || execution.equals(lastExecFromSession) || CommonClientSessionModel.ExecutionStatus.CHALLENGED.equals(authSession.getExecutionStatus().get(execution))) {
                 // Allow refresh of previous page
                 clientCode = new ClientSessionCode<>(session, realm, authSession);
                 actionRequest = false;

testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/forms/ResetPasswordTest.java

@@ -376,6 +376,16 @@ public class ResetPasswordTest extends AbstractTestRealmKeycloakTest {
         resetPassword("login@test.com");
     }
 
+    @Test
+    public void resetPasswordBackButton() throws IOException, MessagingException {
+        loginPage.open();
+        loginPage.login("login@test.com", "wrongpassword");
+        loginPage.resetPassword();
+        resetPasswordPage.assertCurrent();
+        driver.navigate().back();
+        loginPage.assertCurrent();
+    }
+
     private String resetPassword(String username) throws IOException, MessagingException {
         return resetPassword(username, "resetPassword");
     }