KEYCLOAK-3331 Reset password leads to 400 bad request when link is opened in a different browser session
This commit is contained in:
parent
69dddfa73a
commit
ab72b2b141
3 changed files with 51 additions and 0 deletions
|
@ -41,6 +41,7 @@ import org.keycloak.models.utils.HmacOTP;
|
|||
import org.keycloak.provider.ProviderConfigProperty;
|
||||
import org.keycloak.services.ServicesLogger;
|
||||
import org.keycloak.services.messages.Messages;
|
||||
import org.keycloak.services.resources.LoginActionsService;
|
||||
|
||||
import javax.ws.rs.core.Response;
|
||||
import javax.ws.rs.core.UriBuilder;
|
||||
|
@ -60,6 +61,8 @@ public class ResetCredentialEmail implements Authenticator, AuthenticatorFactory
|
|||
|
||||
@Override
|
||||
public void authenticate(AuthenticationFlowContext context) {
|
||||
LoginActionsService.createActionCookie(context.getRealm(), context.getUriInfo(), context.getConnection(), context.getClientSession().getId());
|
||||
|
||||
UserModel user = context.getUser();
|
||||
String username = context.getClientSession().getNote(AbstractUsernameFormAuthenticator.ATTEMPTED_USERNAME);
|
||||
|
||||
|
|
|
@ -20,6 +20,8 @@ package org.keycloak.authentication.authenticators.resetcred;
|
|||
import org.keycloak.authentication.AuthenticationFlowContext;
|
||||
import org.keycloak.models.UserCredentialModel;
|
||||
import org.keycloak.models.UserModel;
|
||||
import org.keycloak.services.managers.AuthenticationManager;
|
||||
import org.keycloak.services.resources.LoginActionsService;
|
||||
|
||||
/**
|
||||
* @author <a href="mailto:bill@burkecentral.com">Bill Burke</a>
|
||||
|
@ -31,6 +33,11 @@ public class ResetPassword extends AbstractSetRequiredActionAuthenticator {
|
|||
|
||||
@Override
|
||||
public void authenticate(AuthenticationFlowContext context) {
|
||||
String actionCookie = LoginActionsService.getActionCookie(context.getSession().getContext().getRequestHeaders(), context.getRealm(), context.getUriInfo(), context.getConnection());
|
||||
if (actionCookie == null || !actionCookie.equals(context.getClientSession().getId())) {
|
||||
context.getClientSession().setNote(AuthenticationManager.END_AFTER_REQUIRED_ACTIONS, "true");
|
||||
}
|
||||
|
||||
if (context.getExecution().isRequired() ||
|
||||
(context.getExecution().isOptional() &&
|
||||
configuredFor(context))) {
|
||||
|
|
|
@ -606,6 +606,47 @@ public class ResetPasswordTest extends TestRealmKeycloakTest {
|
|||
}
|
||||
}
|
||||
|
||||
@Test
|
||||
public void resetPasswordLinkOpenedInNewBrowser() throws IOException, MessagingException {
|
||||
String username = "login-test";
|
||||
String resetUri = oauth.AUTH_SERVER_ROOT + "/realms/test/login-actions/reset-credentials";
|
||||
driver.navigate().to(resetUri);
|
||||
|
||||
resetPasswordPage.assertCurrent();
|
||||
|
||||
resetPasswordPage.changePassword(username);
|
||||
|
||||
loginPage.assertCurrent();
|
||||
assertEquals("You should receive an email shortly with further instructions.", loginPage.getSuccessMessage());
|
||||
|
||||
events.expectRequiredAction(EventType.SEND_RESET_PASSWORD)
|
||||
.user(userId)
|
||||
.detail(Details.REDIRECT_URI, oauth.AUTH_SERVER_ROOT + "/realms/test/account/")
|
||||
.client("account")
|
||||
.detail(Details.USERNAME, username)
|
||||
.detail(Details.EMAIL, "login@test.com")
|
||||
.session((String)null)
|
||||
.assertEvent();
|
||||
|
||||
assertEquals(1, greenMail.getReceivedMessages().length);
|
||||
|
||||
MimeMessage message = greenMail.getReceivedMessages()[0];
|
||||
|
||||
String changePasswordUrl = getPasswordResetEmailLink(message);
|
||||
|
||||
driver.manage().deleteAllCookies();
|
||||
driver.navigate().to(changePasswordUrl.trim());
|
||||
|
||||
System.out.println(driver.getPageSource());
|
||||
|
||||
updatePasswordPage.assertCurrent();
|
||||
|
||||
updatePasswordPage.changePassword("resetPassword", "resetPassword");
|
||||
|
||||
assertTrue(infoPage.isCurrent());
|
||||
assertEquals("Your account has been updated.", infoPage.getInfo());
|
||||
}
|
||||
|
||||
public static String getPasswordResetEmailLink(MimeMessage message) throws IOException, MessagingException {
|
||||
Multipart multipart = (Multipart) message.getContent();
|
||||
|
||||
|
|
Loading…
Reference in a new issue