diff --git a/core/src/main/java/org/keycloak/representations/AccessTokenResponse.java b/core/src/main/java/org/keycloak/representations/AccessTokenResponse.java
index b51c993cdc..b211aef7f3 100755
--- a/core/src/main/java/org/keycloak/representations/AccessTokenResponse.java
+++ b/core/src/main/java/org/keycloak/representations/AccessTokenResponse.java
@@ -52,7 +52,7 @@ public class AccessTokenResponse {
 @JsonProperty("not-before-policy")
 protected int notBeforePolicy;
- @JsonProperty("session-state")
+ @JsonProperty("session_state")
 protected String sessionState;
 protected Map otherClaims = new HashMap();
diff --git a/docbook/auth-server-docs/reference/en/en-US/modules/MigrationFromOlderVersions.xml b/docbook/auth-server-docs/reference/en/en-US/modules/MigrationFromOlderVersions.xml
index 46fa368713..afce17a83b 100755
--- a/docbook/auth-server-docs/reference/en/en-US/modules/MigrationFromOlderVersions.xml
+++ b/docbook/auth-server-docs/reference/en/en-US/modules/MigrationFromOlderVersions.xml
@@ -121,6 +121,13 @@ The Client Registration service endpoints have been moved from {realm}/clients to {realm}/clients-registrations. + + Session state parameter in authentication response renamed + + In the OpenID Connect authentication response we used to return the session state as session-state this is not + correct according to the specification and has been renamed to session_state. + + Deprecated OpenID Connect endpoints
diff --git a/docbook/auth-server-docs/reference/en/en-US/modules/direct-access.xml b/docbook/auth-server-docs/reference/en/en-US/modules/direct-access.xml
index cfc774bbc9..31ba14e54e 100755
--- a/docbook/auth-server-docs/reference/en/en-US/modules/direct-access.xml
+++ b/docbook/auth-server-docs/reference/en/en-US/modules/direct-access.xml
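Review bot: Changing the `@JsonProperty` name on the sessionState field to `session_state` silently breaks deserialization for any adapter or client still compiled against the previous `session-state` key; the value is no longer bound to the field, and where it ends up (if anywhere) depends on an any-setter that is not visible in this hunk. Since AccessTokenResponse is the shared representation, consider accepting the legacy key on input for one release while emitting only the new one, e.g. a setter-only alias `@JsonProperty("session-state") @Deprecated public void setLegacySessionState(String s) { this.sessionState = s; }` — Jackson should treat a name bound only to a setter as write-only, so serialized responses keep a single key (verify against the Jackson version in use). The rename is documented in the MigrationFromOlderVersions.xml hunk of this commit, but the field itself carries no hint why its wire name differs in style from its neighbour `not-before-policy`; `// wire name follows OpenID Connect Session Management ("session_state")` would help the next reader. The class body continues outside the hunk.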
@@ -73,7 +73,7 @@ Pragma: no-cache
 "expires_in":3600,
 "refresh_token":"tGzv3JOkF0XG5Qx2TlKWIA",
 "id_token":"tGzv3JOkF0XG5Qx2TlKWIA",
- "session-state":"234234-234234-234234"
+ "session_state":"234234-234234-234234"
 }]]>
diff --git a/docbook/auth-server-docs/reference/en/en-US/modules/service-accounts.xml b/docbook/auth-server-docs/reference/en/en-US/modules/service-accounts.xml
index 654341b23c..9e3e4ef92c 100644
--- a/docbook/auth-server-docs/reference/en/en-US/modules/service-accounts.xml
+++ b/docbook/auth-server-docs/reference/en/en-US/modules/service-accounts.xml
@@ -61,7 +61,7 @@ Pragma: no-cache
 "refresh_expires_in":600,
 "id_token":"tGzv3JOkF0XG5Qx2TlKWIA",
 "not-before-policy":0,
- "session-state":"234234-234234-234234"
+ "session_state":"234234-234234-234234"
 }]]>
diff --git a/services/src/main/java/org/keycloak/protocol/oidc/OIDCLoginProtocol.java b/services/src/main/java/org/keycloak/protocol/oidc/OIDCLoginProtocol.java
index 1b56033101..8bef72ed34 100755
--- a/services/src/main/java/org/keycloak/protocol/oidc/OIDCLoginProtocol.java
+++ b/services/src/main/java/org/keycloak/protocol/oidc/OIDCLoginProtocol.java
@@ -163,7 +163,7 @@ public class OIDCLoginProtocol implements LoginProtocol {
 if (responseType.hasResponseType(OIDCResponseType.TOKEN)) {
 redirectUri.addParam("access_token", res.getToken());
 redirectUri.addParam("token_type", res.getTokenType());
- redirectUri.addParam("session-state", res.getSessionState());
+ redirectUri.addParam("session_state", res.getSessionState());
 redirectUri.addParam("expires_in", String.valueOf(res.getExpiresIn()));
 }
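Review bot: The renamed `session_state` parameter in OIDCLoginProtocol now carries the OpenID Connect Session Management name, which that specification defines as an opaque value derived (salted hash) from the client_id, the origin and the OP's browser-state cookie, whereas this line forwards whatever `res.getSessionState()` returns unchanged. If that accessor returns Keycloak's own user-session identifier (it reads that way, but the accessor and the enclosing method are outside this hunk), the rename puts a server-side identifier under a name relying parties will interpret as the spec value, and it travels in the redirect URL — whether in the query or the fragment is not visible here — where it can persist in browser history and referrer headers. At minimum document the distinction next to the renamed line, e.g. `// "session_state" carries Keycloak's session state, not the hashed value defined by OIDC Session Management 1.0 — TODO confirm`, and check that the TOKEN response type places these parameters in the fragment as the implicit flow requires. The enclosing method starts and ends outside the hunk.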