fix: Identity providers should not be hidden from login page when the user goes back from the reset credentials page#48814
Open
vilmosnagy wants to merge 4 commits into keycloak:main from
36fd1a3 to 6ce3187
Signed-off-by: Vilmos Nagy <me@vnagy.eu>
6ce3187 to 0d11bb6
…ehaviour Signed-off-by: Vilmos Nagy <me@vnagy.eu>
- Clear the RESET_CREDENTIAL_USER_CHOSEN auth note after clearing the user, so subsequent login page renders do not redundantly clear again (feedback from @mposolda in keycloak#33254)
- Add ResetPasswordTest::resetPasswordEmailLinkWorksAfterNavigatingBackToLoginPage to verify that the password reset email link still works after the user navigates back to the login page, covering the scenario raised in the review discussion of keycloak#33254

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Signed-off-by: Vilmos Nagy <me@vnagy.eu>
0d11bb6 to abaabbc
Is it possible that the failing test ( If it's not flaky, can you help me reproduce the failure? Apart from that I fixed all failing tests.
Reopens #33254, closes #33204.
First of all, sorry for disappearing — a newborn arrived ~1.5 years ago and I never found the time to get back to this. Big thanks to @mposolda for keeping the previous PR open as long as he did.
I rebased the commits from #33254 and verified that the tests from last year still fail against the current `main` branch, so the issue is still present and the fix is still needed. I also tried to address the review discussion from last year. Specifically:

- Clear the `RESET_CREDENTIAL_USER_CHOSEN` auth note after calling `context.clearUser()`, so that subsequent renders of the login page within the same auth session don't needlessly clear the user again.
- Add `ResetPasswordTest::resetPasswordEmailLinkWorksAfterNavigatingBackToLoginPage` to cover the scenario @mposolda raised: the user initiates a password reset, navigates back to the login page (which now clears the user from the auth session), and then clicks the email link. The test verifies the reset flow still completes successfully — it seems that a user who navigates back and then clicks the email link can still change their password and get logged in, which appears fine from a security standpoint.

This test was roughly half AI-generated and half hand-reworked, using the tests I wrote for the previous PR as reference — all other code in this PR is hand-written from last year.

What the fix does
When a user submits a username on the "Forgot Password?" page, Keycloak sets that user on the authentication session. If the user then navigates back to the login page without completing the reset flow, Keycloak was showing only the identity providers linked to that specific user's account — leaking which social providers they had connected, which is a user enumeration vulnerability per the OWASP Forgot Password Cheat Sheet.
The fix detects the `RESET_CREDENTIAL_USER_CHOSEN` auth note in `UsernamePasswordForm` and clears the user from context before rendering the login page, so all configured IDPs are shown regardless of which user was identified during the reset flow.
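The reset-flow state and the login-page render described above, as an added model of the leak and of the fix (Python written for this page, not Keycloak code): only the auth note name comes from the PR; the `AuthSession` class, the function names and the realm data (users, IdPs, links) are constructed.

```python
"""Model of the login-page IdP filtering described in the PR (added example, not Keycloak code)."""
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional, Set

# Auth note name from the PR; everything else below is constructed for the model.
RESET_CREDENTIAL_USER_CHOSEN = "RESET_CREDENTIAL_USER_CHOSEN"

# Constructed realm data: configured IdPs and which IdPs each account has linked.
CONFIGURED_IDPS: List[str] = ["github", "google", "saml-corp"]
USER_IDP_LINKS: Dict[str, Set[str]] = {"alice": {"github"}, "bob": set()}


@dataclass
class AuthSession:
    """Stand-in for the authentication session: bound user plus auth notes."""
    user: Optional[str] = None
    auth_notes: Dict[str, str] = field(default_factory=dict)

    def clear_user(self) -> None:
        self.user = None


def forgot_password_submit(session: AuthSession, username: str) -> None:
    """'Forgot Password?' step: binds the entered user to the session and marks it."""
    session.user = username
    session.auth_notes[RESET_CREDENTIAL_USER_CHOSEN] = "true"


def idps_for_session(session: AuthSession) -> List[str]:
    """Login page IdP list: a bound user narrows it to that user's linked IdPs."""
    if session.user is None:
        return list(CONFIGURED_IDPS)
    linked = USER_IDP_LINKS.get(session.user, set())
    return [idp for idp in CONFIGURED_IDPS if idp in linked]


def render_login_vulnerable(session: AuthSession) -> List[str]:
    """Pre-fix: the user left over from the reset flow still filters the list."""
    return idps_for_session(session)


def render_login_fixed(session: AuthSession) -> List[str]:
    """Fix: a user identified only by the reset flow is dropped (with the note)
    before rendering, so the full configured list is shown for any username."""
    if session.auth_notes.pop(RESET_CREDENTIAL_USER_CHOSEN, None) is not None:
        session.clear_user()
    return idps_for_session(session)


def back_to_login(username: str, render: Callable[[AuthSession], List[str]]) -> List[str]:
    """Submit the reset form for `username`, then press Back to the login page."""
    session = AuthSession()
    forgot_password_submit(session, username)
    return render(session)
```

In the vulnerable render the list differs per username (one IdP for `alice`, none for `bob` or an unknown name), which is the enumeration signal the cheat sheet warns about; the fixed render returns the same full list for every input.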