CloudSpace03

Reputation: 35

KeyCloak Integration with Azure ADB2C - Missing State Parameter

I’ve integrated “Keycloak” (identity broker) with Azure ADB2C for authenticating a user.

Firstly, we integrated the ADB2C Login user flow endpoint with Keycloak and tested it, which is absolutely fine. We have also integrated the B2C “Forgot Password” user flow endpoint with Keycloak. Upon successful Forgot Password completion in B2C, while the response is being redirected back to Keycloak, we see an error on the Keycloak screen: “Missing State Parameter in Response From Identity Provider”.

The request URL has scope, client_id, state, response_type, redirect_uri and nonce, but the B2C response URL contains client_id, response_type, scope and redirect_uri.

So far, we have been unable to find a way to handle this issue. Please suggest whether there is any approach to handle it, either from ADB2C or Keycloak.

ADB2C is implemented with the OAuth standard authentication protocol.

Keycloak error page code:

Missing State Parameter In Response from Identity Provider

Upvotes: 0

Views: 3534

Answers (1)

Kartik Bhiwapurkar

Reputation: 5165

• The ‘state’ parameter is used by the client to maintain state between the request and the callback. The authorization server includes this value when redirecting the user-agent back to the client. The parameter SHOULD be used for preventing cross-site request forgery attacks. In your case, the Keycloak identity broker service is the authorization service while Azure AD B2C is the client.

• And since the state parameter is missing in the response URL from Azure AD B2C, it might be the case that the redirect URIs for the Keycloak identity broker or the application are not correctly configured in Azure AD B2C, due to which Keycloak throws an error that the state parameter is missing.

• Keycloak might have treated this response as a CSRF attack due to the missing state parameter and thus displayed an error, whereas in Azure AD B2C the redirection URI for the specific Keycloak page might not be correctly configured, so that although the response reached the Keycloak default URI, it did not reach the intended application-integrated URI, which is why the state parameter might be missing.

Please refer to the documentation links below regarding CSRF and state parameter configuration, as well as redirection URIs in Azure AD B2C:

https://datatracker.ietf.org/doc/html/rfc6749#section-10.12

https://learn.microsoft.com/en-us/azure/active-directory/develop/reply-url

Upvotes: 0
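The state check behind the error in the question, as an added Python example; this is not code from the question, the answer, Keycloak or Azure AD B2C. It plays the side that builds the authorization request and receives the callback (Keycloak's broker endpoint, in the asker's setup): it generates a random state bound to the login session, sends it in the authorization request, and on the callback rejects any response that omits the state or returns a different one. The three callback URLs it feeds itself are constructed, including one shaped like the asker's B2C response (client_id, response_type, scope and redirect_uri, no state). The B2C host, policy name, client ID and Keycloak redirect URI are placeholder assumptions.

```python
import hmac
import secrets
from urllib.parse import parse_qs, urlencode, urlparse

# Constructed placeholders (not the asker's tenant, client or realm).
B2C_AUTHORIZE_URL = ("https://contoso.b2clogin.com/contoso.onmicrosoft.com/"
                     "B2C_1_signupsignin/oauth2/v2.0/authorize")
CLIENT_ID = "00000000-0000-0000-0000-000000000000"
REDIRECT_URI = "https://keycloak.example.com/realms/myrealm/broker/azure-b2c/endpoint"


class BrokerSession:
    """Per-login session on the relying-party side; holds the expected state and nonce."""
    def __init__(self):
        self.state = None
        self.nonce = None


def build_authorization_request(session: BrokerSession) -> str:
    """Mint a fresh state/nonce, remember them in the session, and build the authorize URL."""
    session.state = secrets.token_urlsafe(32)
    session.nonce = secrets.token_urlsafe(32)
    params = {
        "client_id": CLIENT_ID,
        "response_type": "code",
        "scope": "openid",
        "redirect_uri": REDIRECT_URI,
        "state": session.state,
        "nonce": session.nonce,
    }
    return B2C_AUTHORIZE_URL + "?" + urlencode(params)


def handle_callback(session: BrokerSession, callback_url: str) -> dict:
    """Validate the identity provider's redirect before trusting anything in it.

    Order matters: the state is checked first, so an attacker-initiated or
    cross-site callback is rejected before any code is exchanged.
    """
    query = parse_qs(urlparse(callback_url).query)
    returned_state = query.get("state", [None])[0]
    if returned_state is None:
        # This is the situation in the question: the IdP redirected without state.
        return {"ok": False, "error": "Missing state parameter in response from identity provider"}
    if session.state is None or not hmac.compare_digest(
            returned_state.encode(), session.state.encode()):
        return {"ok": False, "error": "State mismatch: possible CSRF or stale session"}
    session.state = None  # state is single-use; a replayed callback fails the check above
    if "error" in query:
        return {"ok": False, "error": "IdP error: " + query["error"][0]}
    code = query.get("code", [None])[0]
    if code is None:
        return {"ok": False, "error": "No authorization code in response"}
    return {"ok": True, "code": code}


def run_demo() -> dict:
    """Exercise the three cases: correct echo, missing state, attacker-chosen state."""
    # Case 1: the IdP echoes the state it was given (constructed callback).
    s1 = BrokerSession()
    build_authorization_request(s1)
    good_cb = REDIRECT_URI + "?" + urlencode({"code": "AUTH_CODE_123", "state": s1.state})
    good = handle_callback(s1, good_cb)

    # Case 2: constructed callback shaped like the asker's B2C response, with no state.
    s2 = BrokerSession()
    build_authorization_request(s2)
    no_state_cb = REDIRECT_URI + "?" + urlencode({
        "client_id": CLIENT_ID, "response_type": "code",
        "scope": "openid", "redirect_uri": REDIRECT_URI,
    })
    missing = handle_callback(s2, no_state_cb)

    # Case 3: constructed cross-site callback carrying a state the session never issued.
    s3 = BrokerSession()
    build_authorization_request(s3)
    forged_cb = REDIRECT_URI + "?" + urlencode({"code": "x", "state": "attacker-chosen"})
    forged = handle_callback(s3, forged_cb)

    return {"good": good, "missing": missing, "forged": forged}


if __name__ == "__main__":
    for name, result in run_demo().items():
        print(name, result)
```

The check is deliberately on the receiving side only: a relying party cannot recover a state the identity provider dropped, so when the callback arrives without it the only safe outcome is the rejection the question reports, and the fix has to be in whatever caused the provider not to echo it back.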
