Reputation: 1
pac4j raises "State cannot be determined" after OIDC callback and Keycloak provider
I am currently trying to use testing Pac4j (v4.5.7) along with Payara 5 (Java 8) and Keycloak 16.1.1 after a previous attempt to use the OIDC Connect client available with Payara API.
I simply tried to use a single pac4j client, the OIDC connect.
Unfortunately I obtained a similar error to my previous attempt with Payara OIDC APIs, so I am starting thinking there is something that changed overtime because I think I am not the only user of these technologies...
After the login process the session is available on keycloak, but after the OIDC callback is invokated I receive this error:
org.pac4j.core.exception.TechnicalException: State cannot be determined
Using the OIDC connect Client include in Payara I obtained a similar error:
Expected state not found
This is how the callback url appears:
http://192.168.1.11:8080/svc/login/oidc_callback?client_name=KeycloakOidcClient&state=ee6cb6f634&session_state=3b74a47d-da7a-451c-8c5e-9ae857b37017&code=6202b059-1b62-44c6-ab38-9b63d13ed0b9.3b74a47d-da7a-451c-8c5e-9ae857b37017.4f4dd20b-fd60-4228-b5d2-e6287ce200f4
I initially thought the SameSite cookie settings was a possible issue but I noted that this version of Keycloak is already using "none" as value.
My keycloak runs on HTTPS while Payara is in test running on HTTP.
These are my pac4j libs:
pac4j core 4.5.7
pac4j oidc 4.5.7
jee-pac4j 5.0.0
Is there any issue that prevent the use of the pac4j v.4 with todays browsers ? I would need to stay with Java 8... that's why I am locked on these versions...
I would expect to have a valid session available on the request.
Thank you in advance for any suggestion,
Best Roberto
Upvotes: 0
Views: 1072
Answers (1)
Reputation: 2699
The state is generated before the redirection to Keycloak and saved into the web session. After the login process, the returned state is compared to the one retrieved from the web session.
So you must have a problem with your web session: a new one is created or something like this. Track your JSESSIONID cookie to see if its value changes before and after logging in at Keycloak?
In the old v4 of pac4j, the Same-state policy was not handled so this is also a lead for your problem.
Upvotes: 0
Related Questions
- PAC4J OIDC: "State cannot be determined" after AzureAd authentication
- how to configure correct state transfer in pac4j
- How to change the name of the OIDC Client in pac4j
- pac4j raises "State cannot be determined" when trying to get keycloakOidcProfile after OIDC callback and Keycloak provider
- OIDC Callback URL 404 - pac4j
- 401 Client Error: Unauthorized for url [mozilla-django-oidc - Keycloack]
- Spring Boot Security and Keycloak - receive 403 forbidden /sso/login after successfull login when using HTTPS
- Keycloak redirect_uri from docker container with Spring Security (Jhispter)