Identity provider should not be hidden from login page when the a user goes back from the reset credentials page#33254
Identity provider should not be hidden from login page when the a user goes back from the reset credentials page#33254vilmosnagy wants to merge 3 commits intokeycloak:mainfrom
Conversation
cb87194 to
b962b95
Compare
|
Thanks for the PR! FYI if you want to link an issue you can use a keyword to do so. We try to avoid mentioning the issue in the title. I went ahead and edited the issue description to link it up. |
Unreported flaky test detectedIf the flaky tests below are affected by the changes, please review and update the changes accordingly. Otherwise, a maintainer should report the flaky tests prior to merging the PR. org.keycloak.testsuite.webauthn.registration.PolicyJsInjectionTest#relyingPartyIdKeycloak CI - WebAuthn IT (chrome) |
|
@vilmosnagy I haven't had the time to look into your PR yet, but the test failures seem to be related - actually only one test seems to be failing - a registration test. EDIT: sorry, didn't read your description properly - I agree with your proposal to fix the test as described. |
1cd5ec9 to
50b425a
Compare
|
@sguilhen thanks for your feedback, I've pushed the changes I described. As far as I see the failing tests are not connected to this PR (they seem to be js & db related, while I only touched registration-flow related code). Could you please move forward with the review? Thanks |
|
@ahus1 Could you please re-run the CI for this PR? Failures don´t seem related to the changes |
|
@vilmosnagy @ahus1 Yeah, this test has been failing in other PRs, but IIRC it was fixed last week (see #33440). Have you rebased your branch recently? |
|
Rebased just now, let's see what the tests report. |
|
@edewit I thought this duplicate group test was disabled last week, but it seems it is still happening like in this PR. Any ideas what we could do? |
|
@sguilhen I thought it was skipped as well, it seems it's not the case I've added a commit that disables this test to this PR |
|
Is that possible that the failing |
Signed-off-by: Vilmos Nagy <[email protected]>
Signed-off-by: Vilmos Nagy <[email protected]>
…ehaviour Signed-off-by: Vilmos Nagy <[email protected]> # Please enter the commit message for your changes. Lines starting # with '#' will be kept; you may remove them yourself if you want to. # An empty message aborts the commit. # # Date: Sun Oct 6 16:35:19 2024 +0200 # # On branch issue_33204 # Changes to be committed: # modified: testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/forms/RegisterTest.java #
bbde983 to
c8fd722
Compare
Yeah, it is likely a flaky one that needs to be looked into |
mposolda
left a comment
There was a problem hiding this comment.
@vilmosnagy Thanks for the PR! I think that the change in the test RegisterTest.testRegisterShouldFailBeforeUserCreationWhenUserIsInContext is OK IMO.
However I have one more scenario I would like to discuss, when user opens link from the email after click "Back". In details:
- User clicks "Forget password" on the login screen
- User chooses the username
john(Nowjohnuseris set in the authenticationSession) and there is email sent to the email address ofjohn - Now user click "Back" and login screen is displayed
- Now user goes to his email and clicks on the link from the email from step (2). Now what happens?
It seems to me that before this PR, user is verified and he is able to reset his password and then he is authenticated.
But can you check what happen after your changes?
I did not check, but I think that after your changes, the user is not verified as he is not anymore in the context of authenticationSession. IMO this change is fine if there is some sensible page displayed to the user like Action expired. Please continue here with the link where user can restart his login and continue from the start. But what is not OK is some unexpected error page like NullPointerException (I did not tried, but I have some suspicion that NPE can happen in AbstractActionTokenHandler.verifyEmail due the user cleared from auth session, but maybe I am wrong :-)
|
|
||
| private void clearUserIfComingFromResetPassword(AuthenticationFlowContext context) { | ||
| if ("true".equals(context.getAuthenticationSession().getAuthNote(RESET_CREDENTIAL_USER_CHOSEN))) { | ||
| context.clearUser(); |
There was a problem hiding this comment.
IMO it will be good to clear the RESET_CREDENTIAL_USER_CHOSEN note as well. Otherwise, during next invocation of this method, the user will be cleared again, which is not feasible.
An alternative and more generic approach might be to move this from UsernamePasswordForm somewhere to the upper layer (AuthenticationProcessor or DefaultAuthenticationFlow) and reset whole authenticationSession (something like AuthenticationPRocessor.resetFlow) when it is detected that flow was changed from reset-credentials back to the browser . However I am not sure if it is easily and reliably possible to detect this?
|
Hi @mposolda, Thanks for your review.
You're probably right—my changes might break the forgot password flow if the user navigates back to the login page before clicking on the email link. One question, though: do we need to show an action expired page in this case? For example, if I start the password reset flow on one device (e.g., mobile) and click the reset password link on another (e.g., desktop), the reset is allowed in the new session. The only difference is:
Would this approach be feasible for you? Just theorizing here, but maybe something like:
Either way: I see your points here, and I'll need a couple of days to write a few more tests. I'll get back to you once those are done. Thanks again, |
|
@vilmosnagy Yes, I think you are right. It will be better user experience if the user is authenticated similarly like in the current Keycloak main instead of displaying The only thing is, in the described scenario, the user might not be anymore in the context of authenticationSession after your changes. So perhaps in that case, it may be OK to add user back to the authenticationSession based on the info from the actionToken? I can see that Anyway, it will be good to add automated test for this scenario and make sure that it works as expected. Thanks a lot for the discussion and for the additional work on handling those cases! |
|
@vilmosnagy Any chance to continue on this PR? |
|
Sorry for the disappearance @mposolda - a newborn just arrived to my household in the past few weeks, and I had a few things to finish at my workplace before that. I'll try to finish this PR by the beginning of the new year - if I won't come back and push my changes to this PR by the 6th of January, then probably I won't be able to finish this in the next months. |
|
@vilmosnagy congratulations :) |
|
@vilmosnagy Sure, take your time. Keeping this PR opened for now. Congratulations! :-) |
|
Closing for now as PR is in the queue for very long time. |
Closes #33204.
Breaks only one test,
RegisterTest::testRegisterShouldFailBeforeUserCreationWhenUserIsInContext, which was added in #23064 (issue #21514) - that test covers basically the same bug (also reported by me). In the previous bug the steps to reproduce was:ResetCredentialChooseUserThe current issue (#33204) I'm having in short is:
My current fix checks whether a user has been set in the context during an attempted (and cancelled) reset credential flow - and if it has been set, then we clear them from the context when loading the login page.
If I modify the failing test (also written by me), would you be willing to merge this? Probably I need to:
RegisterTest::testRegisterShouldFailBeforeUserCreationWhenUserIsInContextone where the login page is skipped entirelycc @ahus1 @sguilhen @mposolda who was involved in the test which fails currently.