Open paxlo opened 1 month ago
Hi @paxlo!
I cannot reproduce it. I have configured your flow in Keycloak 26 (but without the Identity Provider Redirector) and it works OK for me. It works the first time (when doing the login using username and password) and in subsequent tries. Obviously I have not tested with SonarQube but with the Keycloak account console and a local Java SAML application. I have tested with a browser in incognito mode so it was clean at the beginning. Besides, I don't know what you mean by corporate cookies.
You can show more information about the flow execution by adding trace to the authentication category: --log-level INFO,org.keycloak.authentication:TRACE. We need more information to manage this issue.
Thanks for reporting this issue, but there is insufficient information or lack of steps to reproduce.
Please provide additional details, otherwise this issue will be automatically closed within 14 days.
Before reporting an issue
Area
core
Describe the bug
There is the following authentication flow for a SAML client (for SonarQube in my example). The idea for the flow was taken from here and works correctly, but only in a browser containing corporate cookies.
The client:
If I use any other browser without any cookies, I can log in to SonarQube once (even if my user is not in the sonar-users group!) by going through the authentication process of the corporate account. After logging out of SQ I can no longer log in, which is the expected behavior.
Version
25.0.2
Regression
Expected behavior
A user who is not a member of a group should not be allowed to log in from a clean browser.
Actual behavior
A user who is not a member of the group can access the service from a clean browser once (until logout).
How to Reproduce?
Anything else?
No response