
In my application, user management is done through Keycloak. While testing my application end-to-end through Cypress, I came across an issue. When I sign up a user, it gives the following error:

We're sorry. An error has occurred, please login again through your application.

Cypress is adding something to a generated URL after I click the submit button, which is causing this issue. The same scenario tested through Protractor ran fine. I have noticed Cypress is appending session_code to the request URL. While doing manual testing, I don't get session_code.

Below is the URL generated through Cypress:

.../login-actions/registration?session_code=LsZbmsVVLwEH9s-xwFJ2JdDtaCu1_xzqAGOQCpjxGJI&execution=06fac3bb-fb19-474b-8659-2572586ae371&client_id=web_app&tab_id=PSlmfgdv0ls

Whereas a manually generated URL looks like the following:

.../login-actions/registration?client_id=web_app&tab_id=PSlmfgdv0ls

My application backend is Spring Boot and the front-end is in React and Next.js.

It would be really helpful if anyone could guide us through this issue. Please let me know if you need more information about our application.

jacefarm
Wajeeha Ahmed

1 Answer


The Keycloak Authenticator documentation explains that the authenticate method checks the current HTTP request to determine if authentication requirements have been satisfied, and, if not, a challenge response is sent back. If the challenge response itself is authentication, then you'll see a URL with the session_code parameter.

It goes on to say that session_code, in the first URL example, pertains to the code generated from AuthenticationFlowContext.generateAccessCode(), which further explains:

String generateAccessCode()

Generates access code and updates clientsession timestamp. Access codes must be included in form action callbacks as a query parameter.

However, the "manually" generated URL, that does not include the session_code parameter, seems to indicate that the initial registration of the client has been successful and a client configuration endpoint is being used to make a GET request - a client read request - and all is well. Everything works fine.

Therefore, it seems that Cypress is being sent a challenge response (and potentially exposing a security flaw in your application). Possible reasons for this might be further explained within Cypress's documentation on Web Security.

Common Workarounds might provide you with a remedy, or, if all else fails, you might try Disabling Web Security for testing purposes as well.

jacefarm
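The answer above turns on one observable difference: a Keycloak `login-actions` URL that carries `session_code` and `execution` is the result of an Authenticator challenge, while one that carries only `client_id` and `tab_id` is the plain registration form. The following is an added example, not code from the question, the answer or the Keycloak project, that makes that distinction checkable from a test. The two sample URLs are constructed to mirror the shapes shown in the question (the host, realm and parameter values are assumptions); `classifyLoginActionsUrl` reports whether a URL is a challenge, and `diffQueryParams` lists which parameters one URL has that the other lacks, which is the "what did Cypress add?" question.

```javascript
// Added example (not part of the original post). Uses only the WHATWG URL API,
// which exists both in Node and in the browser (so it works inside a Cypress
// spec), with no third-party dependencies.

// Constructed sample inputs that mirror the two URLs in the question; host,
// realm and all parameter values are assumptions.
const CYPRESS_URL =
  "https://keycloak.example.test/realms/demo/login-actions/registration" +
  "?session_code=LsZbmsVVLwEH9s-xwFJ2JdDtaCu1_xzqAGOQCpjxGJI" +
  "&execution=06fac3bb-fb19-474b-8659-2572586ae371" +
  "&client_id=web_app&tab_id=PSlmfgdv0ls";
const MANUAL_URL =
  "https://keycloak.example.test/realms/demo/login-actions/registration" +
  "?client_id=web_app&tab_id=PSlmfgdv0ls";

// Parameters that appear only when an Authenticator has issued a challenge:
// session_code is the access code from generateAccessCode(), execution is the
// id of the authentication execution that produced it.
const CHALLENGE_PARAMS = ["session_code", "execution"];

// Classify a Keycloak login-actions URL by the query parameters it carries.
// Returns an object a test can assert on rather than printing anything.
function classifyLoginActionsUrl(href) {
  const url = new URL(href);
  const params = url.searchParams;
  const present = CHALLENGE_PARAMS.filter((name) => params.has(name));
  return {
    path: url.pathname,
    clientId: params.get("client_id"),
    tabId: params.get("tab_id"),
    // A challenge URL carries both parameters; one alone would be malformed
    // and is reported via challengeParams rather than treated as a challenge.
    isChallenge: present.length === CHALLENGE_PARAMS.length,
    challengeParams: present,
  };
}

// Compare the query strings of two URLs and report which parameter names are
// only in the second (added), only in the first (removed), or differ in value
// (changed). Order follows the order of appearance in each URL.
function diffQueryParams(baselineHref, observedHref) {
  const base = new URL(baselineHref).searchParams;
  const obs = new URL(observedHref).searchParams;
  const added = [...obs.keys()].filter((k) => !base.has(k));
  const removed = [...base.keys()].filter((k) => !obs.has(k));
  const changed = [...base.keys()].filter(
    (k) => obs.has(k) && obs.get(k) !== base.get(k)
  );
  return { added, removed, changed };
}

// Usage inside a Cypress spec (assumed test structure; cy.location() is a
// real Cypress command that yields window.location):
//
//   cy.location("href").then((href) => {
//     const result = classifyLoginActionsUrl(href);
//     expect(result.isChallenge, "Keycloak issued a challenge").to.equal(false);
//   });
//
// Failing this assertion tells you that the browser was sent a challenge
// response rather than the registration form, which is the condition the
// answer above points at.

module.exports = { classifyLoginActionsUrl, diffQueryParams, CYPRESS_URL, MANUAL_URL };
```

The `diffQueryParams` output is the thing to paste into a bug report or compare between Cypress and a manual run: if the only difference is `session_code` plus `execution`, the browser under Cypress was redirected through an Authenticator challenge and the investigation moves to why that challenge fired (the Cypress Web Security page the answer links to covers the cross-origin and cookie behaviour most likely to cause it).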