KeyCloak Integration with Azure ADB2C - Missing State Parameter

Question

I’ve integrated “KeyCloak” (identity broker) with Azure ADB2C for authenticating a user.

Firstly, the user ADB2C Login user flow endpoint integrated with Keycloak and tested it, which is absolutely fine. Also, we have integrated B2C “Forgot Password” userflow endpoint with Keycloak, Upon successful Forgot Password completion in B2C, while redirecting the response back to the keycloak we are seeing an error response from the Keycloak screen as - “Missing State Parameter in Response From Identity Provider”

In the request url has Scope, Client_id, State, Response_type, Redirect_URI, nonce. But in the B2C response url contains “Client_ID”, response_type, scope and redirect_Uri.

So far, unable to find a way to handle this issue. Please suggest, if there is any approach to handle this issue either from the ADB2C or Key-Cloak.

“ADB2C- Implemented with OAuth standard authentication protocol”

Keycloak error page code:- “Missing State Parameter In Response from Identity Provider”

Thank you.

In the request URL to AAD B2C forgot password endpoint, is Keycloak passing the state parameter? — Jas Suri - MSFT, Dec 07 '21 at 10:02
Yes, there is a state param presented in the request url coming from keycloak to B2C. — CloudSpace03, Dec 07 '21 at 16:22
Hi Jas Suri. Just want to check if there any alternate approache to handle this scenarios from ADB2C or Keycloak. Thanks! — CloudSpace03, Dec 07 '21 at 22:10
B2C should always pass a state param back if you send it one. Double check the network trace to see what’s happening. — Jas Suri - MSFT, Dec 08 '21 at 08:25

score 0 · Answer 1 · answered Dec 10 '21 at 12:23

• The ‘state’ parameter is used by the client to maintain state between the request and callback. The authorization server includes this value when redirecting the user-agent back to the client. The parameter SHOULD be used for preventing cross-site request forgery attacks. In your case, the keycloak identity broker service is the authorization service while Azure AD B2C is the client.

• And since, the state parameter is missing in the response URL from Azure AD B2C, it might be the case that redirect URIs for the keycloak identity broker or the application may not be correctly configured in Azure AD B2C due to which keycloak throws an error of state parameter missing.

• Keycloak might have considered this response as a CSRF attack due to the missing state parameter and thus displayed an error whereas in Azure AD B2C, the redirection URI relating to specific keycloak page might not be correctly configured due to which though the response reached keycloak default URI but not the intended application integrated URI due to which the state parameter might be missing.

Please refer the below documentation links regarding CSRF and state parameter configuration as well as redirection URI in Azure AD B2C: -

https://datatracker.ietf.org/doc/html/rfc6749#section-10.12

https://learn.microsoft.com/en-us/azure/active-directory/develop/reply-url

KeyCloak Integration with Azure ADB2C - Missing State Parameter

1 Answers1