I was recording the login flow of our application that uses Keycloak to log in. I saw that when requesting a token with an authorization code, Keycloak doesn't use a state parameter:

.... POST /auth/realms/myrealm/protocol/openid-connect/token ....

Is there a setting in the Keycloak GUI where I can make Keycloak use a state parameter together with the authorization code as described in https://auth0.com/docs/secure/attack-protection/state-parameters? Or is there another way to achieve this?

Marc

2 Answers

The state parameter is used only in the Authorization Code flow, between the request and the response, and not further.
Meaning, in the first request you can generate a random value and pass it as the state parameter as shown below.

http://localhost:8080/auth/realms/REALM1/protocol/openid-connect/auth/?client_id=Client1&state=RandomValue123&redirect_uri=http://localhost:8081...

Note: I have not shown the full authorization URL and have removed other parameters.

Once the user login is successful, Keycloak will respond back to your redirect URL with the authorization code and also the state parameter value that was sent above.

http://localhost:8081?code=abc&state=RandomValue123

This ends the usage of the state parameter; it is not used in your subsequent access token or refresh token calls.

A simple explanation is that it gives you a relation between your first auth call and the response from Keycloak; a more detailed explanation can be found here -> What is the purpose of the 'state' parameter in OAuth authorization request

Umakanth
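To make the flow in this answer concrete from the client side, here is an added Python example that is not part of the original answer or of Keycloak itself. It shows the three steps the answer describes: the client generates a random state and puts it in the authorization URL, checks that the state echoed back on the redirect matches the stored one before accepting the code, and then builds the token request, which carries no state at all (which is what the recorded `/token` POST in the question shows). The realm name, client ID and redirect URI are assumed values for a local Keycloak, not taken from a real deployment.

```python
import secrets
from urllib.parse import urlencode, urlparse, parse_qs

# Assumed values for a local Keycloak instance (not from a real deployment).
KEYCLOAK_BASE = "http://localhost:8080/auth/realms/REALM1/protocol/openid-connect"
CLIENT_ID = "Client1"
REDIRECT_URI = "http://localhost:8081/callback"


def generate_state() -> str:
    """Unguessable per-login value; the client stores it in the user's session."""
    return secrets.token_urlsafe(32)


def build_authorization_url(state: str) -> str:
    """Step 1: the client sends the browser to Keycloak with the state attached."""
    params = {
        "client_id": CLIENT_ID,
        "response_type": "code",
        "scope": "openid",
        "redirect_uri": REDIRECT_URI,
        "state": state,
    }
    return f"{KEYCLOAK_BASE}/auth?{urlencode(params)}"


def handle_callback(callback_url: str, expected_state: str) -> str:
    """Step 2: Keycloak redirects back with code and state. The client must
    compare the echoed state with the value it stored before it accepts the
    code; a mismatch means the callback is not tied to a login this client
    started, so the code is rejected."""
    query = parse_qs(urlparse(callback_url).query)
    returned_state = query.get("state", [None])[0]
    code = query.get("code", [None])[0]
    if returned_state is None or not secrets.compare_digest(returned_state, expected_state):
        raise ValueError("state mismatch: callback not tied to a login this client started")
    if code is None:
        raise ValueError("callback carries no authorization code")
    return code


def build_token_request(code: str) -> dict:
    """Step 3: the back-channel POST body for /token. There is no state field
    here; a confidential client would add its client_secret (omitted)."""
    return {
        "grant_type": "authorization_code",
        "code": code,
        "redirect_uri": REDIRECT_URI,
        "client_id": CLIENT_ID,
    }


if __name__ == "__main__":
    state = generate_state()
    print(build_authorization_url(state))
    # Constructed callback URL, shaped like what Keycloak returns after login.
    callback = f"{REDIRECT_URI}?code=abc&state={state}"
    code = handle_callback(callback, state)
    print(build_token_request(code))
```

The check in `handle_callback` is the whole point of the parameter: Keycloak only echoes the value, so the CSRF protection described in the linked Auth0 page exists only if the client application stores the state and verifies it itself.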
The state parameter is created by the party initializing the login, and then Keycloak should give back the same state parameter after finalizing its credentials validation. All of this is just before exchanging the code for an access_token.

  • OK, thank you for the answer. So I will try to find out how to do this with our Java EE application – Marc Oct 22 '22 at 13:53