From 2c43d8f0ce1829fb89612dbb9ed8847200af8408 Mon Sep 17 00:00:00 2001
From: Serreau Jovann
Date: Thu, 26 Mar 2026 09:03:23 +0100
Subject: [PATCH] fix: forcer session save et retry automatique pour SSO invalid state

Sauvegarde explicite de la session avant la redirection OAuth pour garantir la persistance du state parameter. Retry automatique du flow SSO en cas d'InvalidStateAuthenticationException.

Co-Authored-By: Claude Opus 4.6 (1M context)
---
 src/Controller/EtlController.php | 4 +++-
 src/Controller/HomeController.php | 4 +++-
 src/Security/EtlKeycloakAuthenticator.php | 5 +++++
 src/Security/KeycloakAuthenticator.php | 5 +++++
 4 files changed, 16 insertions(+), 2 deletions(-)

diff --git a/src/Controller/EtlController.php b/src/Controller/EtlController.php
index 7713b47..ba5290f 100644
--- a/src/Controller/EtlController.php
+++ b/src/Controller/EtlController.php
@@ -1077,7 +1077,7 @@ class EtlController extends AbstractController
 }
 
 #[Route('/etl/connect/keycloak', name: 'connect_keycloak_etl_start')]
- public function connectKeycloakEtlStart(ClientRegistry $clientRegistry): Response
+ public function connectKeycloakEtlStart(ClientRegistry $clientRegistry, Request $request): Response
 {
 $response = $clientRegistry
 ->getClient('keycloak_etl')
@@ -1085,6 +1085,8 @@ class EtlController extends AbstractController
 $response->headers->set('Cache-Control', 'no-store, no-cache, must-revalidate');
 $response->headers->set('Pragma', 'no-cache');
 
+ $request->getSession()->save();
+
 return $response;
 }
 
diff --git a/src/Controller/HomeController.php b/src/Controller/HomeController.php
index c9fc95b..805014f 100644
--- a/src/Controller/HomeController.php
+++ b/src/Controller/HomeController.php
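Review bot: The new `$request->getSession()->save()` in connectKeycloakEtlStart has no comment saying why a manual save is needed, and Session::save() writes and closes the session for the remainder of the request, so any later session write in the same request would be dropped silently; a why-comment such as `// Flush the session now so the OAuth2 "state" value is stored before the browser follows the redirect to Keycloak.` should sit directly above it. The call only helps when the defect is the session not being written before the redirect is issued; if the callback request arrives without the session cookie at all (a cross-site redirect under a restrictive SameSite setting, for example), the state still cannot be found and the retry this patch adds to the authenticators would simply repeat the failure, so it is worth confirming which case is actually observed. The identical change in HomeController::connect (next hunk) has the same gap. connectKeycloakEtlStart's body spans both hunks, and the line between them is outside the view.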
@@ -26,7 +26,7 @@ class HomeController extends AbstractController
 {
 
 #[Route('/intranet/connect/keycloak', name: 'connect_keycloak_start')]
- public function connect(ClientRegistry $clientRegistry): Response
+ public function connect(ClientRegistry $clientRegistry, Request $request): Response
 {
 $response = $clientRegistry
 ->getClient('keycloak')
@@ -34,6 +34,8 @@ class HomeController extends AbstractController
 $response->headers->set('Cache-Control', 'no-store, no-cache, must-revalidate');
 $response->headers->set('Pragma', 'no-cache');
 
+ $request->getSession()->save();
+
 return $response;
 }
 
diff --git a/src/Security/EtlKeycloakAuthenticator.php b/src/Security/EtlKeycloakAuthenticator.php
index 875d003..310683d 100644
--- a/src/Security/EtlKeycloakAuthenticator.php
+++ b/src/Security/EtlKeycloakAuthenticator.php
@@ -17,6 +17,7 @@ use Symfony\Component\Security\Http\Authenticator\Passport\Passport;
 use Symfony\Component\Security\Http\Authenticator\Passport\SelfValidatingPassport;
 use Symfony\Component\Security\Http\EntryPoint\AuthenticationEntryPointInterface;
 use Symfony\Component\Uid\Uuid;
+use KnpU\OAuth2ClientBundle\Security\Exception\InvalidStateAuthenticationException;
 
 class EtlKeycloakAuthenticator extends OAuth2Authenticator implements AuthenticationEntryPointInterface
 {
@@ -89,6 +90,10 @@ class EtlKeycloakAuthenticator extends OAuth2Authenticator implements Authentica
 
 public function onAuthenticationFailure(Request $request, AuthenticationException $exception): ?Response
 {
+ if ($exception instanceof InvalidStateAuthenticationException) {
+ return new RedirectResponse($this->router->generate('connect_keycloak_etl_start'));
+ }
+
 $message = strtr($exception->getMessageKey(), $exception->getMessageData());
 return new Response($message, Response::HTTP_FORBIDDEN);
 }
diff --git a/src/Security/KeycloakAuthenticator.php b/src/Security/KeycloakAuthenticator.php
index 72f35ab..5729847 100644
--- a/src/Security/KeycloakAuthenticator.php
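Review bot: The retry added to EtlKeycloakAuthenticator::onAuthenticationFailure is unbounded: when the state mismatch has a persistent cause (the session cookie not being presented on the callback, for instance), the redirect to `connect_keycloak_etl_start` yields the same InvalidStateAuthenticationException on the next callback and the browser loops between the application and Keycloak with no user interaction, while the mismatch — the flow's CSRF check — is never surfaced or logged. A retry counter kept in the session is no remedy, because session state failing to persist is the very symptom being retried; a short-lived cookie set on the retry response survives independently of the session, so the second failure can fall through to the existing forbidden response. The same unbounded retry is added to KeycloakAuthenticator in the next hunk, and both hunks append the new `use` line after the Symfony group rather than keeping the import list sorted. The `RedirectResponse` import and the `$this->router` property the new lines rely on are outside the hunk, so I could not confirm them; the sketch below additionally needs `Symfony\Component\HttpFoundation\Cookie` imported, and the cookie name is a constructed placeholder.
```php
if ($exception instanceof InvalidStateAuthenticationException) {
    // Retry once only. The marker is a cookie rather than session state,
    // because a session that fails to persist is the condition being retried.
    if (!$request->cookies->has('sso_state_retry')) { // constructed cookie name
        $response = new RedirectResponse($this->router->generate('connect_keycloak_etl_start'));
        $response->headers->setCookie(Cookie::create('sso_state_retry', '1', time() + 60));

        return $response;
    }
    // Second consecutive state mismatch: do not loop, let the forbidden response below report it.
}
// … unchanged: message lookup and forbidden response …
```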
+++ b/src/Security/KeycloakAuthenticator.php
@@ -18,6 +18,7 @@ use Symfony\Component\Security\Http\Authenticator\Passport\Passport;
 use Symfony\Component\Security\Http\Authenticator\Passport\SelfValidatingPassport;
 use Symfony\Component\Security\Http\EntryPoint\AuthenticationEntryPointInterface;
 use Symfony\Component\Uid\Uuid;
+use KnpU\OAuth2ClientBundle\Security\Exception\InvalidStateAuthenticationException;
 
 class KeycloakAuthenticator extends OAuth2Authenticator implements AuthenticationEntryPointInterface
 {
@@ -91,6 +92,10 @@ class KeycloakAuthenticator extends OAuth2Authenticator implements Authenticatio
 
 public function onAuthenticationFailure(Request $request, AuthenticationException $exception): ?Response
 {
+ if ($exception instanceof InvalidStateAuthenticationException) {
+ return new RedirectResponse($this->router->generate('connect_keycloak_start'));
+ }
+
 $message = strtr($exception->getMessageKey(), $exception->getMessageData());
 return new Response($message, Response::HTTP_FORBIDDEN);
 }