fix: prevent HTTP cache from storing OAuth state redirects

Add Cache-Control: no-store headers to Keycloak OAuth start routes so the
HTTP kernel cache never caches the redirect-with-state response, which
caused "Invalid state parameter" errors on subsequent logins.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Serreau Jovann
2026-03-10 09:11:16 +01:00
parent 51a4f83833
commit 3c7f035f7a
2 changed files with 15 additions and 7 deletions


@@ -1077,11 +1077,15 @@ class EtlController extends AbstractController
}
#[Route('/etl/connect/keycloak', name: 'connect_keycloak_etl_start')]
public function connectKeycloakEtlStart(ClientRegistry $clientRegistry): RedirectResponse
public function connectKeycloakEtlStart(ClientRegistry $clientRegistry): Response
{
return $clientRegistry
$response = $clientRegistry
->getClient('keycloak_etl')
->redirect(['openid', 'profile', 'email']);
$response->headers->set('Cache-Control', 'no-store, no-cache, must-revalidate');
$response->headers->set('Pragma', 'no-cache');
return $response;
}
#[Route('/etl/oauth/sso', name: 'connect_keycloak_etl_check')]
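Review bot: The two `$response->headers->set(...)` lines in connectKeycloakEtlStart() disable caching with a raw Cache-Control string plus `Pragma: no-cache`, but `Pragma` has no defined meaning in an HTTP/1.1 response and is only honoured by legacy caches, while the directive that actually matters here is `no-store` (Symfony's `Response::isCacheable()` treats a response carrying `no-store` or `private` as not cacheable, so that is what keeps the HttpCache kernel from storing it). Because the redirect carries a per-session OAuth `state`, it should also be marked `private` so that no shared cache in front of the app can hand one user's state to another, which is the failure mode behind the "Invalid state parameter" errors the commit message describes. Symfony's Response already expresses this in one call: `$response->setCache(['no_store' => true, 'private' => true]);` replaces both `headers->set()` calls. The same two header lines are duplicated in HomeController::connect in the second file; since every future OAuth start action needs the identical treatment, a small shared helper or a kernel.response listener keyed on the `connect_keycloak_*_start` route names would make the protection hard to forget.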


@@ -26,19 +26,23 @@ class HomeController extends AbstractController
{
#[Route('/intranet/connect/keycloak', name: 'connect_keycloak_start')]
public function connect(ClientRegistry $clientRegistry)
public function connect(ClientRegistry $clientRegistry): Response
{
// Redirects to Keycloak
return $clientRegistry
$response = $clientRegistry
->getClient('keycloak')
->redirect(['email', 'profile', 'openid'], []);
$response->headers->set('Cache-Control', 'no-store, no-cache, must-revalidate');
$response->headers->set('Pragma', 'no-cache');
return $response;
}
#[Route('/intranet/oauth/sso', name: 'connect_keycloak_check')]
public function connectCheck(Request $request)
public function connectCheck(Request $request): Response
{
// This method stays empty; the authenticator will intercept it!
return new Response();
}
#[Route(path: '/intranet', name: 'app_home', options: ['sitemap' => false], methods: ['GET','POST'])]
public function index(AuthenticationUtils $authenticationUtils): Response
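Review bot: The `// Redirects to Keycloak` comment in connect() no longer explains the non-obvious part of the method, which is why the redirect must not be cached; suggest replacing it with `// Redirect to Keycloak; the response carries a per-session OAuth state and must never be served from any cache (see Cache-Control below)`. The scope list `['email', 'profile', 'openid']` and the trailing empty options array differ in order and shape from the EtlController call, which is harmless but makes the two start actions harder to compare side by side; aligning them would help. connectCheck now declares `: Response` while its `Request $request` parameter remains unused; if the authenticator is the only thing meant to handle that route, either drop the parameter or extend the existing comment to say it is kept for the authenticator's benefit, so the signature does not suggest the controller reads the callback itself.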