
page-expired error page shown when using browser back-button on forgot-password page after invalid login attempt #25440

@thomasdarimont

Description



Area

authentication

Describe the bug

Currently a page-expired error page is shown when using the browser back-button on the forgot password page after trying to login with invalid credentials.

Version

23.0.1

Expected behavior

When clicking the browser back-button the normal login page should be shown.

Actual behavior

Currently a page-expired error page is shown.

How to Reproduce?

Currently a page-expired error page is shown when performing the following:

  1. Open login page
  2. Enter the username of an existing user with an invalid password and click login
  3. Click forgot password
  4. Use browser back-button

You should now see a page expired error.

Anything else?

Problem seems to be that the current execution id gets changed during the forgot password execution. Since the old execution is still available in the getExecutionStatus() map as "CHALLENGED" we could just try to match it, and if found could allow the page refresh, without the error.

I think this can be solved by changing the code here: https://github.com/keycloak/keycloak/blob/main/services/src/main/java/org/keycloak/services/resources/SessionCodeChecks.java#L258

From:

if (execution == null || execution.equals(lastExecFromSession)) {

To:

if (execution == null || execution.equals(lastExecFromSession) || CommonClientSessionModel.ExecutionStatus.CHALLENGED.equals(authSession.getExecutionStatus().get(execution))) {

With this fix, I get the "correct" behaviour.
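The following is an added stand-alone model of the check described in the issue, not Keycloak's own code: it keeps a per-session execution status map and contrasts the original condition with the proposed one. The class and method names (ExecutionCheckDemo, AuthSession, acceptsOriginal, acceptsProposed) and the execution ids are assumptions constructed for the example.

```java
import java.util.HashMap;
import java.util.Map;

// Hypothetical model of the execution check in SessionCodeChecks (names are
// assumptions, not Keycloak's API); shows why the old login-form execution is
// rejected today and accepted with the proposed condition.
public class ExecutionCheckDemo {

    enum ExecutionStatus { SUCCESS, CHALLENGED, FAILED, ATTEMPTED }

    // The per-authentication-session state: the status map that
    // getExecutionStatus() returns and the execution id of the last rendered form.
    static class AuthSession {
        final Map<String, ExecutionStatus> executionStatus = new HashMap<>();
        String lastExecution;
    }

    // Original behaviour: only the execution recorded in the session is accepted.
    static boolean acceptsOriginal(AuthSession s, String execution) {
        return execution == null || execution.equals(s.lastExecution);
    }

    // Proposed behaviour: additionally accept an execution that this same session
    // already challenged, which is what the browser's cached login page still
    // references after the back-button. Ids the session never challenged stay rejected.
    static boolean acceptsProposed(AuthSession s, String execution) {
        return execution == null
            || execution.equals(s.lastExecution)
            || ExecutionStatus.CHALLENGED.equals(s.executionStatus.get(execution));
    }

    public static void main(String[] args) {
        AuthSession s = new AuthSession();
        // Constructed sample: the login form was challenged (invalid password),
        // then "forgot password" became the current execution.
        s.executionStatus.put("exec-login-form", ExecutionStatus.CHALLENGED);
        s.lastExecution = "exec-forgot-password";

        // Back-button resubmits the old login-form execution id.
        System.out.println("original accepts old login form: " + acceptsOriginal(s, "exec-login-form"));
        System.out.println("proposed accepts old login form: " + acceptsProposed(s, "exec-login-form"));
        // An id this session never challenged must still be rejected by both checks.
        System.out.println("proposed accepts unknown id:     " + acceptsProposed(s, "exec-unknown"));
    }
}
```

Because the lookup goes through the session's own status map, the relaxed condition only admits executions this authentication session has already challenged, not arbitrary execution ids.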
