Invalid control character in SSO cookie

In our current setup, we use an external database through user federation for querying users, checking passwords and creating/removing users. For this we have implemented our own service provider (UserStorageProvider, UserLookupProvider, CredentialInputValidator, CredentialInputUpdater, UserRegistrationProvider).

Login and user registration are accomplished through a Keycloak theme, and the data is handled by the service provider, which sends it to the external database.

When a user decides to create an account where the username contains a “foreign character” like Ø, Ö, or Ä, the user is correctly registered in the external database, but any further request to Keycloak from the browser that holds the newly issued SSO cookie causes an internal server error in Keycloak.

It is not even possible to logout, since that operation uses the SSO cookie.

The error thrown in Keycloak:
java.lang.IllegalArgumentException: UT000173: An invalid control character [239] was present in the cookie value or attribute

Inspecting the cookie in Firefox, you can see the encoding problem with these characters.

I understand that the user id has the following format:
"f:" + component id + ":" + external id
Where external id defaults to the username that the user enters when registering.

Unless there’s a simple solution to my problem, I would instead like to sidestep the problem with invalid characters and to provide a customized identifier for the external id. I would like this customized identifier to be provided by the external database.
Currently the “create account” request is sent to the external database as the final step in the Keycloak transaction (using session.getTransactionManager().enlistAfterCompletion).

Is it possible to change the external/storage id at this final step in the register flow? Or can I provide an external id to use in the storage id in an early step of the register flow?
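As an added example (not code from the original post or from Keycloak), the snippet below builds the "f:" + component id + ":" + external id layout described above, checks whether the result only contains RFC 6265 cookie-octets (the printable ASCII set that cookie values may carry), and shows two ways to obtain an ASCII-only external id: an opaque id assigned by the external database, or a reversible base64url alias of the username. The component id and the database id are constructed placeholders.

```python
import base64
import re

# RFC 6265 cookie-octet: printable ASCII except space, DQUOTE, comma,
# semicolon and backslash. Anything outside this set (including every
# non-ASCII character such as Ø, Ö, Ä) is not safe in a cookie value.
COOKIE_OCTET = re.compile(r"^[\x21\x23-\x2B\x2D-\x3A\x3C-\x5B\x5D-\x7E]*$")


def storage_id(component_id: str, external_id: str) -> str:
    """Federated user id layout used by Keycloak: f:<component id>:<external id>."""
    return f"f:{component_id}:{external_id}"


def cookie_safe(value: str) -> bool:
    """True if every character of value is an RFC 6265 cookie-octet."""
    return COOKIE_OCTET.fullmatch(value) is not None


def offending_chars(value: str) -> list:
    """The characters that would make value unsafe as a cookie value."""
    return [c for c in value if not cookie_safe(c)]


def ascii_external_id(username: str) -> str:
    """Deterministic, reversible ASCII-only alias (base64url without padding)."""
    raw = base64.urlsafe_b64encode(username.encode("utf-8")).decode("ascii")
    return raw.rstrip("=")


def decode_external_id(alias: str) -> str:
    """Inverse of ascii_external_id: restore padding and decode."""
    padded = alias + "=" * (-len(alias) % 4)
    return base64.urlsafe_b64decode(padded).decode("utf-8")


def choose_external_id(db_assigned_id: str, username: str) -> str:
    """Prefer an opaque id supplied by the external database when it is
    cookie-safe; otherwise fall back to the alias derived from the username."""
    if db_assigned_id and cookie_safe(db_assigned_id):
        return db_assigned_id
    return ascii_external_id(username)


if __name__ == "__main__":
    component = "00000000-0000-0000-0000-000000000000"  # constructed placeholder
    for name in ("alice", "Øystein"):
        sid = storage_id(component, name)
        print(sid, "cookie-safe:", cookie_safe(sid), "offending:", offending_chars(sid))
    print(storage_id(component, choose_external_id("usr_000123", "Øystein")))
```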

Hi @Casperbart, we have noticed a similar issue with Keycloak’s REMEMBER_ME cookies.

Keycloak does not correctly escape cookie values, which eventually leads to Undertow rejecting those cookies. Possibly it has to be fixed in Keycloak in a similar manner as here:

Hope that helps!