Hi everyone,
When creating a new user in a Keycloak realm (I am on 26.3.2), we use the "Credential Reset" function in the user's Credentials tab to send the user a message with the required action "Update Password" (expiry: 12h).
So far so good: the user receives an email, clicks on the button and gets asked to update the password; adds a new password and clicks on "Continue" at
Finished
Your account was updated successfully.
Continue.
He is then presented with the following error:
Something went wrong
Restart login cookie not found. It may have expired; it may have been deleted or cookies are disabled in your browser. If cookies are disabled then enable them. Click Back to Application to login again.
I tracked this down to org.keycloak.services.resources.SessionCodeChecks getting the cookie in initialVerifyAuthSession:
AuthenticationSessionModel authSessionCookie = authSessionManager.getCurrentAuthenticationSession(realm, client, tabId);
Now, going further in, I see the AUTH_SESSION cookie is found, validated, correctly signed etc.; where it fails is:
org.keycloak.services.managers.AuthenticationSessionManager.getAuthSessionCookies(RealmModel)
...
RootAuthenticationSessionModel rootAuthenticationSession = session.authenticationSessions().getRootAuthenticationSession(realm, decodedAuthSessionId);
return rootAuthenticationSession != null ? oldEncodedId : null;
The rootAuthenticationSession is always null in that case, regardless of whether I try this within one minute or an hour after receiving the email.
Now when the user tries to use the password to log in etc., everything works fine.
Any ideas/help is greatly appreciated!
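For anyone reproducing this outside the admin console, the "Credential Reset" button maps to the admin REST endpoint execute-actions-email; the following is an added example (not code from the poster or from Keycloak) that builds and sends that request with the same 12h lifespan, so the flow can be exercised from a script. The base URL, realm, user id and admin credentials are hypothetical placeholders.

```python
import json
import urllib.parse
import urllib.request

# Constructed values for illustration only; replace with your own server and realm.
BASE_URL = "https://keycloak.example.test"  # hypothetical
REALM = "myrealm"                           # hypothetical
LIFESPAN_12H = 12 * 60 * 60                 # 43200 s, the 12h expiry from the post


def build_execute_actions_request(base_url, realm, user_id, actions,
                                  lifespan_seconds, client_id=None, redirect_uri=None):
    """Build the admin REST call behind the console's "Credential Reset" button:
    PUT /admin/realms/{realm}/users/{id}/execute-actions-email with a JSON array
    of required actions; lifespan (seconds) bounds how long the link is valid."""
    if lifespan_seconds <= 0:
        raise ValueError("lifespan must be positive")
    params = {"lifespan": lifespan_seconds}
    if client_id:
        params["client_id"] = client_id
    if redirect_uri:
        params["redirect_uri"] = redirect_uri
    url = (f"{base_url.rstrip('/')}/admin/realms/{urllib.parse.quote(realm)}"
           f"/users/{urllib.parse.quote(user_id)}/execute-actions-email"
           f"?{urllib.parse.urlencode(params)}")
    return "PUT", url, json.dumps(list(actions)).encode()


def admin_token(base_url, username, password):
    """Obtain a bearer token via the admin-cli client in the master realm."""
    data = urllib.parse.urlencode({"grant_type": "password", "client_id": "admin-cli",
                                   "username": username, "password": password}).encode()
    req = urllib.request.Request(
        f"{base_url.rstrip('/')}/realms/master/protocol/openid-connect/token", data=data)
    with urllib.request.urlopen(req, timeout=10) as resp:
        return json.load(resp)["access_token"]


def send_execute_actions_email(base_url, realm, user_id, token, actions, lifespan_seconds):
    """Trigger the required-action email; Keycloak replies 204 No Content on success."""
    method, url, body = build_execute_actions_request(base_url, realm, user_id, actions, lifespan_seconds)
    req = urllib.request.Request(url, data=body, method=method, headers={
        "Authorization": f"Bearer {token}", "Content-Type": "application/json"})
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.status


if __name__ == "__main__":
    tok = admin_token(BASE_URL, "admin", "admin-password")  # hypothetical credentials
    print(send_execute_actions_email(BASE_URL, REALM, "<user-id>", tok, ["UPDATE_PASSWORD"], LIFESPAN_12H))
```

Triggering the email this way and then following the link lets you check whether the "Restart login cookie not found" error depends on how the required action was set, independent of the admin console.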