Details
diff --git a/core/src/main/java/org/keycloak/representations/AccessTokenResponse.java b/core/src/main/java/org/keycloak/representations/AccessTokenResponse.java
index b51c993..b211aef 100755
--- a/core/src/main/java/org/keycloak/representations/AccessTokenResponse.java
+++ b/core/src/main/java/org/keycloak/representations/AccessTokenResponse.java
@@ -52,7 +52,7 @@ public class AccessTokenResponse {
@JsonProperty("not-before-policy")
protected int notBeforePolicy;
- @JsonProperty("session-state")
+ @JsonProperty("session_state")
protected String sessionState;
protected Map<String, Object> otherClaims = new HashMap<String, Object>();
diff --git a/docbook/auth-server-docs/reference/en/en-US/modules/direct-access.xml b/docbook/auth-server-docs/reference/en/en-US/modules/direct-access.xml
index cfc774b..31ba14e 100755
--- a/docbook/auth-server-docs/reference/en/en-US/modules/direct-access.xml
+++ b/docbook/auth-server-docs/reference/en/en-US/modules/direct-access.xml
@@ -73,7 +73,7 @@ Pragma: no-cache
"expires_in":3600,
"refresh_token":"tGzv3JOkF0XG5Qx2TlKWIA",
"id_token":"tGzv3JOkF0XG5Qx2TlKWIA",
- "session-state":"234234-234234-234234"
+ "session_state":"234234-234234-234234"
}]]>
</programlisting>
</para>
diff --git a/docbook/auth-server-docs/reference/en/en-US/modules/MigrationFromOlderVersions.xml b/docbook/auth-server-docs/reference/en/en-US/modules/MigrationFromOlderVersions.xml
index 46fa368..afce17a 100755
--- a/docbook/auth-server-docs/reference/en/en-US/modules/MigrationFromOlderVersions.xml
+++ b/docbook/auth-server-docs/reference/en/en-US/modules/MigrationFromOlderVersions.xml
@@ -122,6 +122,13 @@
</para>
</simplesect>
<simplesect>
+ <title>Session state parameter in authentication response renamed</title>
+ <para>
+ In the OpenID Connect authentication response we used to return the session state as <literal>session-state</literal> this is not
+ correct according to the specification and has been renamed to <literal>session_state</literal>.
+ </para>
+ </simplesect>
+ <simplesect>
<title>Deprecated OpenID Connect endpoints</title>
<para>
In 1.2 we deprecated a number of endpoints that where not consistent with the OpenID Connect
diff --git a/docbook/auth-server-docs/reference/en/en-US/modules/service-accounts.xml b/docbook/auth-server-docs/reference/en/en-US/modules/service-accounts.xml
index 654341b..9e3e4ef 100644
--- a/docbook/auth-server-docs/reference/en/en-US/modules/service-accounts.xml
+++ b/docbook/auth-server-docs/reference/en/en-US/modules/service-accounts.xml
@@ -61,7 +61,7 @@ Pragma: no-cache
"refresh_expires_in":600,
"id_token":"tGzv3JOkF0XG5Qx2TlKWIA",
"not-before-policy":0,
- "session-state":"234234-234234-234234"
+ "session_state":"234234-234234-234234"
}]]>
</programlisting>
</para>
diff --git a/services/src/main/java/org/keycloak/protocol/oidc/OIDCLoginProtocol.java b/services/src/main/java/org/keycloak/protocol/oidc/OIDCLoginProtocol.java
index 1b56033..8bef72e 100755
--- a/services/src/main/java/org/keycloak/protocol/oidc/OIDCLoginProtocol.java
+++ b/services/src/main/java/org/keycloak/protocol/oidc/OIDCLoginProtocol.java
@@ -163,7 +163,7 @@ public class OIDCLoginProtocol implements LoginProtocol {
if (responseType.hasResponseType(OIDCResponseType.TOKEN)) {
redirectUri.addParam("access_token", res.getToken());
redirectUri.addParam("token_type", res.getTokenType());
- redirectUri.addParam("session-state", res.getSessionState());
+ redirectUri.addParam("session_state", res.getSessionState());
redirectUri.addParam("expires_in", String.valueOf(res.getExpiresIn()));
}
