[keycloak-dev] Automatic logout from KC admin console for non-authorized users

Stian Thorgersen stian at redhat.com
Tue Feb 3 04:15:07 EST 2015



----- Original Message -----
> From: "Marek Posolda" <mposolda at redhat.com>
> To: keycloak-dev at lists.jboss.org
> Sent: Tuesday, 3 February, 2015 10:05:19 AM
> Subject: [keycloak-dev] Automatic logout from KC admin console for non-authorized users
> 
> Right now, when a user goes to the Keycloak admin console and doesn't have
> access (no admin roles assigned), he is logged out automatically. It's
> done by the "whoami" endpoint, which returns 401 in this case.

+1000 Logging out the user is just plain stupid, can't believe we do that

> 
> Shouldn't we instead just display some notification like "Forbidden, you
> don't have access" instead of automatically logging out the user?
> 
> My point is links between various admin consoles. For example, when a user
> is logged in to the hawtio admin console and clicks a link to the Keycloak admin
> console, but doesn't have access, he is logged out automatically,
> which does an SSO logout and logs him out of hawtio as well. To me it looks
> a bit confusing tbh.
> 
> Also, do we have a plan to add support for a referrer in the KC admin console,
> similar to what account mgmt has?

I don't think referrer is the correct approach. What if we add a feature to Keycloak that lets you retrieve all applications a user has access to (where a user has at least one role?) and that have a base URL configured (maybe this should be changed to default page). Then we can use this information to add an application switcher to all consoles (like Google has, see attachment). This is probably something we should discuss with Management .Next guys though ;)

> 
> Marek
> _______________________________________________
> keycloak-dev mailing list
> keycloak-dev at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-dev
> 
-------------- next part --------------
A non-text attachment was scrubbed...
Name: app-switcher.png
Type: image/png
Size: 25938 bytes
Desc: not available
Url: http://lists.jboss.org/pipermail/keycloak-dev/attachments/20150203/e3302abb/attachment-0001.png
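As an added example (not Keycloak's own code, and not from either poster), here is how an admin-console client could treat the whoami result so that an authorization failure shows the "Forbidden" notice Marek suggests instead of ending the shared SSO session, next to the filter Stian sketches for an application switcher. The endpoint name and the 401 behaviour come from the thread; the response shape (`realmAccess`), the action names, the role names, and the application list are assumptions made for this illustration.

```javascript
// Added example, not Keycloak's own code: how an admin-console client could react to the
// "whoami" endpoint so that a user without admin roles sees a notice instead of being
// logged out of SSO (the behaviour Marek describes). Assumptions: the response shape
// { userId, realmAccess: { realmName: [roles] } }, the action names, and the sample data.

const FORBIDDEN_MESSAGE = "Forbidden, you don't have access";

// Current behaviour described in the thread: the console treats any 401 from whoami as
// "log me out", which also ends the SSO session shared with consoles such as hawtio.
function legacyWhoAmIHandler(status) {
  return { logout: status === 401 };
}

// Proposed behaviour: separate "not authenticated" from "authenticated but not authorized".
// No branch ever triggers an SSO logout; that should only happen on an explicit user action.
function decideAdminConsoleAction(status, body) {
  if (status === 401) {
    // No valid session: send the user to the login page, which does not touch other sessions.
    return { action: 'redirect-to-login', logout: false };
  }
  if (status === 403) {
    // Authenticated but not authorized: show the notice and keep the SSO session alive.
    return { action: 'show-forbidden', logout: false, message: FORBIDDEN_MESSAGE };
  }
  if (status === 200) {
    // Defensive check on the client as well: an authenticated user with no admin role in any
    // realm gets the same notice. (Realm names and role names are illustrative.)
    const realmAccess = (body && body.realmAccess) || {};
    const roles = Object.values(realmAccess).flat();
    if (roles.length === 0) {
      return { action: 'show-forbidden', logout: false, message: FORBIDDEN_MESSAGE };
    }
    return { action: 'load-console', logout: false, roles };
  }
  // 5xx or an unexpected status: report an error, do not guess at logging out.
  return { action: 'show-error', logout: false, status };
}

// Stian's application-switcher idea: list only the applications where the user holds at
// least one role and that have a base URL configured. Input shapes are assumptions.
function accessibleApplications(rolesByApplication, applications) {
  return applications
    .filter((app) => typeof app.baseUrl === 'string' && app.baseUrl.length > 0)
    .filter((app) => (rolesByApplication[app.name] || []).length > 0)
    .map((app) => ({ name: app.name, url: app.baseUrl }));
}

// Constructed sample data for a stand-alone run.
const SAMPLE_NO_ROLES = { userId: 'user-1', realmAccess: { master: [] } };
const SAMPLE_ADMIN = { userId: 'user-2', realmAccess: { master: ['admin'] } };
const SAMPLE_APPS = [
  { name: 'keycloak-admin', baseUrl: 'https://sso.example.test/admin' },
  { name: 'hawtio', baseUrl: 'https://hawtio.example.test' },
  { name: 'reports', baseUrl: '' }, // no base URL configured: never shown in the switcher
];
const SAMPLE_ROLES = { hawtio: ['viewer'], reports: ['reader'] }; // no keycloak-admin role

if (typeof require !== 'undefined' && require.main === module) {
  console.log('legacy on 401:', legacyWhoAmIHandler(401)); // { logout: true }
  console.log('proposed on 200 without roles:', decideAdminConsoleAction(200, SAMPLE_NO_ROLES));
  console.log('switcher:', accessibleApplications(SAMPLE_ROLES, SAMPLE_APPS)); // hawtio only
}
```

The point of the split is that a 401 from an authorization check and a missing session are different conditions: only the second justifies sending the user to login, and neither justifies calling the SSO logout endpoint, which would also end the user's session in hawtio or any other console sharing it.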

