[keycloak-dev] changes to browser-based flows

Bill Burke bburke at redhat.com
Fri Oct 16 10:39:19 EDT 2015


FYI:  Not important if you are uninterested in design.

Prior to my last commit if you hit the browser refresh button you would 
either have had the authentication flow completely reset or received an 
error page.  Also, changing the locale on some required actions pages 
would end up in an error condition.

So...To fix this I made some changes to browser based flows:

* After any successful action processing (i.e. a form POST), the browser 
is sent a 302 redirect to a "safer" page.  If you are in the 
authentication phase, then this redirect will be to 
/authenticate?code={code}, registration /register?code={code}, reset 
credentials /reset-credentials?code={code}, required actions 
/required-action?code={code}.  When these URIs are executed, Keycloak 
will figure out where the user is in the flow and render things 
appropriately.
* After authentication, the browser will be 302 redirected to 
/required-action?code={code}

The reason for these changes is to support when the user clicks the 
browser refresh button.  The refresh button will resubmit the previous 
request.  Prior to this change there were issues with this.  For 
example, previously, if there was a required action and you just logged 
in via username and password, the URI in the browser would still point 
to the username/password page even though the required action page was 
being rendered.  If the refresh button was hit, the previous username 
password POST would be resent to the username/password page, Keycloak 
would say "WTF are you doing?!?" and abort.  There were similar issues 
like this everywhere.

Other things affected by this fix:
* required actions no longer change the ACTION_KEY or the 
ClientSessionModel.getAction().
* ClientSessionModel.getAction() will either be AUTHENTICATION, 
REQUIRED_ACTIONS, EXECUTE_ACTIONS, LOGGED_OUT, or OAUTH_GRANT.
* After authentication, the flow manager will change the action from 
AUTHENTICATION to REQUIRED_ACTIONS.

Overall, this is less performant as there are additional HTTP redirect 
requests being thrown in, but should provide a better user experience.
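As an added illustration (not Keycloak's own code), the following Python model contrasts a browser refresh with and without the post-redirect-get change described above; the session class, the `c0de` value and the single `UPDATE_PASSWORD` required action are constructed stand-ins for Keycloak's ClientSessionModel and flow state.

```python
from dataclasses import dataclass, field
from urllib.parse import urlencode

AUTHENTICATION, REQUIRED_ACTIONS = "AUTHENTICATION", "REQUIRED_ACTIONS"


@dataclass
class ClientSession:
    """Server-side state looked up by the code in the URL (stand-in for ClientSessionModel)."""
    code: str
    action: str = AUTHENTICATION
    pending: list = field(default_factory=lambda: ["UPDATE_PASSWORD"])  # constructed required action


def render(session):
    """GET handlers: work out where the user is in the flow from session state alone."""
    if session.action == AUTHENTICATION:
        return 200, "login form"
    if session.pending:
        return 200, "required action form: " + session.pending[0]
    return 200, "flow complete"


def handle(session, method, path, prg):
    """One request. With prg=True every successful POST answers with a 302 to a GET-safe URI."""
    if method == "GET":
        return render(session)
    if path == "/authenticate" and session.action == AUTHENTICATION:
        session.action = REQUIRED_ACTIONS          # flow manager advances the action after login
    elif path == "/required-action" and session.action == REQUIRED_ACTIONS and session.pending:
        session.pending.pop(0)                     # required action completed
    else:
        return 400, "unexpected POST for action " + session.action   # the old abort case
    if not prg:
        return render(session)                     # old behaviour: render straight from the POST
    return 302, "/required-action?" + urlencode({"code": session.code})


def login_then_refresh(prg):
    """Browser: POST credentials, follow any redirect, then hit refresh (resend the last request)."""
    session = ClientSession(code="c0de")          # constructed code value
    last = ("POST", "/authenticate")
    status, body = handle(session, *last, prg)
    while status == 302:                           # browser follows the redirect with a GET
        last = ("GET", body.split("?")[0])
        status, body = handle(session, *last, prg)
    first_page = body
    status, refreshed = handle(session, *last, prg)   # refresh resubmits `last`
    return first_page, status, refreshed
```

Without the redirect the refresh replays the credential POST against a session that has already moved on and gets the error; with it the refresh is an idempotent GET that re-renders the required action page.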

-- 
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com