[keycloak-dev] Provide a Link to go Back to The Application on a Timeout

Marek Posolda mposolda at redhat.com
Wed May 17 09:29:05 EDT 2017

Maybe yes.

There is also the case when the link of login page can be copy/pasted 
somehow and opened in new browser. The KC_RESTART cookie then also won't 
be visible. But this really looks like corner case...

Maybe we can have the combination of 1 and 3? Have the cookie persistent 
and show the page with account management link just if KC_RESTART cookie 
is really unavailable.


On 17/05/17 15:09, Schuster Sebastian (INST/ESY1) wrote:
> Wouldn't 1) be a good option as browser restarts are the vast majority compared to history deletion?
> Even our very restrictive company directives don't clear the browser history on exit while messing around
> with a lot of my other browser settings...
> Best regards,
> Sebastian
> Mit freundlichen Grüßen / Best regards
>   Sebastian Schuster
> Engineering and Support (INST/ESY1)
> Bosch Software Innovations GmbH | Schöneberger Ufer 89-91 | 10785 Berlin | GERMANY | www.bosch-si.com
> Tel. +49 30 726112-485 | Fax +49 30 726112-100 | Sebastian.Schuster at bosch-si.com
> Sitz: Berlin, Registergericht: Amtsgericht Charlottenburg; HRB 148411 B
> Geschäftsführung: Dr.-Ing. Rainer Kallenbach, Michael Hahn
>> -----Original Message-----
>> From: keycloak-dev-bounces at lists.jboss.org [mailto:keycloak-dev-
>> bounces at lists.jboss.org] On Behalf Of Marek Posolda
>> Sent: Mittwoch, 17. Mai 2017 11:36
>> To: keycloak-dev at lists.jboss.org
>> Subject: [keycloak-dev] Provide a Link to go Back to The Application on a Timeout
>> We have the issue that after session timeout, the page "An error occurred, please
>> login again through your application." can be shown.
>> This is even worse when there is no link to go back to the application as users
>> might be confused what to do. Details in
>> https://issues.jboss.org/browse/KEYCLOAK-4016 .
>> This is already handled in many cases as when authentication session is expired, it
>> is always restarted from the KC_RESTART cookie.
>> However there are still cases when this error is shown, which is when the restart
>> from the cookie failed. This can happen when browser history (including cookies)
>> was cleared or when user restarted the browser (as the KC_RESTART cookie is not
>> persistent).
>> Some possibilities to solve:
>> 1) Make the KC_RESTART cookie persistent. That will handle browser restart,
>> however it won't handle the case when browser history is deleted
>> 2) Add client-id to every link as Stefan Baust suggested. Then we can add the link
>> to client base uri on the page. This is more work with the possibility of error-prone
>> if we miss to add the client-id to some link.
>> Also we will be able to provide the link just if client has "base-uri"
>> configured.
>> 3) Add the link to the account management application page. After successful
>> login will be shown list of applications in account management and user can click
>> to his favourite application. Message would need to be changed to something like
>> "An error occurred, please login again through your application or go to the
>> <link>list of applications<link> and select your application after login."
>> My preference is 3, 2, 1. WDYT? Any other ideas?
>> Thanks,
>> Marek
>> _______________________________________________
>> keycloak-dev mailing list
>> keycloak-dev at lists.jboss.org
>> https://lists.jboss.org/mailman/listinfo/keycloak-dev

More information about the keycloak-dev mailing list