[keycloak-dev] Provide a Link to go Back to The Application on a Timeout

Marek Posolda mposolda at redhat.com
Thu May 18 02:38:31 EDT 2017 

On 18/05/17 03:26, luke at anotherrobbo.com wrote:
> For what it's worth, option 3 is similar to what we have implemented
> in our theme's error.ftl.
>
> Our main use case was for expired email confirmation / password reset
> links (we'd really like to see something done with
> https://issues.jboss.org/browse/KEYCLOAK-3631 so we can increase our
> limits past the SSO idle time but that's another issue!)
Good news for you. We introduced action tokens recently and it's in 
latest master. This introduces separate timeout for admin actions (among 
other things). In other words, your use-case from KEYCLOAK-3631 should 
be already possible with latest master and will be in 3.2.0 release.
>
> We've hardcoded the url (${msg("attemptLogin", "/auth/realms/" +
> realm.name + "/account/applications")}), it would certainly be nice to
> have a better way of doing this so the theme doesn't need to know the
> URL?
Yes, we already have URLBean, which is used to abstracts the URL 
creation logic from the freemarker template itself.

Marek
>
> Cheers,
>
> Luke
>
> Quoting Marek Posolda <mposolda at redhat.com>:
>
>> Maybe yes.
>>
>> There is also the case when the link of login page can be copy/pasted
>> somehow and opened in new browser. The KC_RESTART cookie then also won't
>> be visible. But this really looks like corner case...
>>
>> Maybe we can have the combination of 1 and 3? Have the cookie persistent
>> and show the page with account management link just if KC_RESTART cookie
>> is really unavailable.
>>
>> Marek
>>
>> On 17/05/17 15:09, Schuster Sebastian (INST/ESY1) wrote:
>>> Wouldn't 1) be a good option as browser restarts are the vast
>>> majority compared to history deletion?
>>> Even our very restrictive company directives don't clear the
>>> browser history on exit while messing around
>>> with a lot of my other browser settings...
>>>
>>> Best regards,
>>> Sebastian
>>>
>>> Mit freundlichen Grüßen / Best regards
>>>
>>>    Sebastian Schuster
>>>
>>> Engineering and Support (INST/ESY1)
>>> Bosch Software Innovations GmbH | Schöneberger Ufer 89-91 | 10785
>>> Berlin | GERMANY | www.bosch-si.com
>>> Tel. +49 30 726112-485 | Fax +49 30 726112-100 |
>>> Sebastian.Schuster at bosch-si.com
>>>
>>> Sitz: Berlin, Registergericht: Amtsgericht Charlottenburg; HRB 148411 B
>>> Geschäftsführung: Dr.-Ing. Rainer Kallenbach, Michael Hahn
>>>
>>>
>>>
>>>
>>>> -----Original Message-----
>>>> From: keycloak-dev-bounces at lists.jboss.org [mailto:keycloak-dev-
>>>> bounces at lists.jboss.org] On Behalf Of Marek Posolda
>>>> Sent: Mittwoch, 17. Mai 2017 11:36
>>>> To: keycloak-dev at lists.jboss.org
>>>> Subject: [keycloak-dev] Provide a Link to go Back to The
>>>> Application on a Timeout
>>>>
>>>> We have the issue that after session timeout, the page "An error
>>>> occurred, please
>>>> login again through your application." can be shown.
>>>> This is even worse when there is no link to go back to the
>>>> application as users
>>>> might be confused what to do. Details in
>>>> https://issues.jboss.org/browse/KEYCLOAK-4016 .
>>>>
>>>> This is already handled in many cases as when authentication
>>>> session is expired, it
>>>> is always restarted from the KC_RESTART cookie.
>>>>
>>>> However there are still cases when this error is shown, which is
>>>> when the restart
>>>> from the cookie failed. This can happen when browser history
>>>> (including cookies)
>>>> was cleared or when user restarted the browser (as the KC_RESTART
>>>> cookie is not
>>>> persistent).
>>>>
>>>> Some possibilities to solve:
>>>> 1) Make the KC_RESTART cookie persistent. That will handle browser restart,
>>>> however it won't handle the case when browser history is deleted
>>>>
>>>> 2) Add client-id to every link as Stefan Baust suggested. Then we
>>>> can add the link
>>>> to client base uri on the page. This is more work with the
>>>> possibility of error-prone
>>>> if we miss to add the client-id to some link.
>>>> Also we will be able to provide the link just if client has "base-uri"
>>>> configured.
>>>>
>>>> 3) Add the link to the account management application page. After
>>>> successful
>>>> login will be shown list of applications in account management and
>>>> user can click
>>>> to his favourite application. Message would need to be changed to
>>>> something like
>>>> "An error occurred, please login again through your application or
>>>> go to the
>>>> <link>list of applications<link> and select your application after login."
>>>>
>>>> My preference is 3, 2, 1. WDYT? Any other ideas?
>>>>
>>>> Thanks,
>>>> Marek
>>>>
>>>> _______________________________________________
>>>> keycloak-dev mailing list
>>>> keycloak-dev at lists.jboss.org
>>>> https://lists.jboss.org/mailman/listinfo/keycloak-dev
>>
>> _______________________________________________
>> keycloak-dev mailing list
>> keycloak-dev at lists.jboss.org
>> https://lists.jboss.org/mailman/listinfo/keycloak-dev
>
>
> _______________________________________________
> keycloak-dev mailing list
> keycloak-dev at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-dev

More information about the keycloak-dev mailing list