[keycloak-dev] Provide a Link to go Back to The Application on a Timeout

Marek Posolda mposolda at redhat.com
Fri May 19 04:01:39 EDT 2017

On 19/05/17 09:19, Stian Thorgersen wrote:
> I don't like option 3. It's rather unlikely that's the app folks 
> actually want to go to in this case.
> I don't think option 1 is a full solution either. KC_RESTART cookie 
> may be missing as you say, but it could also be overwritten by another 
> client login.
I've figured out another reason why it won't work: after the restarted login 
is finished and you're redirected back to the app, the application would 
reject it due to an incorrect OAuth "state". I was thinking about adding a 
separate cookie just with client_id, but links are always more reliable 
than cookies. So I will try option 2. Hopefully there are not so 
many places where this needs to be changed. I will try to handle it in action 
tokens as well.


> Can't we do option 2 in the code that redirects to the next step in 
> the flow? That way it's always there. We should also add it to action 
> tokens so an invalid action token page can also display a link back to 
> the app.
> On 17 May 2017 at 11:36, Marek Posolda <mposolda at redhat.com> wrote:
>     We have the issue that after session timeout, the page "An error
>     occurred, please login again through your application." can be shown.
>     This is even worse when there is no link to go back to the application,
>     as users might be confused what to do. Details in
>     https://issues.jboss.org/browse/KEYCLOAK-4016
>     This is already handled in many cases, as when the authentication
>     session is expired, it is always restarted from the KC_RESTART cookie.
>     However there are still cases when this error is shown, which is when
>     the restart from the cookie failed. This can happen when the browser
>     history (including cookies) was cleared or when the user restarted the
>     browser (as the KC_RESTART cookie is not persistent).
>     Some possibilities to solve:
>     1) Make the KC_RESTART cookie persistent. That will handle browser
>     restart, however it won't handle the case when browser history is
>     deleted.
>     2) Add client-id to every link as Stefan Baust suggested. Then we can
>     add the link to the client base uri on the page. This is more work and
>     error-prone if we forget to add the client-id to some link.
>     Also we will be able to provide the link only if the client has
>     "base-uri" configured.
>     3) Add the link to the account management application page. After
>     successful login, a list of applications will be shown in account
>     management and the user can click his favourite application. The message
>     would need to be changed to something like "An error occurred, please
>     login again through your application or go to the <link>list of
>     applications<link> and select your application after login."
>     My preference is 3, 2, 1. WDYT? Any other ideas?
>     Thanks,
>     Marek
>     _______________________________________________
>     keycloak-dev mailing list
>     keycloak-dev at lists.jboss.org
>     https://lists.jboss.org/mailman/listinfo/keycloak-dev
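As an added illustration (not Keycloak's code and not from this thread), here is option 2 sketched in Python: the "back to application" target is resolved only from a server-side client registry by the client_id carried on the link, so an unknown client or one without "base-uri" yields no link and nothing in the request can steer where the link points; the last function shows the OAuth "state" check that makes a purely cookie-driven restart fail at the application. The CLIENTS registry, URLs and function names are constructed for the example.

```python
import html
import secrets
from urllib.parse import parse_qs, urlsplit

# Constructed sample client registry standing in for the realm's client
# configuration (the per-client "base-uri" mentioned in the thread).
CLIENTS = {
    "billing-app": {"base_uri": "https://billing.example.test/"},
    "legacy-app": {"base_uri": None},  # client without a base URL configured
}


def client_id_from_link(link):
    """Return the single client_id query parameter carried on a link, else None."""
    values = parse_qs(urlsplit(link).query).get("client_id", [])
    return values[0] if len(values) == 1 else None


def back_to_app_link(link, clients=CLIENTS):
    """Resolve the 'back to application' target for the error page.

    The destination comes only from the server-side registry keyed by
    client_id; a redirect_uri or similar value in the link itself is never
    used, so the link cannot be turned into an open redirect. None means
    the page shows no link (unknown client or no base-uri configured).
    """
    client = clients.get(client_id_from_link(link) or "")
    if not client or not client.get("base_uri"):
        return None
    return client["base_uri"]


def render_error_message(link, clients=CLIENTS):
    """Build the error text, appending the link only when one can be resolved."""
    msg = "An error occurred, please login again through your application."
    target = back_to_app_link(link, clients)
    if target is None:
        return msg
    return f'{msg} <a href="{html.escape(target, quote=True)}">Back to application</a>'


def app_accepts_callback(expected_state, callback_url):
    """The application side of the thread's 'state' point: a callback is only
    accepted when it carries exactly the state value this app issued, which a
    login restarted from the KC_RESTART cookie alone cannot reproduce."""
    values = parse_qs(urlsplit(callback_url).query).get("state", [])
    return len(values) == 1 and secrets.compare_digest(values[0], expected_state)
```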
