[keycloak-dev] Provide a Link to go Back to The Application on a Timeout

Marek Posolda mposolda at redhat.com
Tue May 23 03:56:38 EDT 2017

On 19/05/17 09:19, Stian Thorgersen wrote:
> I don't like option 3. It's rather unlikely that's the app folks 
> actually want to go to in this case.
> I don't think option 1 is a full solution either. KC_RESTART cookie 
> may be missing as you say, but it could also be overwritten by another 
> client login.
> Can't we do option 2 in the code that redirects to the next step in 
> the flow? That way it's always there. We should also add to action 
> tokens so an invalid action token page can also display a link back to 
> the app.
Ok, so I've used the option 2 and added the "client_id" parameter to the 
links. Now error page should always contain "Back to application" link 
even if cookies are expired etc. Action tokens, brokering etc are 
covered too.

> On 17 May 2017 at 11:36, Marek Posolda <mposolda at redhat.com 
> <mailto:mposolda at redhat.com>> wrote:
>     We have the issue that after session timeout, the page "An error
>     occurred, please login again through your application." can be shown.
>     This is even worse when there is no link to go back to the application
>     as users might be confused what to do. Details in
>     https://issues.jboss.org/browse/KEYCLOAK-4016
>     <https://issues.jboss.org/browse/KEYCLOAK-4016> .
>     This is already handled in many cases as when authentication
>     session is
>     expired, it is always restarted from the KC_RESTART cookie.
>     However there are still cases when this error is shown, which is when
>     the restart from the cookie failed. This can happen when browser
>     history
>     (including cookies) was cleared or when user restarted the browser (as
>     the KC_RESTART cookie is not persistent).
>     Some possibilities to solve:
>     1) Make the KC_RESTART cookie persistent. That will handle browser
>     restart, however it won't handle the case when browser history is
>     deleted
>     2) Add client-id to every link as Stefan Baust suggested. Then we can
>     add the link to client base uri on the page. This is more work
>     with the
>     possibility of error-prone if we miss to add the client-id to some
>     link.
>     Also we will be able to provide the link just if client has "base-uri"
>     configured.
>     3) Add the link to the account management application page. After
>     successful login will be shown list of applications in account
>     management and user can click to his favourite application. Message
>     would need to be changed to something like "An error occurred, please
>     login again through your application or go to the <link>list of
>     applications<link> and select your application after login."
>     My preference is 3, 2, 1. WDYT? Any other ideas?
>     Thanks,
>     Marek
>     _______________________________________________
>     keycloak-dev mailing list
>     keycloak-dev at lists.jboss.org <mailto:keycloak-dev at lists.jboss.org>
>     https://lists.jboss.org/mailman/listinfo/keycloak-dev
>     <https://lists.jboss.org/mailman/listinfo/keycloak-dev>

More information about the keycloak-dev mailing list