[keycloak-dev] Alternative flows on Browser refresh

Stian Thorgersen sthorger at redhat.com
Mon Nov 27 06:39:14 EST 2017 

Option 1 should be done for sure.

Option 2 I think we should do. Shouldn't be to hard to have some sort of
flag in the authentication session to mark if something has happened or not?

Option 3 we could consider in the future, but I would do it with a link on
the forms with something like "Login as a different users" or something to
indicate to the user that they want to start from scratch again.

On 24 November 2017 at 15:03, Marek Posolda <mposolda at redhat.com> wrote:

> I am not sure when exactly we want to retry the alternative
> authenticators like kerberos or X509? The possibilities are:
>
> 1) When user opens the secured application URL (which will redirect him
> to Keycloak initial OIDC/SAML Authorization endpoint)
> 2) When user press browser "refresh" on username/password screen
> 3) When user press browser "refresh" on TOTP (or any possible additional
> authenticator screen after username/password was already SUCCESS)
>
> I wouldn't do 3. It would be likely complicated to implement when
> thinking various corner cases (browser back/refresh/forward buttons,
> authenticator state etc). And usability also won't help much IMO...
>
> 1 will be easier to implement. Is it sufficient or do we want also 2?
> The 2 is possible but maybe harder to do, we will need to track whether
> there was some successful action OR whether some authenticator is
> already in state SUCCESS.
>
> Marek
>
>
> Dne 23.11.2017 v 12:15 Bruno Oliveira napsal(a):
> > Good morning,
> >
> > For alternative flows like X509 browser, if something goes wrong
> > it will fall back to username/password form, as we already know.
> > But the flow is not executed again until the browser is closed.
> >
> > Based on what Stian commented[1], seems like the same applies to
> > Kerberos. To fix this, we need to change the way how it works today,
> > by going through the list of all alternative flows on refresh,
> > executing them again.
> >
> > Does it make sense? Should we have Jira as "enhancement" for this?
> >
> > [1] - https://issues.jboss.org/browse/KEYCLOAK-5466
> >
>
> _______________________________________________
> keycloak-dev mailing list
> keycloak-dev at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-dev
>

More information about the keycloak-dev mailing list