<div dir="ltr">I think a) is ok, but not the ideal.<div><br></div><div>b) however is problematic IMO. In the case of required actions, why not just display the next required action associated with the user? That would be the equivalent of a.</div><div><br></div><div>There's also another bug related to this which is that if you try to change the language on a page in the middle of the auth flow it blows up.</div></div><div class="gmail_extra"><br><div class="gmail_quote">On 14 October 2015 at 18:58, Bill Burke <span dir="ltr"><<a href="mailto:bburke@redhat.com" target="_blank">bburke@redhat.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">I've been looking into a couple of "browser refresh" bugs. Currently,<br>
if an HTTP request to the auth flow spi did not match the state of the<br>
client session you would<br>
<br>
a) have the flow reset if you were currently in the process of<br>
authenticating<br>
b) Show an error screen if you aren't currently authenticating (i.e.<br>
performing required actions)<br>
<br>
Now I remember why I did it this way. It is impossible to detect the<br>
difference between a browser refresh and somebody hitting the back<br>
button and resubmitting a previous form. Hitting "browser refresh" will<br>
resubmit any previous form POST. So, you have no idea if the user is<br>
refreshing the current page or resubmitting after a browser back button.<br>
<br>
So, I think it is best to keep things the way it is now. Thoughts?<br>
<span class="HOEnZb"><font color="#888888"><br>
<br>
--<br>
Bill Burke<br>
JBoss, a division of Red Hat<br>
<a href="http://bill.burkecentral.com" rel="noreferrer" target="_blank">http://bill.burkecentral.com</a><br>
_______________________________________________<br>
keycloak-dev mailing list<br>
<a href="mailto:keycloak-dev@lists.jboss.org">keycloak-dev@lists.jboss.org</a><br>
<a href="https://lists.jboss.org/mailman/listinfo/keycloak-dev" rel="noreferrer" target="_blank">https://lists.jboss.org/mailman/listinfo/keycloak-dev</a><br>
</font></span></blockquote></div><br></div>