<html>
  <head>
    <meta content="text/html; charset=utf-8" http-equiv="Content-Type">
  </head>
  <body bgcolor="#FFFFFF" text="#000000">
    We just can't support back button at this time and not until
    sometime in 2.0.  I'm hoping we can at least "disable" it by turning
    off the cache.  The way it will work is back button causes an HTTP
    request with old URL and parameters, Keycloak will just see its old
    and redirect to the current step in the flow.<br>
    <br>
    <div class="moz-cite-prefix">On 1/22/2016 9:40 AM, Libor Krzyzanek
      wrote:<br>
    </div>
    <blockquote
      cite="mid:CFC9ED2D-7C92-4EE2-946F-15979D10E92F@redhat.com"
      type="cite">
      <meta http-equiv="Content-Type" content="text/html; charset=utf-8">
      Just read the discussion so let me clarify few things.
      <div class=""><br class="">
      </div>
      <div class="">Redirects</div>
      <div class="">I’m fine with one redirect after POST. But it needs
        to be <b class="">one</b> redirect not 3. I was complaining
        about 3 additional redirects after hitting “LOGIN” button.</div>
      <div class="">In apps that I’m author (e.g. <a
          moz-do-not-send="true" href="http://planet.jboss.org" class="">planet.jboss.org</a>)
        I exactly use that pattern - after HTTP POST server returns 302
        redirect to another page which helps with a) refresh button
        problem, b) browser back button problem.</div>
      <div class=""><br class="">
      </div>
      <div class="">Back button:</div>
      <div class="">From UX perspective the back button must work.
        Everybody use it. On Mac/iPad users are used to use gesture. I
        use it everywhere.</div>
      <div class="">Personally when I come to some site which is trying
        to force me to use back button on page instead of back button in
        browser I always feels like using website written 5 years ago.</div>
      <div class=""><br class="">
      </div>
      <div class="">Other comments inline.</div>
      <div class=""><br class="">
      </div>
      <div class="">Thanks,</div>
      <div class=""><br class="">
      </div>
      <div class="">
        <div class="">
          Libor Krzyžanek<br class="">
          <a moz-do-not-send="true" href="http://jboss.org" class="">jboss.org</a>
          Development Team
        </div>
        <br class="">
        <div>
          <blockquote type="cite" class="">
            <div class="">On Jan 21, 2016, at 3:22 PM, Bill Burke &lt;<a
                moz-do-not-send="true" href="mailto:bburke@redhat.com"
                class=""><a class="moz-txt-link-abbreviated" href="mailto:bburke@redhat.com">bburke@redhat.com</a></a>&gt; wrote:</div>
            <br class="Apple-interchange-newline">
            <div class="">
              <meta content="text/html; charset=utf-8"
                http-equiv="Content-Type" class="">
              <div bgcolor="#FFFFFF" text="#000000" class=""> Yeah, I
                did that in 1.6....But <a moz-do-not-send="true"
                  href="http://jboss.org" class="">jboss.org</a> team
                didn't like it for performance reasons.<br class="">
                <br class="">
                <div class="moz-cite-prefix">On 1/20/2016 8:50 PM, Scott
                  Rossillo wrote:<br class="">
                </div>
                <blockquote
cite="mid:CALAqdu8E7_jboPF6KdDj5b0wM5gkraWWANS2YvJ4KPjwqxRi_g@mail.gmail.com"
                  type="cite" class="">There's s pattern to handle the
                  back button during flows. It's that a post should
                  never render a view but redirect (HTTP get) to the
                  failure or success view. <br class="">
                  <br class="">
                  <a moz-do-not-send="true"
href="http://www.codeproject.com/Tips/433399/PRG-Pattern-Post-Redirect-Get"
                    class="">http://www.codeproject.com/Tips/433399/PRG-Pattern-Post-Redirect-Get</a><br
                    class="">
                  <div class="gmail_quote">
                    <div dir="ltr" class="">On Wed, Jan 20, 2016 at 7:22
                      PM Bill Burke &lt;<a moz-do-not-send="true"
                        class="moz-txt-link-abbreviated"
                        href="mailto:bburke@redhat.com">bburke@redhat.com</a>&gt;

                      wrote:<br class="">
                    </div>
                    <blockquote class="gmail_quote" style="margin:0 0 0
                      .8ex;border-left:1px #ccc solid;padding-left:1ex">
                      <div bgcolor="#FFFFFF" text="#000000" class=""> <br
                          class="">
                        <br class="">
                        <div class="">On 1/20/2016 3:49 PM, Stian
                          Thorgersen wrote:<br class="">
                        </div>
                        <blockquote type="cite" class="">
                          <p dir="ltr" class="">One additional thought.
                            Maybe we could add a field to autheticators
                            to say if they support back, cancel or
                            nothing. Then the flow would allow going
                            back if previous supports back. It would
                            allow cancel if all supports it, or nothing
                            is one says nothing</p>
                          <div class="gmail_quote">On 20 Jan 2016 19:48,
                            "Stian Thorgersen" &lt;<a
                              moz-do-not-send="true"
                              href="mailto:sthorger@redhat.com"
                              target="_blank" class=""><a class="moz-txt-link-abbreviated" href="mailto:sthorger@redhat.com">sthorger@redhat.com</a></a>&gt;


                            wrote:<br type="attribution" class="">
                            <blockquote class="gmail_quote"
                              style="margin:0 0 0 .8ex;border-left:1px
                              #ccc solid;padding-left:1ex">
                              <div dir="ltr" class="">Firstly, let's
                                drop KEYCLOAK-2325 from 1.8 and see if
                                we can fix it for 1.9.
                                <div class=""><br class="">
                                </div>
                                <div class="">Secondly, the back button
                                  should not navigate backwards in the
                                  flow. Also, the refresh button should
                                  just redisplay the page as it does now
                                  (ignoring the post). A couple ideas to
                                  improve things though:</div>
                                <div class=""><br class="">
                                </div>
                                <div class="">1) Set cache-control to
                                  "Cache-Control: no-store,
                                  must-revalidate, max-age=0". This
                                  should force a reload of the page when
                                  the user clicks the back button</div>
                              </div>
                            </blockquote>
                          </div>
                        </blockquote>
                        <br class="">
                      </div>
                      <div bgcolor="#FFFFFF" text="#000000" class="">
                        Really?  That's cool then, this will basically
                        "disable" the back button :)  I'll try it out.</div>
                    </blockquote>
                  </div>
                </blockquote>
              </div>
            </div>
          </blockquote>
          <div><br class="">
          </div>
          <div>
            <div class="">It doesn’t disable the back button. The
              browser just don’t use internal browser cache when the URL
              is visited either by refresh button or back button.</div>
          </div>
          <br class="">
          <blockquote type="cite" class="">
            <div class="">
              <div bgcolor="#FFFFFF" text="#000000" class="">
                <blockquote
cite="mid:CALAqdu8E7_jboPF6KdDj5b0wM5gkraWWANS2YvJ4KPjwqxRi_g@mail.gmail.com"
                  type="cite" class="">
                  <div class="gmail_quote">
                    <blockquote class="gmail_quote" style="margin:0 0 0
                      .8ex;border-left:1px #ccc solid;padding-left:1ex">
                      <div bgcolor="#FFFFFF" text="#000000" class=""><br
                          class="">
                        <br class="">
                        <blockquote type="cite" class="">
                          <div class="gmail_quote">
                            <blockquote class="gmail_quote"
                              style="margin:0 0 0 .8ex;border-left:1px
                              #ccc solid;padding-left:1ex">
                              <div dir="ltr" class="">
                                <div class="">2) Can we add a back link
                                  to some steps in the flow?</div>
                                <div class="">3) Can we add a cancel
                                  link to some steps in the flow?</div>
                              </div>
                            </blockquote>
                          </div>
                        </blockquote>
                        <br class="">
                      </div>
                      <div bgcolor="#FFFFFF" text="#000000" class="">
                        You can reset the flow to the beginning, but
                        can't go back one step.</div>
                    </blockquote>
                  </div>
                </blockquote>
              </div>
            </div>
          </blockquote>
          <div><br class="">
          </div>
          <div>From UX perspective back button on webpage needs to
            behave exactly same as back button in browser.</div>
          <div><br class="">
          </div>
          <div>Cancel is very confusing for me. For example on “Forgot
            password” is cancel button - what is purpose of it? what
            happen when I click on it? Where I would be redirected? I
            personally removed those cancel buttons from our theme
            because it’s not clear why they’re there.</div>
          <br class="">
          <blockquote type="cite" class="">
            <div class="">
              <div bgcolor="#FFFFFF" text="#000000" class="">
                <blockquote
cite="mid:CALAqdu8E7_jboPF6KdDj5b0wM5gkraWWANS2YvJ4KPjwqxRi_g@mail.gmail.com"
                  type="cite" class="">
                  <div class="gmail_quote">
                    <blockquote class="gmail_quote" style="margin:0 0 0
                      .8ex;border-left:1px #ccc solid;padding-left:1ex">
                      <div bgcolor="#FFFFFF" text="#000000" class=""><br
                          class="">
                        <br class="">
                        <pre cols="72" class="">-- 
Bill Burke
JBoss, a division of Red Hat
<a moz-do-not-send="true" href="http://bill.burkecentral.com/" target="_blank" class="">http://bill.burkecentral.com</a></pre>
                      </div>
                      _______________________________________________<br
                        class="">
                      keycloak-dev mailing list<br class="">
                      <a moz-do-not-send="true"
                        href="mailto:keycloak-dev@lists.jboss.org"
                        target="_blank" class="">keycloak-dev@lists.jboss.org</a><br
                        class="">
                      <a moz-do-not-send="true"
                        href="https://lists.jboss.org/mailman/listinfo/keycloak-dev"
                        rel="noreferrer" target="_blank" class="">https://lists.jboss.org/mailman/listinfo/keycloak-dev</a></blockquote>
                  </div>
                </blockquote>
                <br class="">
                <pre class="moz-signature" cols="72">-- 
Bill Burke
JBoss, a division of Red Hat
<a moz-do-not-send="true" class="moz-txt-link-freetext" href="http://bill.burkecentral.com/">http://bill.burkecentral.com</a></pre>
              </div>
              _______________________________________________<br
                class="">
              keycloak-dev mailing list<br class="">
              <a moz-do-not-send="true"
                href="mailto:keycloak-dev@lists.jboss.org" class="">keycloak-dev@lists.jboss.org</a><br
                class="">
              <a class="moz-txt-link-freetext" href="https://lists.jboss.org/mailman/listinfo/keycloak-dev">https://lists.jboss.org/mailman/listinfo/keycloak-dev</a></div>
          </blockquote>
        </div>
        <br class="">
      </div>
    </blockquote>
    <br>
    <pre class="moz-signature" cols="72">-- 
Bill Burke
JBoss, a division of Red Hat
<a class="moz-txt-link-freetext" href="http://bill.burkecentral.com">http://bill.burkecentral.com</a></pre>
  </body>
</html>