<html>
  <head>
    <meta content="text/html; charset=utf-8" http-equiv="Content-Type">
  </head>
  <body bgcolor="#FFFFFF" text="#000000">
    <div class="moz-cite-prefix">Just checked how Facebook works. If you
      log in and then press the "back" button on the consent screen, they
      also just redisplay this screen. The thing is that with this
      behaviour, when you press the "back" button 10 times, you're still
      on the same page. There doesn't seem to be a way to go through
      browser history back to the application or even earlier. <br>
      <br>
      Not sure if this is a problem or not. I personally almost never
      use the back button (especially on stateful sites where I am logged
      in), as many sites are broken and I never know what the back button
      will do <span class="moz-smiley-s3"><span> ;-) </span></span><br>
      <br>
      Marek<br>
      <br>
      On 27/01/16 15:20, Bill Burke wrote:<br>
    </div>
    <blockquote cite="mid:56A8D231.1000002@redhat.com" type="cite">
      <meta content="text/html; charset=utf-8" http-equiv="Content-Type">
      Lol, we used to have a "back to app" button, but removed it.  We
      still have a cancel button on the OTP page; this just restarts the
      flow. IMO, if users want a "back to app" button, they should just
      add it themselves.<br>
      <br>
      <div class="moz-cite-prefix">On 1/27/2016 3:58 AM, Stian
        Thorgersen wrote:<br>
      </div>
      <blockquote
cite="mid:CAJgngAcKYKcbC3J16EJzYZMs-nyFuYhgi-sDjor2ns-Mb5+0eg@mail.gmail.com"
        type="cite">
        <div dir="ltr">The back button should just re-display the
          current page. Then there should be a separate link/button on the
          page to go back to the application (as long as the base URL is
          set on the client, this should always be available, even if the
          client session has timed out). I think we should also consider
          having a button/link to restart the flow.</div>
        <div class="gmail_extra"><br>
          <div class="gmail_quote">On 27 January 2016 at 09:55, Stian
            Thorgersen <span dir="ltr">&lt;<a moz-do-not-send="true"
                href="mailto:sthorger@redhat.com" target="_blank">sthorger@redhat.com</a>&gt;</span>
            wrote:<br>
            <blockquote class="gmail_quote" style="margin:0 0 0
              .8ex;border-left:1px #ccc solid;padding-left:1ex">
              <div dir="ltr">The action key was introduced in the old
                days when we didn't have any state on the server that
                was aware of where the flow was. Now that we have clear
                state on the server that is fully aware of where in a
                flow a user is, it shouldn't be required any more, and as
                long as the flow manager puts it in the correct state
                there's nothing a user can do to try to jump
                back/forward in the flow.</div>
              <div class="HOEnZb">
                <div class="h5">
                  <div class="gmail_extra"><br>
                    <div class="gmail_quote">On 27 January 2016 at
                      08:11, Marek Posolda <span dir="ltr">&lt;<a
                          moz-do-not-send="true"
                          class="moz-txt-link-abbreviated"
                          href="mailto:mposolda@redhat.com">mposolda@redhat.com</a>&gt;</span>
                      wrote:<br>
                      <blockquote class="gmail_quote" style="margin:0 0
                        0 .8ex;border-left:1px #ccc
                        solid;padding-left:1ex">+1 to restart the flow
                        entirely when the back button is pressed at any
                        stage<br>
                        (either authenticator or required actions
                        screen). Or maybe even drop<br>
                        the ClientSession entirely and redirect back to
                        the application?<br>
                        <br>
                        Once we use this "must-revalidate" header, I
                        hope we can detect that the<br>
                        request was triggered by the back button. Maybe
                        we will need to maintain all<br>
                        previously used action keys on
                        ClientSessionModel, so we are clearly<br>
                        able to detect that the request was triggered by
                        the back button?<br>
                        <br>
                        Note that I am not a usability expert and I am
                        not sure what is best<br>
                        practice regarding the back button and usability.
                        But redirecting back to the<br>
                        application looks like the clearest way to me.<br>
                        <span><font color="#888888"><br>
                            Marek<br>
                          </font></span><span><br>
                          On 26/01/16 23:36, Bill Burke wrote:<br>
                          &gt; The current thinking for browser back
                          button is to set:<br>
                          &gt;<br>
                          &gt; Cache-Control: no-store, must-revalidate,
                          max-age=0<br>
                          &gt;<br>
                          &gt; There are possible security issues with
                          this that I don't know if we<br>
                          &gt; should do this or not.  Don't know if you
                          remember how ClientSessionCode<br>
                          &gt; works, it uses a hash of the client
                          session id and the action key<br>
                          &gt; currently stored in the.  When you switch
                          from authentication to<br>
                          &gt; required actions, the action key
                          changes.  Now, if you hit the back<br>
                          &gt; button on a required action page, it
                          would take you back to an<br>
                          &gt; authentication screen.  The code check
                          would fail because the action<br>
                          &gt; keys don't match.<br>
                          &gt;<br>
                          &gt; Do we actually need this action key
                          stuff?  Can we just let the flow<br>
                          &gt; manager put the browser in the correct
                          state?  So if an "authenticate"<br>
                          &gt; url is hit and the flow is on required
                          actions, just redirect to the<br>
                          &gt; required actions URL.   I just worry that
                          this is some sort of security<br>
                          &gt; hole somehow.  Maybe we're better off
                          just resetting and restarting the<br>
                          &gt; flow entirely.<br>
                          &gt;<br>
                          <br>
                        </span>
                        <div>
                          <div>_______________________________________________<br>
                            keycloak-dev mailing list<br>
                            <a moz-do-not-send="true"
                              href="mailto:keycloak-dev@lists.jboss.org"
                              target="_blank">keycloak-dev@lists.jboss.org</a><br>
                            <a moz-do-not-send="true"
                              href="https://lists.jboss.org/mailman/listinfo/keycloak-dev"
                              rel="noreferrer" target="_blank">https://lists.jboss.org/mailman/listinfo/keycloak-dev</a><br>
                          </div>
                        </div>
                      </blockquote>
                    </div>
                    <br>
                  </div>
                </div>
              </div>
            </blockquote>
          </div>
          <br>
        </div>
      </blockquote>
      <br>
      <pre class="moz-signature" cols="72">-- 
Bill Burke
JBoss, a division of Red Hat
<a moz-do-not-send="true" class="moz-txt-link-freetext" href="http://bill.burkecentral.com">http://bill.burkecentral.com</a></pre>
    </blockquote>
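    <p>Added example (an editor's illustration, not Keycloak's code and not part of this thread): a Python model of the ClientSessionCode check Bill describes above, in which the code carried in a login URL is a hash over the client session id and the action key, and the key rotates when the flow moves from authentication to required actions. The SHA-256 construction, the stage names and all function names are assumptions made for the example. It shows why a page reached through the back button fails the strict code check, what the proposed flow-manager alternative would answer instead, and the Cache-Control value from the thread that makes the browser re-request the page rather than replay it from history.</p>

```python
import hashlib
import hmac
import secrets

# Constructed model of what the thread describes: every login URL carries a
# code derived from the client session id plus the action key stored on the
# client session, and the action key changes when the flow moves from
# authentication to required actions. Illustrative only, not Keycloak's code.

# Header quoted in the thread for pages that must not be replayed from history
CACHE_CONTROL = "no-store, must-revalidate, max-age=0"


class ClientSession:
    """Server-side state for one login attempt (hypothetical model)."""

    def __init__(self):
        self.id = secrets.token_hex(8)
        self.stage = "authenticate"        # where the flow manager believes the user is
        self.action_key = secrets.token_hex(8)

    def code(self) -> str:
        # Assumption: the "hash of the client session id and the action key" is
        # a SHA-256 over both values; the real construction is not on the page.
        return hashlib.sha256(f"{self.id}:{self.action_key}".encode()).hexdigest()

    def advance(self, next_stage: str) -> str:
        """Move the flow on and rotate the action key, invalidating older codes."""
        self.stage = next_stage
        self.action_key = secrets.token_hex(8)
        return self.code()


def code_matches(session: ClientSession, presented: str) -> bool:
    """Constant-time comparison of the presented code with the current one."""
    return hmac.compare_digest(session.code(), presented)


def handle_strict(session: ClientSession, presented: str) -> str:
    """Action-key check as the thread describes it: a stale code is rejected."""
    return "ok" if code_matches(session, presented) else "code-mismatch"


def handle_flow_manager(session: ClientSession, requested_stage: str) -> str:
    """The alternative raised in the thread: let server-side state decide.

    A request for a stage the flow has already left is answered with a
    redirect to the stage the server currently holds, instead of an error.
    """
    if requested_stage == session.stage:
        return "ok"
    return f"redirect:{session.stage}"


def simulate_back_button() -> dict:
    """Walk the scenario from the thread and return what each strategy does."""
    session = ClientSession()
    auth_code = session.code()               # code embedded in the login-page URL
    session.advance("required-actions")      # user authenticated; key rotates
    # The user presses "back". With the Cache-Control header above the browser
    # re-requests the authentication URL, still carrying the old code.
    return {
        "strict": handle_strict(session, auth_code),
        "flow_manager": handle_flow_manager(session, "authenticate"),
        "current_page": handle_strict(session, session.code()),
        "cache_control": CACHE_CONTROL,
    }


if __name__ == "__main__":
    for strategy, outcome in simulate_back_button().items():
        print(f"{strategy}: {outcome}")
```

    <p>Running the script prints <code>strict: code-mismatch</code> for the back-button request (the scenario Bill calls out), <code>flow_manager: redirect:required-actions</code> for the server-state alternative, and <code>current_page: ok</code> for the page the user is actually on. Without the <code>Cache-Control</code> header the browser may render the old page from history without any request, so neither check runs at all; that is why the header question and the action-key question are tied together in the thread.</p>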
    <br>
  </body>
</html>