<html>
  <head>
    <meta content="text/html; charset=utf-8" http-equiv="Content-Type">
  </head>
  <body bgcolor="#FFFFFF" text="#000000">
    Lol, we used to have "back to app" button, removed it.  we still
    have a cancel button on OTP page, this just restarts the flow.  IMO,
    if users want a "back to app" button, they should just add it
    themselves.<br>
    <br>
    <div class="moz-cite-prefix">On 1/27/2016 3:58 AM, Stian Thorgersen
      wrote:<br>
    </div>
    <blockquote
cite="mid:CAJgngAcKYKcbC3J16EJzYZMs-nyFuYhgi-sDjor2ns-Mb5+0eg@mail.gmail.com"
      type="cite">
      <div dir="ltr">The back button should just re-display the current
        page. Then there should be separate link/button on the page to
        go back to the application (as long as base url is set on client
        this should always be available, even if client session has
        timed out). I think we should also consider having a button/link
        to restart the flow.</div>
      <div class="gmail_extra"><br>
        <div class="gmail_quote">On 27 January 2016 at 09:55, Stian
          Thorgersen <span dir="ltr">&lt;<a moz-do-not-send="true"
              href="mailto:sthorger@redhat.com" target="_blank">sthorger@redhat.com</a>&gt;</span>
          wrote:<br>
          <blockquote class="gmail_quote" style="margin:0 0 0
            .8ex;border-left:1px #ccc solid;padding-left:1ex">
            <div dir="ltr">The action key was introduced in the old
              days when we didn't have any state on the server that was
              aware where the flow was. Now that we have a clear state
              on the server that is fully aware of where in a flow a
              user is it shouldn't be required any more, and as long as
              the flow manager puts it in the correct state there's
              nothing that a user can do to try to jump back/forward in
              the flow.</div>
            <div class="HOEnZb">
              <div class="h5">
                <div class="gmail_extra"><br>
                  <div class="gmail_quote">On 27 January 2016 at 08:11,
                    Marek Posolda <span dir="ltr">&lt;<a
                        moz-do-not-send="true"
                        href="mailto:mposolda@redhat.com"
                        target="_blank">mposolda@redhat.com</a>&gt;</span>
                    wrote:<br>
                    <blockquote class="gmail_quote" style="margin:0 0 0
                      .8ex;border-left:1px #ccc solid;padding-left:1ex">+1
                      to restart the flow entirely when back button is
                      pressed in any stage<br>
                      (either authenticator or required actions screen).
                      Or maybe even drop<br>
                      the ClientSession entirely and redirect back to
                      the application?<br>
                      <br>
                      Once we use this "must-revalidate" header, I hope
                      we can detect that<br>
                      request was triggered by back button. Maybe we
                      will need to maintain all<br>
                      previously used action keys on ClientSessionModel,
                      so we are clearly<br>
                      able to detect that request was triggered by back
                      button?<br>
                      <br>
                      Note that I am not usability expert and I am not
                      sure what is best<br>
                      practice regarding back button and usability. But
                      redirect back to the<br>
                      application looks like most clear way to me.<br>
                      <span><font color="#888888"><br>
                          Marek<br>
                        </font></span><span><br>
                        On 26/01/16 23:36, Bill Burke wrote:<br>
                        &gt; The current thinking for browser back
                        button is to set:<br>
                        &gt;<br>
                        &gt; Cache-Control: no-store, must-revalidate,
                        max-age=0<br>
                        &gt;<br>
                        &gt; There are possible security issues with
                        this that I don't know if we<br>
                        &gt; should do this or not.  Don't know if you
                        remember how ClientSessionCode<br>
                        &gt; works, it uses a hash of the client session
                        id and the action key<br>
                        &gt; currently stored in the.  When you switch
                        from authentication to<br>
                        &gt; required actions, the action key changes. 
                        Now, if you hit the back<br>
                        &gt; button on a required action page, it would
                        take you back to an<br>
                        &gt; authentication screen.  The code check
                        would fail because the action<br>
                        &gt; keys don't match.<br>
                        &gt;<br>
                        &gt; Do we actually need this action key stuff? 
                        Can we just let the flow<br>
                        &gt; manager put the browser in the correct
                        state?  So if an "authenticate"<br>
                        &gt; url is hit and the flow is on required
                        actions, just redirect to the<br>
                        &gt; required actions URL.   I just worry that
                        this is some sort of security<br>
                        &gt; hole somehow.  Maybe we're better off just
                         resetting and restarting the<br>
                        &gt; flow entirely.<br>
                        &gt;<br>
                        <br>
                      </span>
                      <div>
                        <div>_______________________________________________<br>
                          keycloak-dev mailing list<br>
                          <a moz-do-not-send="true"
                            href="mailto:keycloak-dev@lists.jboss.org"
                            target="_blank">keycloak-dev@lists.jboss.org</a><br>
                          <a moz-do-not-send="true"
                            href="https://lists.jboss.org/mailman/listinfo/keycloak-dev"
                            rel="noreferrer" target="_blank">https://lists.jboss.org/mailman/listinfo/keycloak-dev</a><br>
                        </div>
                      </div>
                    </blockquote>
                  </div>
                  <br>
                </div>
              </div>
            </div>
          </blockquote>
        </div>
        <br>
      </div>
    </blockquote>
    <br>
    <pre class="moz-signature" cols="72">-- 
Bill Burke
JBoss, a division of Red Hat
<a class="moz-txt-link-freetext" href="http://bill.burkecentral.com">http://bill.burkecentral.com</a></pre>
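    Added example (not Keycloak's code, and not anything from the thread's authors): a minimal flow manager showing the approach discussed above, with the <tt>no-store, must-revalidate, max-age=0</tt> Cache-Control value set on every flow page, a session code hashed from the client session id plus the current action key, and a redirect to the stage the server knows the user is in instead of a failed code check when a stale URL (typically the back button) is hit. Every name here (ClientSession, STAGES, handle_request, the /restart and /app paths, the hash construction) is an assumption made for illustration.<br>

```python
import hashlib
import hmac
import secrets

# Header value from the thread: tell the browser never to serve a login-flow
# page from its history cache, so "back" always produces a fresh request.
CACHE_CONTROL_NO_STORE = "no-store, must-revalidate, max-age=0"

# Hypothetical ordering of stages in one browser login flow.
STAGES = ["authenticate", "required-actions", "done"]


class ClientSession:
    """Server-side state for one login flow (hypothetical stand-in for ClientSessionModel)."""

    def __init__(self):
        self.id = secrets.token_hex(16)
        self.stage_index = 0
        self.action_key = secrets.token_hex(8)

    @property
    def stage(self):
        return STAGES[self.stage_index]

    def advance(self):
        """Move to the next stage and rotate the action key, as the thread describes."""
        self.stage_index = min(self.stage_index + 1, len(STAGES) - 1)
        self.action_key = secrets.token_hex(8)


def session_code(session):
    """Code carried in the page URL: a hash over session id and current action key (assumed construction)."""
    return hashlib.sha256(f"{session.id}:{session.action_key}".encode()).hexdigest()


def handle_request(session, requested_stage, code):
    """Flow manager for a request to /<requested_stage>?code=<code>.

    Returns (status, location_or_body, headers). A stale page resubmitted by
    the browser is redirected to the stage the server is actually in; a code
    that still does not match the current action key restarts the flow.
    """
    headers = {"Cache-Control": CACHE_CONTROL_NO_STORE}

    # No session at all: nothing to resume, restart the flow.
    if session is None:
        return 302, "/restart", headers

    # Flow already finished: send the browser back to the application
    # ("/app" stands in for the client's configured base URL).
    if session.stage == "done":
        return 302, "/app", headers

    # Stale URL (typically the back button): put the browser in the correct state
    # rather than rendering an earlier screen or failing the code check.
    if requested_stage != session.stage:
        return 302, f"/{session.stage}", headers

    # Code check against the *current* action key; a mismatch means the page
    # was not issued for this stage, so reset rather than render.
    if not hmac.compare_digest(code, session_code(session)):
        return 302, "/restart", headers

    return 200, f"render {session.stage}", headers


if __name__ == "__main__":
    s = ClientSession()
    first_code = session_code(s)
    print(handle_request(s, "authenticate", first_code))            # 200, render
    s.advance()  # authentication succeeded, now on required actions
    print(handle_request(s, "authenticate", first_code))            # back button -> redirect
    print(handle_request(s, "required-actions", first_code))        # stale code -> restart
    print(handle_request(s, "required-actions", session_code(s)))   # current page -> render
```
The point of the example is the ordering of the checks: the stage comparison runs before the code comparison, so a back-button request to the authentication URL while the flow is on required actions becomes a redirect to the required-actions URL instead of a code mismatch error.<br>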
  </body>
</html>