<div dir="ltr"><br><div class="gmail_extra"><br><div class="gmail_quote">On 28 January 2016 at 15:47, Bill Burke <span dir="ltr"><<a href="mailto:bburke@redhat.com" target="_blank">bburke@redhat.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">PR is building...<br>
<br>
Browser back button will now either restart the flow (and create a new<br>
client session) or not allow you off your current page depending on the<br>
protocol and where you are in the flow.<br>
<br>
* If your protocol is initiated by a GET request and the back button<br>
brings you to the 1st rendered page (username/password) this starts a<br>
new flow<br>
* If your protocol is initiated by a POST request (SAML Post binding)<br>
things work a bit differently. This initial post request will redirect<br>
you to the "authenticate" URL. Then if your back button brings you to<br>
the username/password page, you will not see it and just stay on your<br>
current page.<br>
* If your back button click brings you to the 2nd page in the flow, you<br>
will just be stuck on your current page.<br>
<br>
Try it out. Hopefully all these refresh and back button issues are done<br>
now.<br>
<br>
Some changes to make this happen:<br>
* The "code" in the URL o the flow used to be generated by hashing the<br>
current action key, the current action (AUTHENTICATE, REQUIRE_ACTION),<br>
and the realm secret key. The action key changed whenever you changed<br>
the current action...NOW the action key does NOT change for the whole<br>
flow. The action key is automatically generated once when you create<br>
the ClientSession and never changed again.<br></blockquote><div><br></div><div>Is the action key even needed then?</div><div> </div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
* Consent page no longer changes the current action to OAUTH_GRANT.<br>
Consent page is now considered a REQUIRED_ACTION action and treated as<br>
such. This was to support back button here too.<br>
* Cache-Control: no-store, must-revalidate, max-age=0 is now set in the<br>
response for every endpoint on LoginActionsService and any protocol<br>
entry point.<br>
<span class="HOEnZb"><font color="#888888"><br>
--<br>
Bill Burke<br>
JBoss, a division of Red Hat<br>
<a href="http://bill.burkecentral.com" rel="noreferrer" target="_blank">http://bill.burkecentral.com</a><br>
<br>
_______________________________________________<br>
keycloak-dev mailing list<br>
<a href="mailto:keycloak-dev@lists.jboss.org">keycloak-dev@lists.jboss.org</a><br>
<a href="https://lists.jboss.org/mailman/listinfo/keycloak-dev" rel="noreferrer" target="_blank">https://lists.jboss.org/mailman/listinfo/keycloak-dev</a><br>
</font></span></blockquote></div><br></div></div>