[keycloak-user] What is the point of the cancel button on the log-in screen?

Gabriel Cardoso gcardoso at redhat.com
Fri Oct 17 11:33:57 EDT 2014


Since the goal of the Cancel button is to go back, how about presenting a “Back to application” link instead of a Cancel button? If that’s the only purpose of the button, an explicit label is better.

Gabriel

On Oct 10, 2014, at 9:18 AM, Stian Thorgersen <stian at redhat.com> wrote:

> 
> 
> ----- Original Message -----
>> From: "Stan Silvert" <ssilvert at redhat.com>
>> To: "Stian Thorgersen" <stian at redhat.com>
>> Cc: keycloak-user at lists.jboss.org
>> Sent: Friday, 10 October, 2014 2:08:27 PM
>> Subject: Re: [keycloak-user] What is the point of the cancel button on the log-in screen?
>> 
>> On 10/10/2014 7:48 AM, Stian Thorgersen wrote:
>>> It's required, so don't remove.
>>> 
>>> If we don't have a cancel button there's no way for users to go back to the
>>> application if they don't want to login (or can't for some reason). Also,
>>> there are other situations where a login can fail, in which an error query
>>> param is returned to application instead of a code. For example oauth
>>> client grant page (a user can accept or reject giving the client the
>>> required permissions), etc. The adapters need to be able to handle these
>>> properly. IMO if login is cancelled there are two basic use-cases:
>>> 
>>> * User clicked on log in link - in this case application should just return
>>> to the initial page
>> This I agree with.  Ideally, that's what the cancel button should always do.
>>> * User clicked on a page that requires login - in this case the application
>>> should probably show an 'unauthorized access' page which needs to be
>>> customizable by the application
>> In this case we should not have a button labeled "cancel".  The user
>> expects a cancel button to go back.  So we shouldn't have a button that
>> we know will yield unexpected results.
>> 
>> Perhaps we should have a help button instead that provides a friendly
>> message about what is going on.
> 
> I think we still should have a cancel button by default. The user may still want to go back to other parts of the app that don't require authentication.
> 
> Also, as I mentioned there are other situations that result in similar errors that an application has to handle. Do we just throw an exception, and let the standard war error handling take care of it? Either case we should add something like it to our demo.
> 
> We could add an option to hide the cancel button though. Could for example add an optional query param "no_cancel".
> 
>>> 
>>> ----- Original Message -----
>>>> From: "Stan Silvert" <ssilvert at redhat.com>
>>>> To: keycloak-user at lists.jboss.org
>>>> Sent: Friday, 10 October, 2014 1:40:12 PM
>>>> Subject: Re: [keycloak-user] What is the point of the cancel button on the
>>>> log-in screen?
>>>> 
>>>> Does the cancel button EVER work properly?
>>>> 
>>>> I'm starting to side with Alarik.  In any situation where we know the
>>>> cancel button won't work, we need to either fix it or remove it.
>>>> 
>>>> On 10/10/2014 3:09 AM, Stian Thorgersen wrote:
>>>>> The back button still submits the form, but then instead of processing the
>>>>> login redirects with error set. So it's already not an open redirect.
>>>>> 
>>>>> We should fix the adapter to show an error page though. Another thing is
>>>>> that the adapter needs some way of customising error pages.
>>>>> 
>>>>> ----- Original Message -----
>>>>>> From: "Bill Burke" <bburke at redhat.com>
>>>>>> To: keycloak-user at lists.jboss.org
>>>>>> Sent: Thursday, 9 October, 2014 7:02:18 PM
>>>>>> Subject: Re: [keycloak-user] What is the point of the cancel button on
>>>>>> the
>>>>>> log-in screen?
>>>>>> 
>>>>>> We would have to remember referrer information somehow via the adapter to
>>>>>> know where to redirect to.  This cancel redirection URL would be an
>>>>>> extension to OIDC I think and would require to be validated so that we
>>>>>> don't create an open redirector security vulnerability.  Maybe we
>>>>>> should just show a Keycloak rendered error page?
>>>>>> 
>>>>>> 
>>>>>> On 10/9/2014 12:46 PM, Stan Silvert wrote:
>>>>>>> I guess I'm stating the obvious, but the cancel button should take you
>>>>>>> back to where you were before being challenged by the login screen.  To
>>>>>>> the extent that is possible, the cancel button should stay.  We should
>>>>>>> never rely on the back button.
>>>>>>> 
>>>>>>> I just tried it on our demo and recreated the 400 error.  We should fix
>>>>>>> this if possible.
>>>>>>> 
>>>>>>> On 10/9/2014 12:18 PM, Alarik Myrin wrote:
>>>>>>>> At least with the Wildfly adapter, clicking cancel gets you a HTTP 400
>>>>>>>> -- Bad Request on your protected resource, and doing something more
>>>>>>>> graceful would take some thinking.
>>>>>>>> 
>>>>>>>> It's not clear to me what *should* happen when clicking cancel.  Users
>>>>>>>> in a browser have a back button, or a button to close the tab, and
>>>>>>>> they can always use that to get out of the login screen.
>>>>>>>> 
>>>>>>>> Maybe the cancel button should just be removed?
>>>>>>>> 
>>>>>>>> Alarik
>>>>>>>> 
>>>>>>>> 
>>>>>>>> 
>>>>>>>> _______________________________________________
>>>>>>>> keycloak-user mailing list
>>>>>>>> keycloak-user at lists.jboss.org
>>>>>>>> https://lists.jboss.org/mailman/listinfo/keycloak-user
>>>>>>> 
>>>>>>> 
>>>>>> --
>>>>>> Bill Burke
>>>>>> JBoss, a division of Red Hat
>>>>>> http://bill.burkecentral.com
>>>>>> 
>>>> 
>> 
>> 

---
Gabriel Cardoso
User Experience Designer @ Red Hat
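
Added example, not part of the original thread and not Keycloak adapter code: a sketch of the application-side handling discussed above, where a cancelled login comes back with an error query parameter instead of a code, and the return target is validated so it cannot be used as an open redirector. The paths, the session keys ("state", "return_to") and the access_denied sample value are assumptions made for illustration.

```python
import hmac
from urllib.parse import parse_qs, urlsplit

# Hypothetical application settings, constructed for this example.
PUBLIC_PATHS = {"/", "/products"}      # pages that do not require login
UNAUTHORIZED_PAGE = "/unauthorized"    # application-customisable error page


def safe_return_path(candidate, default="/"):
    """Return candidate only if it is a local path of this application."""
    if not candidate or not candidate.startswith("/") or candidate.startswith("//"):
        return default
    # Backslashes and control characters are normalised by browsers in ways
    # that can turn a "local" path into another host.
    if "\\" in candidate or any(ord(c) < 0x20 for c in candidate):
        return default
    parts = urlsplit(candidate)
    if parts.scheme or parts.netloc:
        return default
    return parts.path + ("?" + parts.query if parts.query else "")


def handle_callback(callback_url, session):
    """Decide what to do with the redirect back from the login server.

    session holds what was stored before redirecting to the login page:
    "state" and "return_to" (the page the user came from).
    """
    query = parse_qs(urlsplit(callback_url).query)
    state = query.get("state", [""])[0]
    expected = session.get("state") or ""
    if not expected or not hmac.compare_digest(state.encode(), expected.encode()):
        return ("reject", 400)
    if "error" in query:
        # Login was cancelled or refused: never echo a URL from the query string.
        target = safe_return_path(session.get("return_to"))
        if urlsplit(target).path in PUBLIC_PATHS:
            return ("redirect", target)          # user clicked a log in link
        return ("redirect", UNAUTHORIZED_PAGE)   # user hit a protected page
    if "code" in query:
        return ("exchange_code", query["code"][0])
    return ("reject", 400)
```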
