[keycloak-user] What is the point of the cancel button on the log-in screen?

Stian Thorgersen stian at redhat.com
Fri Oct 17 11:46:26 EDT 2014



----- Original Message -----
> From: "Gabriel Cardoso" <gcardoso at redhat.com>
> To: keycloak-user at lists.jboss.org
> Sent: Friday, 17 October, 2014 5:33:57 PM
> Subject: Re: [keycloak-user] What is the point of the cancel button on the log-in screen?
> 
> Since the goal of the Cancel button is to go back, how about presenting a
> “Back to application” link instead of a Cancel button? If that’s the only
> purpose of the button, an explicit label is better.

The problem isn't the label, it's what the app does when you return to it

> 
> Gabriel
> 
> On Oct 10, 2014, at 9:18 AM, Stian Thorgersen < stian at redhat.com > wrote:
> 
> ----- Original Message -----
> 
> 
> From: "Stan Silvert" < ssilvert at redhat.com >
> To: "Stian Thorgersen" < stian at redhat.com >
> Cc: keycloak-user at lists.jboss.org
> Sent: Friday, 10 October, 2014 2:08:27 PM
> Subject: Re: [keycloak-user] What is the point of the cancel button on the
> log-in screen?
> 
> On 10/10/2014 7:48 AM, Stian Thorgersen wrote:
> 
> 
> It's required, so don't remove.
> 
> If we don't have a cancel button there's no way for users to go back to the
> application if they don't want to login (or can't for some reason). Also,
> there are other situations where a login can fail, in which an error query
> param is returned to application instead of a code. For example oauth
> client grant page (a user can accept or reject giving the client the
> required permissions), etc. The adapters need to be able to handle these
> properly. IMO if login is cancelled there are two basic use-cases:
> 
> * User clicked on log in link - in this case application should just return
> to the initial page
> This I agree with. Ideally, that's what the cancel button should always do.
> 
> 
> * User clicked on a page that requires login - in this case the application
> should probably show an 'unauthorized access' page which needs to be
> customizable by the application
> In this case we should not have a button labeled "cancel". The user
> expects a cancel button to go back. So we shouldn't have a button that
> we know will yield unexpected results.
> 
> Perhaps we should have a help button instead that provides a friendly
> message about what is going on.
> 
> I think we still should have a cancel button by default. The user may still
> want to go back to other parts of the app that don't require
> authentication.
> 
> Also, as I mentioned there are other situations that result in similar
> errors that an application has to handle. Do we just throw an exception, and
> let the standard war error handling take care of it? Either case we should
> add something like it to our demo.
> 
> We could add an option to hide the cancel button though. Could for example
> add an optional query param "no_cancel".
> 
> 
> ----- Original Message -----
> 
> 
> From: "Stan Silvert" < ssilvert at redhat.com >
> To: keycloak-user at lists.jboss.org
> Sent: Friday, 10 October, 2014 1:40:12 PM
> Subject: Re: [keycloak-user] What is the point of the cancel button on the
> log-in screen?
> 
> Does the cancel button EVER work properly?
> 
> I'm starting to side with Alarik. In any situation where we know the
> cancel button won't work, we need to either fix it or remove it.
> 
> On 10/10/2014 3:09 AM, Stian Thorgersen wrote:
> 
> 
> The back button still submits the form, but instead of processing the
> login it redirects with error set. So it's already not an open redirect.
> 
> We should fix the adapter to show an error page though. Another thing is
> that the adapter needs some way of customising error pages.
> 
> ----- Original Message -----
> 
> 
> From: "Bill Burke" < bburke at redhat.com >
> To: keycloak-user at lists.jboss.org
> Sent: Thursday, 9 October, 2014 7:02:18 PM
> Subject: Re: [keycloak-user] What is the point of the cancel button on
> the
> log-in screen?
> 
> We would have to remember referrer information somehow via the adapter to
> know where to redirect to. This cancel redirection URL would be an
> extension to OIDC I think and would require to be validated so that we
> don't create an open-redirector security vulnerability. Maybe we
> should just show a Keycloak rendered error page?
> 
> 
> On 10/9/2014 12:46 PM, Stan Silvert wrote:
> 
> 
> I guess I'm stating the obvious, but the cancel button should take you
> back to where you were before being challenged by the login screen. To
> the extent that is possible, the cancel button should stay. We should
> never rely on the back button.
> 
> I just tried it on our demo and recreated the 400 error. We should fix
> this if possible.
> 
> On 10/9/2014 12:18 PM, Alarik Myrin wrote:
> 
> 
> At least with the Wildfly adapter, clicking cancel gets you a HTTP 400
> -- Bad Request on your protected resource, and doing something more
> graceful would take some thinking.
> 
> It's not clear to me what *should* happen when clicking cancel. Users
> in a browser have a back button, or a button to close the tab, and
> they can always use that to get out of the login screen.
> 
> Maybe the cancel button should just be removed?
> 
> Alarik
> 
> 
> 
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user
> 
> 
> --
> Bill Burke
> JBoss, a division of Red Hat
> http://bill.burkecentral.com
> 
> 
> 
> 
> 
> ---
> Gabriel Cardoso
> User Experience Designer @ Red Hat
> 
> 
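The thread above turns on two points: the adapter receives `error=...` instead of `code=...` on the redirect URI when the user cancels (or rejects the grant page), and any "return to where you were" link must not become an open redirector. The block below is an added illustration of how a relying party's callback handler can deal with both; it is not Keycloak adapter code and not from any participant in the thread. The session dictionary, the `new_login_session`/`handle_callback` helpers and the sample parameters are all constructed for this example; a real adapter would keep the pre-login URL and `state` in the HTTP session or a signed cookie.

```python
"""
Added example (not Keycloak adapter code): handling an OIDC redirect that
carries `error=...` instead of `code=...` (user pressed Cancel, denied the
client-grant page, etc.) and sending the user back to a pre-login location
without creating an open redirector.
"""
import hmac
import secrets
from urllib.parse import urlsplit


def new_login_session(return_to: str, required_login: bool) -> dict:
    """Record what the adapter knew when it sent the user to the login page.

    `return_to`      - the local path the user was on before the challenge
    `required_login` - True when the page itself required authentication
                       (the 'unauthorized access' case in the thread),
                       False when the user merely clicked a log-in link.
    The `state` value is echoed back by the IdP on both success and error
    responses and is checked so a forged callback cannot drive the flow.
    """
    return {
        "state": secrets.token_urlsafe(16),
        "return_to": return_to,
        "required_login": required_login,
    }


def safe_local_path(candidate, default: str = "/") -> str:
    """Accept only same-site, path-absolute targets.

    Rejects anything with a scheme or host (https://evil, //evil, and the
    '/\\evil' form some browsers normalise to //evil) and falls back to a
    fixed local default, so the stored return location cannot be abused
    as an open redirect even if an attacker controlled it.
    """
    if not candidate:
        return default
    parts = urlsplit(candidate)
    if parts.scheme or parts.netloc:
        return default
    if not candidate.startswith("/") or candidate.startswith(("//", "/\\")):
        return default
    return candidate


def handle_callback(params: dict, session: dict) -> dict:
    """Decide what the application does with the IdP's redirect.

    Returns a small action record instead of writing an HTTP response so
    the logic can be exercised without a web framework.
    """
    # 1. `state` must match on every response, error ones included (CSRF check).
    state = params.get("state") or ""
    if not hmac.compare_digest(state, session.get("state", "")):
        return {"status": 400, "action": "reject", "reason": "state mismatch"}

    # 2. Error response: the user cancelled, denied consent, or login failed.
    error = params.get("error")
    if error:
        if session.get("required_login"):
            # The original page needed a login; show a customisable
            # 'unauthorized access' page rather than a bare 400.
            return {
                "status": 403,
                "action": "render_unauthorized_page",
                "error": error,
                "description": params.get("error_description", ""),
            }
        # The user only clicked a log-in link; send them back where they were,
        # but only to a validated local path.
        return {
            "status": 302,
            "action": "redirect",
            "location": safe_local_path(session.get("return_to")),
        }

    # 3. Success response: hand the code to the token exchange step.
    code = params.get("code")
    if not code:
        return {"status": 400, "action": "reject", "reason": "neither code nor error"}
    return {"status": 200, "action": "exchange_code", "code": code}
```

The `required_login` flag is what distinguishes the two use-cases Stian lists: a cancelled optional login goes back to the page the user came from, a cancelled mandatory login gets an application-rendered error page. Keeping the return location server-side and filtering it through `safe_local_path` is what makes the "back to application" behaviour safe; taking the target from a query parameter on the redirect URI without that check would be the open-redirector Bill warns about.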


