[keycloak-user] Login timeout

Juraci Paixão Kröhling juraci at kroehling.de
Thu Jul 16 11:04:18 EDT 2015


Bill,

Thanks for your answer. While I understand what happens in the 
background, I still have some concerns about the user experience of this 
process. More inline.

On 07/16/2015 12:07 AM, Bill Burke wrote:
> Yeah, we are fixing timeouts a little.  There are 2 timeouts:  Timeout
> of a login action.  This happens if you take too long in the login
> process.  In this case the login session is still active in memory.
> What we'll do is just redirect the user to the login screen to start
> over and give them this error message.  "You took too long to login.
> Please restart login process.".

For this timeout, I don't see a reason why it can't just start a fresh 
login session and perform the login with the provided credentials. I 
have the basic scenario in mind, and I realize that this might not 
*always* be possible, but the server should know which scenarios are 
possible and which aren't, right? From the user's perspective, I can't 
understand why my credentials weren't accepted the first time, but 
accepted the second time, a couple of seconds later.

> Next one is timeout of the session.  When this happens, we have no
> information on how to complete the login.  Information like the SAML
> Request or OIDC query parameters.  In this case we will be redirecting
> back to the client.  Client will choose whether to restart
> authentication over or not.

This seems trickier, but similar to the above: the server knows (based 
on the realm) if just starting a new session is enough, no?

> I'm not sure we can fix this.  If there is a session timeout, we have no
> information on how to complete the authentication as this information
> has been wiped out.  So the only option is to redirect back to the
> client in this situation.

Actually, the user is *not* redirected back to the original application. 
Entering the login/password again will just do the right thing: the user 
will be logged in, and then redirected back to the original application.

- Juca.
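As an added illustration (this is not Keycloak code and not code from anyone in the thread), the following Python model replays the two timeouts Bill describes: a login action timeout, where the login session is still in memory and the user is sent back to the login screen with the quoted error, and a login session timeout, where the session and the request parameters are gone and the user is redirected to the client. The timeout lengths, the class and function names, the test user, and the assumption that the login form POST still carries the client_id so the server can look up the client's base URL are all assumptions made for this example.

```python
import secrets
from dataclasses import dataclass

# Assumed values for this example; the thread names the two timeouts but not their lengths.
LOGIN_ACTION_TIMEOUT = 300     # seconds one login step may take before the action times out
LOGIN_SESSION_TIMEOUT = 1800   # seconds before the whole login session is dropped

# Error text quoted in the thread for the login action timeout.
ACTION_TIMEOUT_MESSAGE = "You took too long to login. Please restart login process."


@dataclass
class LoginSession:
    """In-memory state for one login in progress (a model, not Keycloak's own class)."""
    client_id: str
    redirect_uri: str      # where the client asked to be sent back (from the OIDC/SAML request)
    state: str             # protocol parameter that must survive until the final redirect
    started_at: float
    last_action_at: float


class AuthServer:
    def __init__(self, clients, users):
        self.clients = clients   # client_id -> configured base URL (assumed known to the server)
        self.users = users       # username -> password (constructed test data only)
        self.sessions = {}       # login session id -> LoginSession, held in memory

    def start_login(self, sid, client_id, redirect_uri, state, now):
        self.sessions[sid] = LoginSession(client_id, redirect_uri, state, now, now)

    def _drop_expired(self, now):
        # Session timeout: the login session, and with it the request parameters, is wiped.
        for sid in [s for s, ls in self.sessions.items()
                    if now - ls.started_at > LOGIN_SESSION_TIMEOUT]:
            del self.sessions[sid]

    def submit_credentials(self, sid, client_id, username, password, now):
        self._drop_expired(now)
        ls = self.sessions.get(sid)
        if ls is None:
            # Session timeout: nothing is left to complete the flow with, so the user goes
            # back to the client's base URL and the client decides whether to start over.
            return {"action": "redirect", "location": self.clients[client_id],
                    "reason": "session_timeout"}
        if now - ls.last_action_at > LOGIN_ACTION_TIMEOUT:
            # Login action timeout: the session is still in memory, so the flow restarts at
            # the login screen with an error; the credentials just submitted are not checked.
            ls.last_action_at = now
            return {"action": "login_form", "error": ACTION_TIMEOUT_MESSAGE}
        ls.last_action_at = now
        if self.users.get(username) != password:
            return {"action": "login_form", "error": "Invalid username or password."}
        # Success: the parameters kept in the login session complete the protocol flow.
        del self.sessions[sid]
        code = secrets.token_urlsafe(16)
        return {"action": "redirect",
                "location": f"{ls.redirect_uri}?state={ls.state}&code={code}",
                "reason": "authenticated"}


def demo():
    """Run the three cases from the thread against the model and return the outcomes."""
    server = AuthServer(clients={"app": "https://app.example/"},
                        users={"alice": "correct horse"})
    out = {}
    # 1. Prompt submission: accepted, redirected with the original state parameter.
    server.start_login("s1", "app", "https://app.example/callback", "xyz", now=0)
    out["prompt"] = server.submit_credentials("s1", "app", "alice", "correct horse", now=10)
    # 2. Slow submission: action timeout, then the same credentials succeed a few seconds later.
    server.start_login("s2", "app", "https://app.example/callback", "abc", now=0)
    out["slow_first"] = server.submit_credentials("s2", "app", "alice", "correct horse", now=400)
    out["slow_retry"] = server.submit_credentials("s2", "app", "alice", "correct horse", now=405)
    # 3. Very late submission: login session wiped, user sent to the client's base URL.
    server.start_login("s3", "app", "https://app.example/callback", "def", now=0)
    out["late"] = server.submit_credentials("s3", "app", "alice", "correct horse", now=2000)
    return out


if __name__ == "__main__":
    for name, result in demo().items():
        print(name, result)
```

The second case reproduces the experience described in the reply: the same credentials are rejected once with the timeout message and accepted on the retry moments later, because the server resets the action clock rather than processing the submission.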

