[keycloak-user] Bookmarking keycloak login pages

Matt Evans mevans at aconex.com
Tue Aug 22 21:03:25 EDT 2017


Currently it fails on returning to the client application. Ideally what they'd want is that it should work, and the authentication be completed in the client app and they are logged in. I guess that this is not possible with OIDC as IdP-initiated SSO isn't supported.

The problem is that the login page is easily bookmarkable. People aren't bookmarking our client application page, because as soon as they go there they are unauthenticated and so get immediately redirected to keycloak. The first page of our client application effectively becomes the keycloak login page with all the query string auth crud that OIDC adds on, so it's natural that users would bookmark this page to get back to from their favourites.

I wonder if the best we can do in this situation is perhaps:

1) enable POST, so that the client app can POST the OIDC request and include the OIDC auth parameters as POST body parameters
2) allow a default URL to be set in the realm (or a default client?)
3) allow Keycloak to redirect to the default URL/client if it receives a GET request on the realm auth endpoint without the required parameters

Something like this would allow us to configure Keycloak to redirect clients that have bookmarked the URL to our main app for the realm, to start the OIDC process off and be redirected back to Keycloak with all the OIDC auth params for a login attempt.

-----Original Message-----
From: keycloak-user-bounces at lists.jboss.org [mailto:keycloak-user-bounces at lists.jboss.org] On Behalf Of Stan Silvert
Sent: Tuesday, 22 August 2017 8:56 PM
To: keycloak-user at lists.jboss.org
Subject: Re: [keycloak-user] Bookmarking keycloak login pages

What do they want to happen after they log in?

On 8/21/2017 10:47 PM, Matt Evans wrote:
> We have people that have bookmarked the login page of keycloak so that they can return there and authenticate, rather than go to the client app page and be redirected.
>
> This doesn't work because the bookmark they have contains time-sensitive information, e.g. the nonce and state etc. So they can authenticate correctly, but when redirected to the application it fails.
>
> Is there anything that can be done for this situation? I thought perhaps including the information as POST body parameters and doing a POST rather than redirecting with query string parameters, but this doesn't work, POST is not an accepted HTTP method. Also I assume that returning there from a bookmark won't work either because that POST body information will be missing...
>
> Matt
>
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user

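The failure described in this thread, and Matt's third proposal (bounce a parameter-less GET on the auth endpoint to a realm default URL), as an added Python simulation. This is not code from the thread, from Keycloak, or from the poster's application: the endpoint URL, the `REQUIRED` parameter list, the `default_url` behaviour and the stand-in authorization code are all assumptions made for illustration. The point it shows is why a bookmarked authorization URL can never complete a login: `state` is minted per request and stored in the user's browser session, so a day-old bookmark carries a `state` that no current session remembers, and a correctly written relying party must reject the callback.

```python
"""Simulation of an OIDC relying party (RP) and a hypothetical provider.

Illustration only; not Keycloak code. Endpoint, parameter names beyond the
standard OIDC ones, and the default-URL redirect are assumptions.
"""
import secrets
from urllib.parse import parse_qs, urlencode, urlsplit

# Hypothetical authorization endpoint; the real Keycloak path is not assumed here.
AUTH_ENDPOINT = "https://idp.example/realms/demo/protocol/openid-connect/auth"

# Parameters an authorization request cannot be served without (assumed list).
REQUIRED = ("client_id", "redirect_uri", "response_type", "scope")


# ----- relying party (the client application) -----

def build_authorization_url(session, client_id, redirect_uri):
    """Mint fresh state and nonce, remember them in this browser session only."""
    state = secrets.token_urlsafe(32)   # CSRF binding between request and callback
    nonce = secrets.token_urlsafe(32)   # replay binding for the ID token
    session["oidc_state"] = state
    session["oidc_nonce"] = nonce
    params = {
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "response_type": "code",
        "scope": "openid",
        "state": state,
        "nonce": nonce,
    }
    return AUTH_ENDPOINT + "?" + urlencode(params)


def handle_callback(session, callback_url):
    """Accept the code only if the state matches what this session minted.

    The stored state is popped so it is single-use; a bookmark replayed in the
    same session after a successful login is rejected too.
    """
    q = parse_qs(urlsplit(callback_url).query)
    returned_state = q.get("state", [None])[0]
    expected = session.pop("oidc_state", None)
    if expected is None or returned_state is None:
        return "rejected: no pending state in this session"
    if not secrets.compare_digest(expected, returned_state):
        return "rejected: state mismatch"
    return "ok: code " + q.get("code", ["?"])[0]


# ----- hypothetical provider behaviour -----

def authorization_endpoint_get(request_url, default_url):
    """GET without the required params (a bare bookmark) -> 302 to default_url.

    This is the behaviour proposed in the thread, not something Keycloak is
    known to do; it is assumed for the example.
    """
    q = parse_qs(urlsplit(request_url).query)
    missing = [p for p in REQUIRED if p not in q]
    if missing:
        return ("302", default_url)
    return ("200", "login form for client " + q["client_id"][0])


def complete_login(request_url):
    """After a successful login the provider echoes the request's state back
    verbatim alongside a code (a random stand-in code here)."""
    q = parse_qs(urlsplit(request_url).query)
    code = secrets.token_hex(8)
    return q["redirect_uri"][0] + "?" + urlencode({"code": code, "state": q["state"][0]})


def bookmark_scenario():
    """Day 1: normal login. Day 2: same URL opened from a bookmark in a new
    browser session. Login succeeds at the provider both times; only the first
    callback is accepted by the RP."""
    day1 = {}
    url = build_authorization_url(day1, "myapp", "https://app.example/cb")
    first = handle_callback(day1, complete_login(url))
    day2 = {}                      # new session: nothing stored
    second = handle_callback(day2, complete_login(url))   # bookmarked url
    return first, second


if __name__ == "__main__":
    print(bookmark_scenario())
    print(authorization_endpoint_get(AUTH_ENDPOINT, "https://app.example/"))
```

The simulation also shows why the POST idea alone would not help: whether the parameters travel in a query string or a POST body, the `state` value is still bound to the session that created it, so only a redirect from the provider back to the application's entry point (which then mints a fresh request) turns a bookmark into a working login.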