[keycloak-user] Bookmarking keycloak login pages

Phillip Fleischer pcfleischer at outlook.com
Thu Aug 24 19:38:42 EDT 2017 

We’ve been working around a lot of usability issues lately with the javascript adapter and the state callback and nonce.

It seems like the library is designed around the assumption that the client always initiates the authorization request which seems like a good idea but in practice there’s a decent number of use cases where external applications will initiate an authentication (including bookmarks).

We’re looking at adding a handler before the keycloak initialization to extend the adapter to ignore state and none.  I know, not super secure, but we tried using the “check-sso” initialization method as a workaround as well but the iframe session check was too overly complicated than just handling the code and overriding the needless security.  Holding back flasbacks of saml 1.0 with nonce and body hash...


> On Aug 24, 2017, at 8:00 AM, Stan Silvert <ssilvert at redhat.com> wrote:
> 
> Thanks.  That's very useful information.  I had no idea that a usability 
> problem like that even existed.  It does make sense though.
> 
> Have you tried putting a message on the login page to say, "Don't 
> bookmark this", or do you mean you've just tried to get the word out 
> another way?
> 
> It might be possible to put a button on the login page that lets the 
> user bookmark the target application.  We could even add this as a 
> feature of Keycloak if this is a common usability problem. But from my 
> initial research of the subject, doing so can be a little tricky for 
> some browsers.
> 
> On 8/23/2017 11:01 PM, Matt Evans wrote:
>> Sorry, I'm probably not explaining it clearly enough!
>> 
>> We have end users that have followed these steps, assuming app.example.com is our app and idp.example.com is keycloak:
>> 
>> 1) User opens browser to app.example.com
>> 2) app.example.com detects that they are unauthenticated and redirects them to idp.example.com with the appropriate oidc parameters
>> 3) idp.example.com keycloak shows the login page, user bookmarks this page so they can return to it later
>> 4) user logs in and is redirected back to app.example.com
>> 5) later they re-open their browser and go to the bookmark, which takes them directly to keycloak login page with the previous oidc parameters
>> 
>> This seems to be what a lot of our users are doing, and telling them to bookmark app.example.com, or the page at app.example.com that they return to after logging in via keycloak doesn't help
>> 
>> Matt
>> 
>> 
>> -----Original Message-----
>> From: Stan Silvert [mailto:ssilvert at redhat.com]
>> Sent: Wednesday, 23 August 2017 10:10 PM
>> To: Matt Evans <mevans at aconex.com>; keycloak-user at lists.jboss.org
>> Subject: Re: [keycloak-user] Bookmarking keycloak login pages
>> 
>> I don't understand what you are saying about people not bookmarking the client application page "because as soon as they go there they are unauthenticated".
>> 
>> The usual procedure is to log in and then set the bookmark to the main page of the application.  If that main page URL has "auth crud" in it then something is wrong.  They should not bookmark the login page.  They bookmark the page presented after login.
>> 
>> Then if you use the bookmark it will go straight to the application if you are already logged in.  If you are not logged in it presents the login page.
>> 
>> 
>> On 8/22/2017 9:03 PM, Matt Evans wrote:
>>> Currently it fails on returning to the client application. Ideally what they'd want is that it should work, and the authentication be completed in the client app and they are logged in. I guess that this is not possible with OIDC as idp-initiated sso isn't supported.
>>> 
>>> The problem is that the login page is easily bookmarkable. People aren't bookmarking our client application page, because as soon as they go there they are unauthenticated and so get immediately redirected to keycloak. The first page of our client application effectively becomes the keycloak login page with all the query string auth crud that OIDC adds on, so it's natural that users would bookmark this page to get back to from their favourites.
>>> 
>>> I wonder if the best we can do in this situation is perhaps:
>>> 
>>> 1) enable POST, so that the client app can POST the OIDC request and
>>> include the OIDC auth parameters as post body parameters
>>> 2) allow a default url to be set in the realm (or a default client?)
>>> 3) allow keycloak to redirect to the default url/client if it receives
>>> a GET request on the realm auth endpoint without the required
>>> parameters
>>> 
>>> Something like this would allow us to configure keycloak to redirect clients that have bookmarked the url to our main app for the realm to start the OIDC process off and be redirected back to keycloak with all the OIDC auth params for a login attempt.
>>> 
>>> -----Original Message-----
>>> From: keycloak-user-bounces at lists.jboss.org
>>> [mailto:keycloak-user-bounces at lists.jboss.org] On Behalf Of Stan
>>> Silvert
>>> Sent: Tuesday, 22 August 2017 8:56 PM
>>> To: keycloak-user at lists.jboss.org
>>> Subject: Re: [keycloak-user] Bookmarking keycloak login pages
>>> 
>>> What do they want to happen after they log in?
>>> 
>>> On 8/21/2017 10:47 PM, Matt Evans wrote:
>>>> We have people that have bookmarked the login page of keycloak so that they can return there and authenticate, rather than go to the client app page and be redirected.
>>>> 
>>>> This doesn't work because the bookmark they have contains time sensitive information, e.g. the nonce and state etc. So they can authenticate correctly, but when redirected to the application it fails.
>>>> 
>>>> Is there anything that can be done for this situation? I thought perhaps including the information as post body parameters and doing a post rather than redirecting with query string parameters, but this doesn't work, POST is not an accepted http method. Also I assume that returning there from a bookmark won't work either because that post body information will be missing...
>>>> 
>>>> Matt
>>>> 
>>>> _______________________________________________
>>>> keycloak-user mailing list
>>>> keycloak-user at lists.jboss.org
>>>> https://lists.jboss.org/mailman/listinfo/keycloak-user
>>> _______________________________________________
>>> keycloak-user mailing list
>>> keycloak-user at lists.jboss.org
>>> https://lists.jboss.org/mailman/listinfo/keycloak-user
> 
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user

More information about the keycloak-user mailing list