Re: [keycloak-dev] Better support authenticationSessions in multiple browser tabs
On Wed, Nov 29, 2017 at 9:09 AM, Marek Posolda <mposolda(a)redhat.com> wrote:
On 29/11/17 14:44, Stian Thorgersen wrote:
> I would target this to 3.4.2. I don't want to delay the 3.4.1 release
> if we can help it.
>
> I'd also suggest some (short if possible) random key (or a counter?!)
> rather than relying on protocol specific values. 'state' is not
> actually required in OAuth right? It's just recommended.
Yes, it's not required. And same for SAML. Was wondering about the same.
Will use the random key or counter. Thinking if counter doesn't have
some corner case issues (EG. If 2 tabs are opened concurrently after
logout and will try to use same counter value as authSession update from
tab2 won't be yet visible in tab1).
the "state" parameter IS required. Its how the client can figure out
that it initiated the login or not.
I don't understand your solution...BTW, going back to auth_session_id
within the URL instead of a cookie like we used to do would fix this
too :). If you're already going to add a "client-id" query parameter,
why not just revert back to the old way of doing this?
--
Bill Burke
Red Hat