I think a) is ok, but not the ideal.

b) however is problematic IMO. In the case of required actions, why not just display the next required action associated with the user? That would be the equivalent of a.

There's also another bug related to this which is that if you try to change the language on a page in the middle of the auth flow it blows up.

On 14 October 2015 at 18:58, Bill Burke <bburke@redhat.com> wrote:
I've been looking into a couple of "browser refresh" bugs.  Currently,
if an HTTP request to the auth flow spi did not match the state of the
client session you would

a) have the flow reset if you were currently in the process of
authenticating
b) Show an error screen if you aren't currently authenticating (i.e.
performing required actions)

Now I remember why I did it this way.  It is impossible to detect the
difference between a browser refresh and somebody hitting the back
button and resubmitting a previous form.  Hitting "browser refresh" will
resubmit any previous form POST.  So, you have no idea if the user is
refreshing the current page or resubmitting after a browser back button.

So, I think it is best to keep things the way it is now.  Thoughts?


--
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com
_______________________________________________
keycloak-dev mailing list
keycloak-dev@lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-dev