Hitting the cancel button works. Hitting the cancel button sends you
back to the app, which sends you back to keycloak and starts a new
client session. So that would work fine.
What doesn't work is refreshing the page. Kerberos won't be attempted
again. Would it be ok that any browser page refresh might completely
reset the authentication flow and the user has to re login? If so, I
think I have a solution to the problem, but it would take quite a bit of
refactoring of the auth spi...Not another two months of work :) But
probably another few days or a week.
--
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com