I'm changing browser refresh behavior again.
I've removed all the extra redirects, so now you can end up being on
the OTP page, but the URL is the one posted to by the password page. Refreshing
the page will repost the password, Keycloak will see that the current action
is not the same, and just ask the flow to put the browser in the right
state. Similarly with required actions.
--
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com