Hi,
look at
https://issues.jboss.org/browse/ORG-2774 to see why correct
handling of Back button is necessary ;-)
Please note that this concrete issue is against Keycloak 1.6, I'm going
to retest it against KC 1.8 and 1.9 to see if it is resolved or not, but
it shows how common users behave and what they expect.
I believe that in common flows the Back button should work as expected by
users, not break the common user experience. Simply send the user one screen
back and allow them to correctly perform the other actions provided on this
page. I understand that there may be some flow where this is not possible
and a bit different behaviour may be used, but these exceptions must be
carefully considered, not implemented as common rules for all actions.
The bug report also shows that clear error pages/messages should be
provided to the users, and a reasonable action should be provided to them to
recover from the error state if possible.
Vlastimil
On 26.1.2016 23:36, Bill Burke wrote:
> The current thinking for browser back button is to set:
> Cache-Control: no-store, must-revalidate, max-age=0
> There are possible security issues with this that I don't know if we
> should do this or not. Don't know if you remember how ClientSessionCode
> works, it uses a hash of the client session id and the action key
> currently stored in the. When you switch from authentication to
> required actions, the action key changes. Now, if you hit the back
> button on a required action page, it would take you back to an
> authentication screen. The code check would fail because the action
> keys don't match.
> Do we actually need this action key stuff? Can we just let the flow
> manager put the browser in the correct state? So if an "authenticate"
> url is hit and the flow is on required actions, just redirect to the
> required actions URL. I just worry that this is some sort of security
> hole somehow. Maybe we're better off just resetting and restarting the
> flow entirely.
--
Vlastimil Elias
Principal Software Engineer
Developer Portal Engineering Team
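The following is an added illustration of the two back-button strategies discussed in the thread (the strict action-key check versus letting the flow manager redirect the browser to the current stage). It is not Keycloak code and not written by either participant: the stage names, the `ClientSession` class, the handler functions and the `/login/...` URLs are all assumptions made for this sketch. The client-session code is modelled, as Bill describes, as a hash over the client session id and the current action key, and every response carries the proposed `Cache-Control` header.

```python
"""Sketch of two ways to handle a stale client-session code after the Back button.

Hypothetical code: names and URLs are assumptions for illustration, not Keycloak's.
"""
import hashlib
import hmac
import secrets

# Ordered stages of a simplified browser login flow (assumed).
STAGES = ["authenticate", "required-actions", "complete"]

# Headers proposed in the thread so the browser re-fetches login pages
# instead of replaying a stale form out of its history cache.
NO_STORE_HEADERS = {"Cache-Control": "no-store, must-revalidate, max-age=0"}


def client_session_code(client_session_id: str, action_key: str) -> str:
    """Code embedded in the login form: hash of client session id and action key."""
    return hashlib.sha256(f"{client_session_id}:{action_key}".encode()).hexdigest()


class ClientSession:
    """Server-side state for one client login; the action key rotates per stage."""

    def __init__(self, client_session_id: str):
        self.id = client_session_id
        self.stage = "authenticate"
        self.action_key = secrets.token_hex(16)

    def advance(self) -> None:
        """Move to the next stage; rotating the key invalidates codes on older pages."""
        self.stage = STAGES[STAGES.index(self.stage) + 1]
        self.action_key = secrets.token_hex(16)

    def restart(self) -> None:
        """Reset the whole flow to the first stage with a fresh key."""
        self.stage = "authenticate"
        self.action_key = secrets.token_hex(16)

    def current_code(self) -> str:
        return client_session_code(self.id, self.action_key)


def handle_strict(session: ClientSession, requested_stage: str, code: str) -> dict:
    """Strategy 1 (behaviour described in the thread): any code mismatch is an error."""
    if not hmac.compare_digest(code, session.current_code()):
        return {"status": 400, "body": "invalid code", "headers": NO_STORE_HEADERS}
    return {"status": 200, "body": f"page:{requested_stage}", "headers": NO_STORE_HEADERS}


def handle_flow_managed(session: ClientSession, requested_stage: str, code: str) -> dict:
    """Strategy 2 (the proposal): on a stale code, let the flow state decide.

    A request for a stage earlier than the one the session is in (the Back
    button replaying an old page) is redirected forward to the current stage.
    Any other mismatch restarts the flow rather than trusting the request.
    """
    if requested_stage not in STAGES:
        return {"status": 404, "body": "unknown stage", "headers": NO_STORE_HEADERS}
    if hmac.compare_digest(code, session.current_code()):
        return {"status": 200, "body": f"page:{requested_stage}", "headers": NO_STORE_HEADERS}
    if STAGES.index(requested_stage) < STAGES.index(session.stage):
        return {"status": 302, "location": f"/login/{session.stage}", "headers": NO_STORE_HEADERS}
    session.restart()
    return {"status": 302, "location": "/login/authenticate", "headers": NO_STORE_HEADERS}


def back_button_scenario(strict: bool) -> dict:
    """Simulate: user authenticates, lands on required actions, then presses Back.

    The browser resubmits the authentication page with the code baked into it,
    which is now stale because the action key rotated on advance().
    """
    session = ClientSession("cs-123")      # constructed session id
    stale_code = session.current_code()    # code embedded in the login page
    session.advance()                      # authentication succeeded
    handler = handle_strict if strict else handle_flow_managed
    return handler(session, "authenticate", stale_code)


if __name__ == "__main__":
    print("strict:      ", back_button_scenario(True))
    print("flow-managed:", back_button_scenario(False))
```

With the strict handler the replayed page produces an error response, which is the behaviour the bug report complains about; with the flow-managed handler the same replay is answered with a redirect to the stage the session is actually in, and a mismatch that is not explained by the Back button falls back to the "reset and restart" option Bill mentions.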