On 28 January 2016 at 15:47, Bill Burke <bburke@redhat.com> wrote:
PR is building...

Browser back button will now either restart the flow (and create a new
client session) or not allow you off your current page depending on the
protocol and where you are in the flow.

* If your protocol is initiated by a GET request and the back button
brings you to the 1st rendered page (username/password) this starts a
new flow
* If your protocol is initiated by a POST request (SAML Post binding)
things work a bit differently.  This initial post request will redirect
you to the "authenticate" URL.  Then if your back button brings you to
the username/password page, you will not see it and just stay on your
current page.
* If your back button click brings you to the 2nd page in the flow, you
will just be stuck on your current page.

Try it out.  Hopefully all these refresh and back button issues are done

Some changes to make this happen:
* The "code" in the URL o the flow used to be generated by hashing the
current action key, the current action (AUTHENTICATE, REQUIRE_ACTION),
and the realm secret key.  The action key changed whenever you changed
the current action...NOW the action key does NOT change for the whole
flow.  The action key is automatically generated once when you create
the ClientSession and never changed again.

Is the action key even needed then?
* Consent page no longer changes the current action to OAUTH_GRANT.
Consent page is now considered a REQUIRED_ACTION action and treated as
such.  This was to support back button here too.
* Cache-Control: no-store, must-revalidate, max-age=0  is now set in the
response for every endpoint on LoginActionsService and any protocol
entry point.

Bill Burke
JBoss, a division of Red Hat

keycloak-dev mailing list