4:05 a.m.
Right now, when user goes to keycloak admin console and he doesn't have
access (any admin roles assigned), he is logged out automatically. It's
done by "whoami" endpoint, which returns 401 in this case.
Shouldn't we instead just display some notification like "Forbidden, you
don't have access" instead of automatically logout user?
My point is links between various admin consoles. For example when user
is logged in hawtio admin console and he click on link to Keycloak admin
console. But when he don't have access, he is logged out automatically,
which does SSO logout and logout him also from hawtio. To me it looks
like bit confusing behaviour tbh.
Also do we have plan to add support for referrer in KC admin console
similarly like account mgmt has?
Marek
4:15 a.m.
New subject: Automatic logout from KC admin console for non-authorized users
----- Original Message -----
From: "Marek Posolda" <mposolda(a)redhat.com>
To: keycloak-dev(a)lists.jboss.org
Sent: Tuesday, 3 February, 2015 10:05:19 AM
Subject: [keycloak-dev] Automatic logout from KC admin console for non-authorized users
Right now, when user goes to keycloak admin console and he doesn't have
access (any admin roles assigned), he is logged out automatically. It's
done by "whoami" endpoint, which returns 401 in this case.
+1000 Logging-out the user is just plain stupid, cant' believe we do that
Shouldn't we instead just display some notification like "Forbidden, you
don't have access" instead of automatically logout user?
My point is links between various admin consoles. For example when user
is logged in hawtio admin console and he click on link to Keycloak admin
console. But when he don't have access, he is logged out automatically,
which does SSO logout and logout him also from hawtio. To me it looks
like bit confusing behaviour tbh.
Also do we have plan to add support for referrer in KC admin console
similarly like account mgmt has?
I don't think referrer is the correct approach. What about if we add a feature to
Keycloak that lets you retrieve all applications a user has access to (where a user has at
least one role?) and that has a base url configured for it (maybe this should be changed
to default page). Then we can use this information to add an application switcher to all
consoles (like Google has, see attachment). This is probably something we should discuss
with Management .Next guys though ;)
Marek
_______________________________________________
keycloak-dev mailing list
keycloak-dev(a)lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-dev
4:31 a.m.
On 3.2.2015 10:15, Stian Thorgersen wrote:
----- Original Message -----
> From: "Marek Posolda" <mposolda(a)redhat.com>
> To: keycloak-dev(a)lists.jboss.org
> Sent: Tuesday, 3 February, 2015 10:05:19 AM
> Subject: [keycloak-dev] Automatic logout from KC admin console for non-authorized
users
>
> Right now, when user goes to keycloak admin console and he doesn't have
> access (any admin roles assigned), he is logged out automatically. It's
> done by "whoami" endpoint, which returns 401 in this case.
+1000 Logging-out the user is just plain stupid, cant' believe we do that
I've created https://issues.jboss.org/browse/KEYCLOAK-1025
> Shouldn't we instead just display some notification like "Forbidden, you
> don't have access" instead of automatically logout user?
>
> My point is links between various admin consoles. For example when user
> is logged in hawtio admin console and he click on link to Keycloak admin
> console. But when he don't have access, he is logged out automatically,
> which does SSO logout and logout him also from hawtio. To me it looks
> like bit confusing behaviour tbh.
>
> Also do we have plan to add support for referrer in KC admin console
> similarly like account mgmt has?
I don't think referrer is the correct approach. What about if we add a feature to
Keycloak that lets you retrieve all applications a user has access to (where a user has at
least one role?) and that has a base url configured for it (maybe this should be changed
to default page). Then we can use this information to add an application switcher to all
consoles (like Google has, see attachment). This is probably something we should discuss
with Management .Next guys though ;)
Looks like great solution from long-term
perspective. It's perhaps
something to discuss with management .next to see if other "product
consoles" are interested in this feature.
Marek
> Marek
> _______________________________________________
> keycloak-dev mailing list
> keycloak-dev(a)lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-dev
>
6:11 p.m.
On 2/3/2015 4:31 AM, Marek Posolda wrote:
On 3.2.2015 10:15, Stian Thorgersen wrote:
> ----- Original Message -----
>> From: "Marek Posolda" <mposolda(a)redhat.com>
>> To: keycloak-dev(a)lists.jboss.org
>> Sent: Tuesday, 3 February, 2015 10:05:19 AM
>> Subject: [keycloak-dev] Automatic logout from KC admin console for non-authorized
users
>>
>> Right now, when user goes to keycloak admin console and he doesn't have
>> access (any admin roles assigned), he is logged out automatically. It's
>> done by "whoami" endpoint, which returns 401 in this case.
> +1000 Logging-out the user is just plain stupid, cant' believe we do that
I've created https://issues.jboss.org/browse/KEYCLOAK-1025
>> Shouldn't we instead just display some notification like "Forbidden,
you
>> don't have access" instead of automatically logout user?
>>
>> My point is links between various admin consoles. For example when user
>> is logged in hawtio admin console and he click on link to Keycloak admin
>> console. But when he don't have access, he is logged out automatically,
>> which does SSO logout and logout him also from hawtio. To me it looks
>> like bit confusing behaviour tbh.
>>
>> Also do we have plan to add support for referrer in KC admin console
>> similarly like account mgmt has?
> I don't think referrer is the correct approach. What about if we add a feature to
Keycloak that lets you retrieve all applications a user has access to (where a user has at
least one role?) and that has a base url configured for it (maybe this should be changed
to default page). Then we can use this information to add an application switcher to all
consoles (like Google has, see attachment). This is probably something we should discuss
with Management .Next guys though ;)
Looks like great solution from long-term perspective. It's perhaps
something to discuss with management .next to see if other "product
consoles" are interested in this feature.
+1 There definitely is interest.
Marek
>> Marek
>> _______________________________________________
>> keycloak-dev mailing list
>> keycloak-dev(a)lists.jboss.org
>> https://lists.jboss.org/mailman/listinfo/keycloak-dev
>>
_______________________________________________
keycloak-dev mailing list
keycloak-dev(a)lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-dev
3368
days inactive
3368
days old
3 comments
3 participants
participants (3)
-
Marek Posolda -
Stan Silvert -
Stian Thorgersen