11:58 a.m.
I've been looking into a couple of "browser refresh" bugs. Currently,
if an HTTP request to the auth flow spi did not match the state of the
client session you would
a) have the flow reset if you were currently in the process of
authenticating
b) Show an error screen if you aren't currently authenticating (i.e.
performing required actions)
Now I remember why I did it this way. It is impossible to detect the
difference between a browser refresh and somebody hitting the back
button and resubmitting a previous form. Hitting "browser refresh" will
resubmit any previous form POST. So, you have no idea if the user is
refreshing the current page or resubmitting after a browser back button.
So, I think it is best to keep things the way it is now. Thoughts?
--
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com
12:20 p.m.
I think a) is ok, but not the ideal.
b) however is problematic IMO. In the case of required actions, why not
just display the next required action associated with the user? That would
be the equivalent of a.
There's also another bug related to this which is that if you try to change
the language on a page in the middle of the auth flow it blows up.
On 14 October 2015 at 18:58, Bill Burke <bburke(a)redhat.com> wrote:
I've been looking into a couple of "browser refresh"
bugs. Currently,
if an HTTP request to the auth flow spi did not match the state of the
client session you would
a) have the flow reset if you were currently in the process of
authenticating
b) Show an error screen if you aren't currently authenticating (i.e.
performing required actions)
Now I remember why I did it this way. It is impossible to detect the
difference between a browser refresh and somebody hitting the back
button and resubmitting a previous form. Hitting "browser refresh" will
resubmit any previous form POST. So, you have no idea if the user is
refreshing the current page or resubmitting after a browser back button.
So, I think it is best to keep things the way it is now. Thoughts?
--
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com
_______________________________________________
keycloak-dev mailing list
keycloak-dev(a)lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-dev
8:20 a.m.
I'm working on a solution for this stuff. For browser flows I'm going
to do a 302 redirect after successful posts. I'm also going to do a 302
redirect after authentication and before going into the required-actions
phase. This will get the browser to a "safe" URL that if refresh button
is hit, the flow manager can decide what the correct state is. Back
button will still result in an error screen though.
On 10/14/2015 1:20 PM, Stian Thorgersen wrote:
I think a) is ok, but not the ideal.
b) however is problematic IMO. In the case of required actions, why not
just display the next required action associated with the user? That
would be the equivalent of a.
There's also another bug related to this which is that if you try to
change the language on a page in the middle of the auth flow it blows up.
On 14 October 2015 at 18:58, Bill Burke <bburke(a)redhat.com
<mailto:bburke@redhat.com>> wrote:
I've been looking into a couple of "browser refresh" bugs. Currently,
if an HTTP request to the auth flow spi did not match the state of the
client session you would
a) have the flow reset if you were currently in the process of
authenticating
b) Show an error screen if you aren't currently authenticating (i.e.
performing required actions)
Now I remember why I did it this way. It is impossible to detect the
difference between a browser refresh and somebody hitting the back
button and resubmitting a previous form. Hitting "browser refresh" will
resubmit any previous form POST. So, you have no idea if the user is
refreshing the current page or resubmitting after a browser back button.
So, I think it is best to keep things the way it is now. Thoughts?
--
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com
_______________________________________________
keycloak-dev mailing list
keycloak-dev(a)lists.jboss.org <mailto:keycloak-dev@lists.jboss.org>
https://lists.jboss.org/mailman/listinfo/keycloak-dev
--
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com
3380
days inactive
3381
days old
2 comments
2 participants
participants (2)
-
Bill Burke -
Stian Thorgersen