1:47 p.m.
Hi,
when user successfully logs in (either after registration or login) then hitting back
button shows KC page (login/registration) again.
This looks to be a bug to me because user is logged in and should be allowed to do only
logout. No login or registration.
I tried how google.com <http://google.com/> behaves and when you successfully logs
in then hitting back button is handled correctly - their sso realize that you’re logged in
and then user is redirected to requested page. No login page.
I think KC should follow same behavior.
Jira for login flow: https://issues.jboss.org/browse/KEYCLOAK-2768
<https://issues.jboss.org/browse/KEYCLOAK-2768>
Jira for reg. flow: https://issues.jboss.org/browse/KEYCLOAK-2740
<https://issues.jboss.org/browse/KEYCLOAK-2740>
Thanks,
Libor Krzyžanek
Principal Software Engineer
Red Hat Developers | Engineering
3:31 p.m.
I agree it should either show a page is no longer valid message or redirect
back to origin as you're suggesting. The latter is the best, but we need to
be able to identify that's actually what should be done. I tried with
Google and it actually didn't work for me, it showed me the password page
again.
On 7 April 2016 at 13:47, Libor Krzyzanek <lkrzyzan(a)redhat.com> wrote:
Hi,
when user successfully logs in (either after registration or login) then
hitting back button shows KC page (login/registration) again.
This looks to be a bug to me because user is logged in and should be
allowed to do only logout. No login or registration.
I tried how google.com behaves and when you successfully logs in then
hitting back button is handled correctly - their sso realize that you’re
logged in and then user is redirected to requested page. No login page.
I think KC should follow same behavior.
Jira for login flow: https://issues.jboss.org/browse/KEYCLOAK-2768
Jira for reg. flow: https://issues.jboss.org/browse/KEYCLOAK-2740
Thanks,
Libor Krzyžanek
Principal Software Engineer
Red Hat Developers | Engineering
_______________________________________________
keycloak-dev mailing list
keycloak-dev(a)lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-dev
9:59 a.m.
Thanks Stian for getting my point.
Here is screencast how google works for me:
https://dl.dropboxusercontent.com/u/40512422/devel/keycloak/google-login-...
<https://dl.dropboxusercontent.com/u/40512422/devel/keycloak/google-login-...
Let me describe these things from really “end user” perspective.
If I’m trying to feel like a really “end-user” the only thing that Login Server is
responsible for is provide me a way (registration or login) to give me access to let’s
call it “secured content".
I don’t care about login server. I care about the secured content.
If I’m successfully logged in and SSO session exists I should not see any “no longer
valid” message because it’s not true. I’m logged in so everything is OK and I didn’t make
any mistake. I successfully logs in and should get the “secured content”.
In case the login server would give me “page is no longer valid” brings to my mind
something like “I was logged out” or “I did something wrong” or “I need to do something
again like do login again".
Thanks,
Libor Krzyžanek
Principal Software Engineer
Red Hat Developers | Engineering
On Apr 7, 2016, at 3:31 PM, Stian Thorgersen
<sthorger(a)redhat.com> wrote:
I agree it should either show a page is no longer valid message or redirect back to
origin as you're suggesting. The latter is the best, but we need to be able to
identify that's actually what should be done. I tried with Google and it actually
didn't work for me, it showed me the password page again.
On 7 April 2016 at 13:47, Libor Krzyzanek <lkrzyzan(a)redhat.com
<mailto:lkrzyzan@redhat.com>> wrote:
Hi,
when user successfully logs in (either after registration or login) then hitting back
button shows KC page (login/registration) again.
This looks to be a bug to me because user is logged in and should be allowed to do only
logout. No login or registration.
I tried how google.com <http://google.com/> behaves and when you successfully logs
in then hitting back button is handled correctly - their sso realize that you’re logged in
and then user is redirected to requested page. No login page.
I think KC should follow same behavior.
Jira for login flow: https://issues.jboss.org/browse/KEYCLOAK-2768
<https://issues.jboss.org/browse/KEYCLOAK-2768>
Jira for reg. flow: https://issues.jboss.org/browse/KEYCLOAK-2740
<https://issues.jboss.org/browse/KEYCLOAK-2740>
Thanks,
Libor Krzyžanek
Principal Software Engineer
Red Hat Developers | Engineering
_______________________________________________
keycloak-dev mailing list
keycloak-dev(a)lists.jboss.org <mailto:keycloak-dev@lists.jboss.org>
https://lists.jboss.org/mailman/listinfo/keycloak-dev
<https://lists.jboss.org/mailman/listinfo/keycloak-dev>
6:55 a.m.
I agree with you on usability. If possible just re-direct back is is the
best, but not sure if that's possible especially considering custom
authenticators. If I click back button and displayed a "form no longer
valid" page I'd at least assume that I'm not allowed to resubmit the form,
so I thought that could be a compromise.
I don't actually get that behavior and Google shows me the password page
again when I click the back button. Maybe it's because I've got totp
enabled, but it's strange that it displays password page, not totp page
(which was the last page on login flow).
On 8 April 2016 at 09:59, Libor Krzyzanek <lkrzyzan(a)redhat.com> wrote:
Thanks Stian for getting my point.
Here is screencast how google works for me:
https://dl.dropboxusercontent.com/u/40512422/devel/keycloak/google-login-...
Let me describe these things from really “end user” perspective.
If I’m trying to feel like a really “end-user” the only thing that Login
Server is responsible for is provide me a way (registration or login) to
give me access to let’s call it “secured content".
I don’t care about login server. I care about the secured content.
If I’m successfully logged in and SSO session exists I should not see any
“no longer valid” message because it’s not true. I’m logged in so
everything is OK and I didn’t make any mistake. I successfully logs in and
should get the “secured content”.
In case the login server would give me “page is no longer valid” brings to
my mind something like “I was logged out” or “I did something wrong” or “I
need to do something again like do login again".
Thanks,
Libor Krzyžanek
Principal Software Engineer
Red Hat Developers | Engineering
On Apr 7, 2016, at 3:31 PM, Stian Thorgersen <sthorger(a)redhat.com> wrote:
I agree it should either show a page is no longer valid message or
redirect back to origin as you're suggesting. The latter is the best, but
we need to be able to identify that's actually what should be done. I tried
with Google and it actually didn't work for me, it showed me the password
page again.
On 7 April 2016 at 13:47, Libor Krzyzanek <lkrzyzan(a)redhat.com> wrote:
> Hi,
> when user successfully logs in (either after registration or login) then
> hitting back button shows KC page (login/registration) again.
>
> This looks to be a bug to me because user is logged in and should be
> allowed to do only logout. No login or registration.
>
> I tried how google.com behaves and when you successfully logs in then
> hitting back button is handled correctly - their sso realize that you’re
> logged in and then user is redirected to requested page. No login page.
>
> I think KC should follow same behavior.
>
> Jira for login flow: https://issues.jboss.org/browse/KEYCLOAK-2768
> Jira for reg. flow: https://issues.jboss.org/browse/KEYCLOAK-2740
>
> Thanks,
>
> Libor Krzyžanek
> Principal Software Engineer
> Red Hat Developers | Engineering
>
>
> _______________________________________________
> keycloak-dev mailing list
> keycloak-dev(a)lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-dev
>
2938
days inactive
2942
days old
3 comments
2 participants
participants (2)
-
Libor Krzyzanek -
Stian Thorgersen