I'll take another stab at this.
On 11/13/2015 9:02 AM, Bill Burke wrote:
-------- Forwarded Message --------
Subject: [keycloak-dev] changes to browser-based flows
Date: Fri, 16 Oct 2015 10:39:19 -0400
From: Bill Burke <bburke(a)redhat.com>
To: keycloak-dev(a)lists.jboss.org <keycloak-dev(a)lists.jboss.org>
FYI: Not important if you are uninterested in design.
Prior to my last commit if you hit the browser refresh button you would
either have had the authentication flow completely reset or received an
error page. Also, changing the locale on some required actions pages
would end up in an error condition.
So...To fix this I made some changes to browser based flows:
* After any successful action processing (i.e. a form POST), the browser
is sent a 302 redirect to a "safer" page. If you are in the
authentication phase, then this redirect will be to
/authenticate?code={code}, registration /register?code={code}, reset
credentials /reset-credentials?code={code}, required actions
/required-action?code={code}. When these URIs are executed, Keycloak
will figure out where the user is in the flow and render things
appropriately.
* After authentication, the browser will be 302 redirected to
/required-action?code={code}
The reason for these changes is to support when the user clicks the
browser refresh button. The refresh button will resubmit the previous
request. Prior to this change there were issues with this. For
example, previously, if there was a required action and you just logged
in via username and password, the URI in the browser would still point
to the username/password page even though the required action page was
being rendered. If the refresh button was hit, the previous username
password POST would be resent to the username/password page, Keycloak
would say "WTF are you doing?!?" and abort. There were similar issues
like this everywhere.
Other things affected by this fix:
* required actions no longer change the ACTION_KEY or the
ClientSessionModel.getAction().
* ClientSessionModel.getAction() will either be AUTHENTICATION,
REQUIRED_ACTIONS, EXECUTE_ACTIONS, LOGGED_OUT, or OAUTH_GRANT.
* After authentication, the flow manager will change the action from
AUTHENTICATION to REQUIRED_ACTIONS.
Overall, this is less performant as there are additional HTTP redirect
requests being thrown in, but should provide a better user experience.
--
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com
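The redirect-after-POST design described in the forwarded mail, as an added example in Python that is not Keycloak's code: a constructed flow dispatcher using the action values and URIs named in the mail, where the user store, the pending-action list and the page names are assumptions.

```python
# Constructed model (not Keycloak's code) of the post-redirect-get pattern the
# mail describes: every successful form POST answers with a 302 to a page
# carrying ?code=, and that GET page renders whatever step the client session
# is currently at, so a browser refresh only repeats an idempotent GET.

# Values of ClientSessionModel.getAction() named in the mail.
AUTHENTICATION, REQUIRED_ACTIONS = "AUTHENTICATION", "REQUIRED_ACTIONS"

# Hypothetical user store for the demo: password and pending required actions.
USERS = {"alice": {"password": "correct-horse", "required": ["UPDATE_PASSWORD"]}}


class BrowserFlow:
    """Dispatches browser requests against client sessions keyed by ?code=."""

    def __init__(self):
        self.sessions = {}

    def start(self, code):
        self.sessions[code] = {"action": AUTHENTICATION, "user": None, "pending": []}

    def handle(self, method, path, code, form=None):
        """Return (status, value): a Location for 302, a page name for 200."""
        s, form = self.sessions[code], form or {}
        if method == "POST" and path == "/authenticate":
            # A replayed login POST after the session has moved on (the old
            # refresh failure mode) no longer matches the flow state: abort.
            if s["action"] != AUTHENTICATION:
                return 400, "POST does not match action " + s["action"]
            user = USERS.get(form.get("username"))
            if user is None or user["password"] != form.get("password"):
                return 200, "login-form-with-error"
            # Successful action: the flow manager moves AUTHENTICATION to
            # REQUIRED_ACTIONS and redirects to the safe GET page.
            s.update(action=REQUIRED_ACTIONS, user=form["username"],
                     pending=list(user["required"]))
            return 302, "/required-action?code=" + code
        if method == "POST" and path == "/required-action":
            if s["action"] != REQUIRED_ACTIONS or not s["pending"]:
                return 400, "POST does not match action " + s["action"]
            s["pending"].pop(0)  # the required action's own form processing
            return 302, "/required-action?code=" + code
        if method == "GET" and path in ("/authenticate", "/required-action"):
            # The GET page ignores which URI was hit and renders the current step.
            if s["action"] == AUTHENTICATION:
                return 200, "login-form"
            if s["pending"]:
                return 200, "required-action:" + s["pending"][0]
            return 200, "flow-complete"  # what follows is outside the mail's scope
        return 404, "no such page"
```

Refreshing the browser after login now repeats the GET of /required-action?code=..., which renders the same page again, whereas a replay of the earlier login POST is rejected because the session's action has already advanced.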