Bill,
Thanks for your answer. While I understand what happens in the
background, I still have some concerns about the user experience of this
process. More inline.
On 07/16/2015 12:07 AM, Bill Burke wrote:
Yeah, we are fixing timeouts a little. There are 2 timeouts:
Timeout of a login action. This happens if you take too long in the login
process. In this case the login session is still active in memory.
What we'll do is just redirect the user to the login screen to start
over and give them this error message: "You took too long to login.
Please restart login process."
For this timeout, I don't see a reason why it can't just start a fresh
login session and perform the login with the provided credentials. I
have the basic scenario in mind, and I realize that this might not
*always* be possible, but the server should know which scenarios are
possible and which aren't, right? From the user's perspective, I can't
understand why my credentials weren't accepted the first time, but
were accepted the second time, a couple of seconds later.
Next one is timeout of the session. When this happens, we have no
information on how to complete the login. Information like the SAML
Request or OIDC query parameters. In this case we will be redirecting
back to the client. Client will choose whether to restart
authentication over or not.
This seems trickier, but similar to the above: the server knows (based
on the realm) if just starting a new session is enough, no?
I'm not sure we can fix this. If there is a session timeout, we have no
information on how to complete the authentication as this information
has been wiped out. So the only option is to redirect back to the
client in this situation.
Actually, the user is *not* redirected back to the original application.
Entering the login/password again will just do the right thing: the user
will be logged in, and then redirected back to the original application.
- Juca.
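The two timeouts Bill describes behave differently because of what the server still holds when each one fires. The toy model below, added here as an illustration and not Keycloak's own code, makes that difference concrete: an in-memory login session keeps the client, redirect URI and OIDC state from the original request; a login-action timeout leaves that data in place (so the flow can be restarted for the same client), while a session timeout wipes it, leaving only the registered client base URL to fall back to. The store class, field names, timeout constants and sample client data are assumptions constructed for this example.

```python
"""Toy model of the two login timeouts discussed in the thread.

Added illustration, not Keycloak code. The store, field names, timeout
values and the sample client are assumptions made up for this example.
"""
from dataclasses import dataclass
from typing import Dict, Optional

# Assumed timeout values in seconds; real deployments configure their own.
LOGIN_ACTION_TIMEOUT = 300      # how long one login step may take
LOGIN_SESSION_TIMEOUT = 1800    # how long the whole login session lives


@dataclass
class LoginSession:
    """State of an in-progress login, kept server-side while the flow runs."""
    client_id: str
    redirect_uri: str           # where the client asked to receive the user
    oidc_state: str             # 'state' parameter from the original request
    created_at: float
    last_action_at: float


@dataclass
class Outcome:
    """What the server decides to do with a submitted login form."""
    action: str                 # "continue", "restart_login" or "redirect_to_client"
    redirect_uri: Optional[str] = None
    message: Optional[str] = None


class LoginSessionStore:
    def __init__(self, registered_clients: Dict[str, str]) -> None:
        # client_id -> base URL the client is registered with (constructed data)
        self._clients = registered_clients
        self._sessions: Dict[str, LoginSession] = {}

    def start(self, session_id: str, client_id: str, redirect_uri: str,
              oidc_state: str, now: float) -> None:
        self._sessions[session_id] = LoginSession(
            client_id, redirect_uri, oidc_state, now, now)

    def _expire_sessions(self, now: float) -> None:
        # Session timeout: the whole login session goes away, including the
        # original OIDC/SAML request parameters needed to finish the flow.
        for sid, s in list(self._sessions.items()):
            if now - s.created_at > LOGIN_SESSION_TIMEOUT:
                del self._sessions[sid]

    def handle_login_submit(self, session_id: str, client_id: str,
                            now: float) -> Outcome:
        """Decide what happens when credentials are posted at time `now`.

        `client_id` comes from the login form's action URL, which is the only
        client information still available once the session has been wiped.
        """
        self._expire_sessions(now)
        s = self._sessions.get(session_id)
        if s is None:
            # Session timeout branch: nothing left to complete the login with,
            # so the best the server can do is send the user back to the client.
            return Outcome("redirect_to_client",
                           redirect_uri=self._clients.get(client_id))
        if now - s.last_action_at > LOGIN_ACTION_TIMEOUT:
            # Login-action timeout branch: the session (and the original
            # request data) is still here, so a fresh login session for the
            # same client can be started before showing the error message.
            self.start(session_id, s.client_id, s.redirect_uri, s.oidc_state, now)
            return Outcome("restart_login", redirect_uri=s.redirect_uri,
                           message="You took too long to login. "
                                   "Please restart login process.")
        s.last_action_at = now
        return Outcome("continue", redirect_uri=s.redirect_uri)


if __name__ == "__main__":
    store = LoginSessionStore({"my-app": "https://app.example.test/"})
    store.start("s1", "my-app", "https://app.example.test/callback", "abc123", now=0.0)
    print(store.handle_login_submit("s1", "my-app", now=100.0))      # continue
    print(store.handle_login_submit("s1", "my-app", now=401.0))      # restart_login
    print(store.handle_login_submit("s1", "my-app", now=2202.0))     # redirect_to_client
```

The `restart_login` branch is the one Juca's first comment is about: everything needed to start over (client, redirect URI, state) is still in memory, which is why the server can restart the login session itself rather than only telling the user to. The `redirect_to_client` branch has nothing but the client id from the form URL, which is why no OIDC state survives it.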