Currently it fails on returning to the client application. Ideally what they'd want is
that it should work, and the authentication be completed in the client app and they are
logged in. I guess that this is not possible with OIDC as idp-initiated sso isn't
supported.
The problem is that the login page is easily bookmarkable. People aren't bookmarking
our client application page, because as soon as they go there they are unauthenticated and
so get immediately redirected to keycloak. The first page of our client application
effectively becomes the keycloak login page with all the query string auth crud that OIDC
adds on, so it's natural that users would bookmark this page to get back to from their
favourites.
I wonder if the best we can do in this situation is perhaps:
1) enable POST, so that the client app can POST the OIDC request and include the OIDC auth
parameters as post body parameters
2) allow a default url to be set in the realm (or a default client?)
3) allow keycloak to redirect to the default url/client if it receives a GET request on
the realm auth endpoint without the required parameters
Something like this would allow us to configure keycloak to redirect clients that have
bookmarked the url to our main app for the realm to start the OIDC process off and be
redirected back to keycloak with all the OIDC auth params for a login attempt.
-----Original Message-----
From: keycloak-user-bounces(a)lists.jboss.org [mailto:keycloak-user-bounces@lists.jboss.org]
On Behalf Of Stan Silvert
Sent: Tuesday, 22 August 2017 8:56 PM
To: keycloak-user(a)lists.jboss.org
Subject: Re: [keycloak-user] Bookmarking keycloak login pages
What do they want to happen after they log in?
On 8/21/2017 10:47 PM, Matt Evans wrote:
We have people that have bookmarked the login page of keycloak so
that they can return there and authenticate, rather than go to the client app page and be
redirected.
This doesn't work because the bookmark they have contains time sensitive information,
e.g. the nonce and state etc. So they can authenticate correctly, but when redirected to
the application it fails.
Is there anything that can be done for this situation? I thought perhaps including the
information as post body parameters and doing a post rather than redirecting with query
string parameters, but this doesn't work, POST is not an accepted http method. Also I
assume that returning there from a bookmark won't work either because that post body
information will be missing...
Matt
_______________________________________________
keycloak-user mailing list
keycloak-user(a)lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-user
_______________________________________________
keycloak-user mailing list
keycloak-user(a)lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-user