10:01 p.m.
Sorry, I'm probably not explaining it clearly enough!
We have end users that have followed these steps, assuming app.example.com is our app and
idp.example.com is keycloak:
1) User opens browser to app.example.com
2) app.example.com detects that they are unauthenticated and redirects them to
idp.example.com with the appropriate oidc parameters
3) idp.example.com keycloak shows the login page, user bookmarks this page so they can
return to it later
4) user logs in and is redirected back to app.example.com
5) later they re-open their browser and go to the bookmark, which takes them directly to
keycloak login page with the previous oidc parameters
This seems to be what a lot of our users are doing, and telling them to bookmark
app.example.com, or the page at app.example.com that they return to after logging in via
keycloak doesn't help
Matt
-----Original Message-----
From: Stan Silvert [mailto:ssilvert@redhat.com]
Sent: Wednesday, 23 August 2017 10:10 PM
To: Matt Evans <mevans(a)aconex.com>; keycloak-user(a)lists.jboss.org
Subject: Re: [keycloak-user] Bookmarking keycloak login pages
I don't understand what you are saying about people not bookmarking the client
application page "because as soon as they go there they are unauthenticated".
The usual procedure is to log in and then set the bookmark to the main page of the
application. If that main page URL has "auth crud" in it then something is
wrong. They should not bookmark the login page. They bookmark the page presented after
login.
Then if you use the bookmark it will go straight to the application if you are already
logged in. If you are not logged in it presents the login page.
On 8/22/2017 9:03 PM, Matt Evans wrote:
Currently it fails on returning to the client application. Ideally
what they'd want is that it should work, and the authentication be completed in the
client app and they are logged in. I guess that this is not possible with OIDC as
idp-initiated sso isn't supported.
The problem is that the login page is easily bookmarkable. People aren't bookmarking
our client application page, because as soon as they go there they are unauthenticated and
so get immediately redirected to keycloak. The first page of our client application
effectively becomes the keycloak login page with all the query string auth crud that OIDC
adds on, so it's natural that users would bookmark this page to get back to from their
favourites.
I wonder if the best we can do in this situation is perhaps:
1) enable POST, so that the client app can POST the OIDC request and
include the OIDC auth parameters as post body parameters
2) allow a default url to be set in the realm (or a default client?)
3) allow keycloak to redirect to the default url/client if it receives
a GET request on the realm auth endpoint without the required
parameters
Something like this would allow us to configure keycloak to redirect clients that have
bookmarked the url to our main app for the realm to start the OIDC process off and be
redirected back to keycloak with all the OIDC auth params for a login attempt.
-----Original Message-----
From: keycloak-user-bounces(a)lists.jboss.org
[mailto:keycloak-user-bounces@lists.jboss.org] On Behalf Of Stan
Silvert
Sent: Tuesday, 22 August 2017 8:56 PM
To: keycloak-user(a)lists.jboss.org
Subject: Re: [keycloak-user] Bookmarking keycloak login pages
What do they want to happen after they log in?
On 8/21/2017 10:47 PM, Matt Evans wrote:
> We have people that have bookmarked the login page of keycloak so that they can
return there and authenticate, rather than go to the client app page and be redirected.
>
> This doesn't work because the bookmark they have contains time sensitive
information, e.g. the nonce and state etc. So they can authenticate correctly, but when
redirected to the application it fails.
>
> Is there anything that can be done for this situation? I thought perhaps including
the information as post body parameters and doing a post rather than redirecting with
query string parameters, but this doesn't work, POST is not an accepted http method.
Also I assume that returning there from a bookmark won't work either because that post
body information will be missing...
>
> Matt
>
> _______________________________________________
> keycloak-user mailing list
> keycloak-user(a)lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user
_______________________________________________
keycloak-user mailing list
keycloak-user(a)lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-user