We’ve been working around a lot of usability issues lately with the javascript adapter and the state callback and nonce.

It seems like the library is designed around the assumption that the client always initiates the authorization request, which seems like a good idea, but in practice there’s a decent number of use cases where external applications will initiate an authentication (including bookmarks).

We’re looking at adding a handler before the keycloak initialization to extend the adapter to ignore state and nonce. I know, not super secure, but we tried using the “check-sso” initialization method as a workaround as well, and the iframe session check was overly complicated compared with just handling the code and overriding the needless security. Holding back flashbacks of saml 1.0 with nonce and body hash...
On Aug 24, 2017, at 8:00 AM, Stan Silvert <ssilvert(a)redhat.com> wrote:

Thanks. That's very useful information. I had no idea that a usability problem like that even existed. It does make sense though.

Have you tried putting a message on the login page to say, "Don't bookmark this", or do you mean you've just tried to get the word out another way?

It might be possible to put a button on the login page that lets the user bookmark the target application. We could even add this as a feature of Keycloak if this is a common usability problem. But from my initial research of the subject, doing so can be a little tricky for some browsers.
On 8/23/2017 11:01 PM, Matt Evans wrote:
> Sorry, I'm probably not explaining it clearly enough!
>
> We have end users that have followed these steps, assuming app.example.com is our app and idp.example.com is keycloak:
>
> 1) User opens browser to app.example.com
> 2) app.example.com detects that they are unauthenticated and redirects them to idp.example.com with the appropriate oidc parameters
> 3) idp.example.com keycloak shows the login page, user bookmarks this page so they can return to it later
> 4) user logs in and is redirected back to app.example.com
> 5) later they re-open their browser and go to the bookmark, which takes them directly to keycloak login page with the previous oidc parameters
>
> This seems to be what a lot of our users are doing, and telling them to bookmark app.example.com, or the page at app.example.com that they return to after logging in via keycloak doesn't help
>
> Matt
>
> -----Original Message-----
> From: Stan Silvert [mailto:ssilvert@redhat.com]
> Sent: Wednesday, 23 August 2017 10:10 PM
> To: Matt Evans <mevans(a)aconex.com>; keycloak-user(a)lists.jboss.org
> Subject: Re: [keycloak-user] Bookmarking keycloak login pages
>
> I don't understand what you are saying about people not bookmarking the client application page "because as soon as they go there they are unauthenticated".
>
> The usual procedure is to log in and then set the bookmark to the main page of the application. If that main page URL has "auth crud" in it then something is wrong. They should not bookmark the login page. They bookmark the page presented after login.
>
> Then if you use the bookmark it will go straight to the application if you are already logged in. If you are not logged in it presents the login page.
>
> On 8/22/2017 9:03 PM, Matt Evans wrote:
>> Currently it fails on returning to the client application. Ideally what they'd want is that it should work, and the authentication be completed in the client app and they are logged in. I guess that this is not possible with OIDC as idp-initiated sso isn't supported.
>>
>> The problem is that the login page is easily bookmarkable. People aren't bookmarking our client application page, because as soon as they go there they are unauthenticated and so get immediately redirected to keycloak. The first page of our client application effectively becomes the keycloak login page with all the query string auth crud that OIDC adds on, so it's natural that users would bookmark this page to get back to from their favourites.
>>
>> I wonder if the best we can do in this situation is perhaps:
>>
>> 1) enable POST, so that the client app can POST the OIDC request and include the OIDC auth parameters as post body parameters
>> 2) allow a default url to be set in the realm (or a default client?)
>> 3) allow keycloak to redirect to the default url/client if it receives a GET request on the realm auth endpoint without the required parameters
>>
>> Something like this would allow us to configure keycloak to redirect clients that have bookmarked the url to our main app for the realm to start the OIDC process off and be redirected back to keycloak with all the OIDC auth params for a login attempt.
>>
>> -----Original Message-----
>> From: keycloak-user-bounces(a)lists.jboss.org [mailto:keycloak-user-bounces@lists.jboss.org] On Behalf Of Stan Silvert
>> Sent: Tuesday, 22 August 2017 8:56 PM
>> To: keycloak-user(a)lists.jboss.org
>> Subject: Re: [keycloak-user] Bookmarking keycloak login pages
>>
>> What do they want to happen after they log in?
>>
>> On 8/21/2017 10:47 PM, Matt Evans wrote:
>>> We have people that have bookmarked the login page of keycloak so that they can return there and authenticate, rather than go to the client app page and be redirected.
>>>
>>> This doesn't work because the bookmark they have contains time-sensitive information, e.g. the nonce and state etc. So they can authenticate correctly, but when redirected to the application it fails.
>>>
>>> Is there anything that can be done for this situation? I thought perhaps including the information as post body parameters and doing a post rather than redirecting with query string parameters, but this doesn't work, POST is not an accepted http method. Also I assume that returning there from a bookmark won't work either because that post body information will be missing...
>>>
>>> Matt
>>>
>>> _______________________________________________
>>> keycloak-user mailing list
>>> keycloak-user(a)lists.jboss.org
>>> https://lists.jboss.org/mailman/listinfo/keycloak-user
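An added illustration, not part of any message in this thread and not Keycloak's own adapter code: a minimal Python sketch of how a relying party can handle the stale-bookmark case discussed above (a user logs in via a bookmarked login URL and comes back with a state the application no longer knows) by discarding the code and restarting the authorization request from the application's entry page, rather than switching the state and nonce checks off as the first message considers. The hostnames come from the thread; the realm and endpoint path, the in-memory pending-request store and the function names are assumptions made for this example.

```python
import secrets
from urllib.parse import urlencode, urlparse, parse_qs

# Hosts taken from the thread; the realm and endpoint path are an assumption for this example.
APP_URL = "https://app.example.com/"
AUTH_ENDPOINT = "https://idp.example.com/auth/realms/demo/protocol/openid-connect/auth"

# Constructed in-memory store of pending authorization requests keyed by state.
# A real relying party keeps this in the user's server-side session with an expiry.
PENDING = {}


def start_login(client_id, redirect_uri):
    """Build a fresh authorization request URL with a new state and nonce.

    Returns (url, state, nonce). Every call mints new random values, so a
    bookmarked copy of this URL can never match a later browser session.
    """
    state = secrets.token_urlsafe(16)
    nonce = secrets.token_urlsafe(16)
    # redirect_uri is remembered because it must be repeated on the token request.
    PENDING[state] = {"nonce": nonce, "redirect_uri": redirect_uri}
    params = {
        "response_type": "code",
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "scope": "openid",
        "state": state,
        "nonce": nonce,
    }
    return AUTH_ENDPOINT + "?" + urlencode(params), state, nonce


def handle_callback(callback_url):
    """Decide what to do with a redirect back from the IdP.

    Returns ("exchange", code, expected_nonce) when the state matches a pending
    request (the state is consumed, so it is single use), or ("restart", APP_URL)
    when state or code is missing or the state is unknown. The "restart" path
    is what a stale bookmark produces: the user has just authenticated at the
    IdP, so sending them to the app's entry page starts a new, valid
    authorization request that completes without another login prompt.
    """
    qs = parse_qs(urlparse(callback_url).query)
    state = qs.get("state", [None])[0]
    code = qs.get("code", [None])[0]
    if state is None or code is None:
        return ("restart", APP_URL)
    pending = PENDING.pop(state, None)  # single use: a replay of the same URL restarts
    if pending is None:
        return ("restart", APP_URL)
    return ("exchange", code, pending["nonce"])


def nonce_matches(id_token_claims, expected_nonce):
    """After the code exchange, bind the ID token to the request that asked for it."""
    got = id_token_claims.get("nonce")
    return got is not None and secrets.compare_digest(got, expected_nonce)


if __name__ == "__main__":
    url, state, nonce = start_login("my-app", "https://app.example.com/callback")
    print("send user to:", url)
    callback = f"https://app.example.com/callback?code=abc123&state={state}"
    print(handle_callback(callback))   # legitimate return: ("exchange", ...)
    print(handle_callback(callback))   # same URL reused later, as from a bookmark: ("restart", ...)
```

The point of the "restart" branch is that the application never has to trust a code it did not ask for: an unrecognised state is treated exactly like an unauthenticated first visit, and the fresh round trip to the IdP is invisible to a user who already holds an IdP session.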