[keycloak-dev] Automatic logout from KC admin console for non-authorized users
Stan Silvert
ssilvert at redhat.com
Tue Feb 3 18:11:44 EST 2015
On 2/3/2015 4:31 AM, Marek Posolda wrote:
> On 3.2.2015 10:15, Stian Thorgersen wrote:
>> ----- Original Message -----
>>> From: "Marek Posolda" <mposolda at redhat.com>
>>> To: keycloak-dev at lists.jboss.org
>>> Sent: Tuesday, 3 February, 2015 10:05:19 AM
>>> Subject: [keycloak-dev] Automatic logout from KC admin console for non-authorized users
>>>
>>> Right now, when a user goes to the Keycloak admin console and doesn't have
>>> access (no admin roles assigned), he is logged out automatically. It's
>>> done by the "whoami" endpoint, which returns 401 in this case.
>> +1000 Logging out the user is just plain stupid, can't believe we do that
> I've created https://issues.jboss.org/browse/KEYCLOAK-1025
>>> Shouldn't we just display some notification like "Forbidden, you
>>> don't have access" instead of automatically logging the user out?
>>>
>>> My point is links between various admin consoles. For example, a user
>>> is logged in to the hawtio admin console and clicks on a link to the Keycloak admin
>>> console. But when he doesn't have access, he is logged out automatically,
>>> which does an SSO logout and logs him out of hawtio as well. To me it looks
>>> like a bit confusing behaviour tbh.
>>>
>>> Also, do we have a plan to add support for referrer in the KC admin console,
>>> similarly to what account mgmt has?
>> I don't think referrer is the correct approach. What about if we add a feature to Keycloak that lets you retrieve all applications a user has access to (where a user has at least one role?) and that has a base url configured for it (maybe this should be changed to default page). Then we can use this information to add an application switcher to all consoles (like Google has, see attachment). This is probably something we should discuss with Management .Next guys though ;)
> Looks like a great solution from a long-term perspective. It's perhaps
> something to discuss with Management .Next to see if other "product
> consoles" are interested in this feature.
+1 There definitely is interest.
>
> Marek
>>> Marek
>>> _______________________________________________
>>> keycloak-dev mailing list
>>> keycloak-dev at lists.jboss.org
>>> https://lists.jboss.org/mailman/listinfo/keycloak-dev
>>>
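The two behaviours discussed in this thread side by side, as an added example that is not part of the thread or of Keycloak's own admin console code: a legacy decision that logs out on any failed "whoami" check, and a proposed one that only sends an unauthenticated user (401) back to login while a forbidden user (403, or an empty role list) gets a notice and keeps the SSO session. The function names, the `{adminRoles: [...]}` body shape and the notice text are assumptions.

```javascript
// Added example, not code from the thread or from Keycloak itself.
// Body shape {adminRoles: [...]} and the notice text are assumptions.

const FORBIDDEN_NOTICE = "Forbidden, you don't have access to the admin console.";

// Behaviour as described in the thread: every failed whoami response is
// treated as "log out". Under SSO that single logout also ends the user's
// session in every other console (e.g. hawtio).
function legacyDecision(status) {
  if (status === 200) return { action: "proceed", logout: false, notice: null };
  return { action: "logout", logout: true, notice: null };
}

// Proposed behaviour: distinguish "no valid session" (401) from "valid
// session, insufficient privileges" (403, or a 200 with no admin roles).
// Only the former goes back to login; neither issues an SSO logout.
function proposedDecision(status, body) {
  if (status === 401) {
    return { action: "reauthenticate", logout: false, notice: null };
  }
  if (status === 403) {
    return { action: "show-forbidden", logout: false, notice: FORBIDDEN_NOTICE };
  }
  if (status === 200) {
    const roles = body && Array.isArray(body.adminRoles) ? body.adminRoles : [];
    if (roles.length === 0) {
      return { action: "show-forbidden", logout: false, notice: FORBIDDEN_NOTICE };
    }
    return { action: "proceed", logout: false, notice: null };
  }
  // Anything else (5xx, network failure mapped to 0) proves neither a dead
  // session nor missing rights: surface it, do not log out.
  return { action: "show-error", logout: false, notice: `whoami failed with status ${status}` };
}

// Constructed whoami responses showing where the two strategies differ.
function compareStrategies() {
  const cases = [
    { status: 401, body: null },                           // session expired
    { status: 403, body: null },                           // no admin roles
    { status: 200, body: { adminRoles: [] } },             // same, via body
    { status: 200, body: { adminRoles: ["view-users"] } }, // has access
  ];
  return cases.map((c) => ({
    status: c.status,
    legacyLogsOut: legacyDecision(c.status).logout,
    proposed: proposedDecision(c.status, c.body).action,
  }));
}
```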