[keycloak-dev] kerberos retry issue we talked about

Stian Thorgersen stian at redhat.com
Thu Jun 18 13:45:28 EDT 2015



----- Original Message -----
> From: "Bill Burke" <bburke at redhat.com>
> To: keycloak-dev at lists.jboss.org
> Sent: Thursday, 18 June, 2015 5:54:02 PM
> Subject: [keycloak-dev] kerberos retry issue we talked about
> 
> Hitting the cancel button works.  Hitting the cancel button sends you
> back to the app, which sends you back to keycloak and starts a new
> client session.  So that would work fine.
> 
> What doesn't work is refreshing the page.  Kerberos won't be attempted
> again.  Would it be ok that any browser page refresh might completely
> reset the authentication flow and the user has to re-login?  If so, I
> think I have a solution to the problem, but it would take quite a bit of
> refactoring of the auth SPI... Not another two months of work :)  But
> probably another few days or a week.

As long as the user is actively refreshing the page that works, but I wonder if there are cases where it could break things. For example, if there's high load on the system and some requests time out, then when the user retries the request they end up at the beginning of the login flow again.

Why could it not just continue the flow at the step it's on? Basically, a challenge wouldn't count as moving on. So when the password authenticator sends the challenge for the first request, you'd still be on stage 0 when the user refreshes the page.

> 
> --
> Bill Burke
> JBoss, a division of Red Hat
> http://bill.burkecentral.com
> _______________________________________________
> keycloak-dev mailing list
> keycloak-dev at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-dev
> 
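To make the three options in this exchange concrete (the observed "a challenge already moves on" behaviour, Bill's "any refresh resets the flow", and Stian's "a challenge is not moving on"), here is an added toy model in Python; it is not Keycloak code or its auth SPI, and the stand-in authenticators, request dicts, policy names and credential values are all constructed for illustration.

```python
from dataclasses import dataclass
CHALLENGE, SUCCESS, FAILURE = "challenge", "success", "failure"

def kerberos(req):
    """SPNEGO stand-in: Negotiate challenge first; then a ticket (success) or none (failure)."""
    if "negotiate" not in req:
        return CHALLENGE
    return SUCCESS if req["negotiate"] == "valid-ticket" else FAILURE  # constructed value

def password(req):
    """Form-login stand-in: no password yet means render the form, i.e. a challenge."""
    if "password" not in req:
        return CHALLENGE
    return SUCCESS if req["password"] == "correct" else CHALLENGE  # constructed value

FLOW = [kerberos, password]  # Kerberos first, the password form as fallback

@dataclass
class ClientSession:
    policy: str  # "challenge_advances", "reset_on_refresh" or "challenge_stays"
    stage: int = 0  # index into FLOW of the authenticator this session is on
    authenticated: bool = False

    def handle(self, req):  # req: the browser's request as a dict (empty = plain refresh)
        if self.policy == "reset_on_refresh" and not req:
            self.stage = 0  # Bill's option: any refresh restarts the whole flow
        result = FLOW[self.stage](req)
        if result == SUCCESS:
            self.authenticated = True
        elif result == FAILURE and self.stage + 1 < len(FLOW):
            self.stage += 1  # this authenticator gave up; fall through to the next
        elif (result == CHALLENGE and self.policy == "challenge_advances"
              and self.stage + 1 < len(FLOW)):
            self.stage += 1  # assumed cause of "Kerberos won't be attempted again"
        return result

def refresh_then_ticket(policy):
    """Refresh the challenge page, then answer with a ticket: does Kerberos still log you in?"""
    s = ClientSession(policy)
    s.handle({}); s.handle({})  # first GET, then the user hits refresh
    s.handle({"negotiate": "valid-ticket"})
    return s.authenticated

def timeout_retry_keeps_place(policy):
    """Stian's worry: Kerberos failed, user is on the form, then a timed-out request is retried with no credentials."""
    s = ClientSession(policy)
    s.handle({}); s.handle({"negotiate": "no-ticket"})  # Kerberos fails -> form (stage 1)
    s.handle({})  # retried GET after the timeout
    return s.stage == 1
```

Both the reset policy and the "challenge stays" policy let Kerberos succeed after a refresh; only the latter also keeps a user who is already on the password form from being bounced back to Kerberos by a retried request.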