[keycloak-dev] kerberos retry issue we talked about
Bill Burke
bburke at redhat.com
Fri Jun 19 10:40:56 EDT 2015
On 6/19/2015 10:08 AM, Marek Posolda wrote:
> Fact is that for production environment using Kerberos (FreeIPA or
> Windows domain backed by ActiveDirectory) the kerberos ticket is usually
> tied to the desktop login of the user, and the user either has it or not. The
> flow with "display the form, then kinit from CMD to obtain kerberos
> ticket and then refresh the page to retry kerberos" is probably
> something more for development use.
>
> From the possibilities, the (a) seems to me slightly better? For
> example if you accidentally have 2 opened tabs with the login form in
> the browser and you log in successfully in tab1, you will have SSO
> cookie, so refresh on tab2 should retry the cookie and log you in
> successfully. In case (b) it won't log you in because cookie won't be
> retried. But not sure if this is not a corner case as well ;-)
>
Ok, we'll reset the client session on a refresh. It's already set up
that way in master.
--
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com