[keycloak-dev] Why there is extra redirects now

Bill Burke bburke at redhat.com
Fri Nov 13 09:07:39 EST 2015


I'll take another stab at this.

On 11/13/2015 9:02 AM, Bill Burke wrote:
> -------- Forwarded Message --------
> Subject: [keycloak-dev] changes to browser-based flows
> Date: Fri, 16 Oct 2015 10:39:19 -0400
> From: Bill Burke <bburke at redhat.com>
> To: keycloak-dev at lists.jboss.org <keycloak-dev at lists.jboss.org>
>
> FYI:  Not important if you are uninterested in design.
>
> Prior to my last commit if you hit the browser refresh button you would
> either have had the authentication flow completely reset or received an
> error page.  Also, changing the locale on some required actions pages
> would end up in an error condition.
>
> So...To fix this I made some changes to browser based flows:
>
> * After any successful action processing (i.e. a form POST), the browser
> is sent a 302 redirect to a "safer" page.  If you are in the
> authentication phase, then this redirect will be to
> /authenticate?code={code}, registration /register?code={code}, reset
> credentials /reset-credentials?code={code}, required actions
> /required-action?code={code}.  When these URIs are executed, Keycloak
> will figure out where the user is in the flow and render things
> appropriately.
> * After authentication, the browser will be 302 redirected to
> /required-action?code={code}
>
> The reason for these changes is to support when the user clicks the
> browser refresh button.  The refresh button will resubmit the previous
> request.  Prior to this change there were issues with this.  For
> example, previously, if there was a required action and you just logged
> in via username and password, the URI in the browser would still point
> to the username/password page even though the required action page was
> being rendered.  If the refresh button was hit, the previous username
> password POST would be resent to the username/password page, Keycloak
> would say "WTF are you doing?!?" and abort.  There were similar issues
> like this everywhere.
>
> Other things affected by this fix:
> * required actions no longer change the ACTION_KEY or the
> ClientSessionModel.getAction().
> * ClientSessionModel.getAction() will either be AUTHENTICATION,
> REQUIRED_ACTIONS, EXECUTE_ACTIONS, LOGGED_OUT, or OAUTH_GRANT.
> * After authentication, the flow manager will change the action from
> AUTHENTICATION to REQUIRED_ACTIONS.
>
> Overall, this is less performant as there are additional HTTP redirect
> requests being thrown in, but should provide a better user experience.
>

-- 
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com
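The post-redirect-get change the forwarded mail describes, reduced to a runnable simulation. This is an added example, not Keycloak code: a toy flow manager with the AUTHENTICATION and REQUIRED_ACTIONS client-session actions, a browser whose refresh resubmits its previous request, and a `prg` switch so the old in-place rendering and the new 302-to-/required-action behaviour can be compared side by side (the login path, credential, session code and UPDATE_PASSWORD required action are all constructed).

```python
from dataclasses import dataclass, field

# Subset of the ClientSessionModel actions named in the mail.
AUTHENTICATION, REQUIRED_ACTIONS = "AUTHENTICATION", "REQUIRED_ACTIONS"

@dataclass
class ClientSession:
    action: str = AUTHENTICATION
    pending: list = field(default_factory=list)  # required actions still to complete

class FlowManager:
    """Toy server. prg=True: redirect after a successful POST, as in the new flows."""
    def __init__(self, prg):
        self.prg, self.sessions = prg, {}

    def handle(self, method, path, code, form=None):
        sess = self.sessions[code]
        if method == "POST" and path == "/login":
            if sess.action != AUTHENTICATION:      # the "WTF are you doing?!?" case
                return 400, "login POST received after authentication"
            if form["password"] != "hunter2":       # constructed credential
                return 401, "invalid credentials"
            sess.action = REQUIRED_ACTIONS          # flow manager advances the action
            if self.prg:
                return 302, f"/required-action?code={code}"
            return self.render(sess)                # old behaviour: render in place
        if method == "GET" and path == "/required-action":
            if sess.action != REQUIRED_ACTIONS:
                return 400, "unexpected client-session state"
            return self.render(sess)                # idempotent GET: safe to refresh
        return 404, "not found"

    @staticmethod
    def render(sess):
        return 200, f"render {sess.pending[0] if sess.pending else 'login-complete'}"

class Browser:
    """Remembers the last request so refresh() resubmits it, like a real browser."""
    def __init__(self, server):
        self.server, self.last = server, None
    def send(self, method, path, code, form=None):
        self.last = (method, path, code, form)
        status, body = self.server.handle(method, path, code, form)
        if status == 302:                           # follow Location with a GET
            return self.send("GET", body.split("?")[0], code)
        return status, body
    def refresh(self):
        return self.send(*self.last)

def login_then_refresh(prg):
    """Return (response after login, response after a browser refresh)."""
    server = FlowManager(prg)
    code = "c0de"                                   # constructed session code
    server.sessions[code] = ClientSession(pending=["UPDATE_PASSWORD"])
    b = Browser(server)
    first = b.send("POST", "/login", code, {"username": "alice", "password": "hunter2"})
    return first, b.refresh()
```

With `prg=True` the refresh replays the GET and re-renders the same required-action page; with `prg=False` it replays the credential POST against a session that has already moved past AUTHENTICATION and the server aborts.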

