[keycloak-dev] browser refresh and back button issues

Bill Burke bburke at redhat.com
Thu Oct 15 09:20:08 EDT 2015


I'm working on a solution for this stuff.  For browser flows I'm going 
to do a 302 redirect after successful POSTs.  I'm also going to do a 302 
redirect after authentication and before going into the required-actions 
phase.  This will get the browser to a "safe" URL so that, if the refresh 
button is hit, the flow manager can decide what the correct state is.  Back 
button will still result in an error screen though.


On 10/14/2015 1:20 PM, Stian Thorgersen wrote:
> I think a) is ok, but not ideal.
>
> b) however is problematic IMO. In the case of required actions, why not
> just display the next required action associated with the user? That
> would be the equivalent of a.
>
> There's also another bug related to this which is that if you try to
> change the language on a page in the middle of the auth flow it blows up.
>
> On 14 October 2015 at 18:58, Bill Burke <bburke at redhat.com> wrote:
>
>     I've been looking into a couple of "browser refresh" bugs.  Currently,
>     if an HTTP request to the auth flow spi did not match the state of the
>     client session you would
>
>     a) have the flow reset if you were currently in the process of
>     authenticating
>     b) Show an error screen if you aren't currently authenticating (i.e.
>     performing required actions)
>
>     Now I remember why I did it this way.  It is impossible to detect the
>     difference between a browser refresh and somebody hitting the back
>     button and resubmitting a previous form.  Hitting "browser refresh" will
>     resubmit any previous form POST.  So, you have no idea if the user is
>     refreshing the current page or resubmitting after a browser back button.
>
>     So, I think it is best to keep things the way it is now.  Thoughts?
>
>
>     --
>     Bill Burke
>     JBoss, a division of Red Hat
>     http://bill.burkecentral.com
>     _______________________________________________
>     keycloak-dev mailing list
>     keycloak-dev at lists.jboss.org
>     https://lists.jboss.org/mailman/listinfo/keycloak-dev
>
>

-- 
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com
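The Post/Redirect/Get approach described above, as an added toy model (not Keycloak's code and not from this thread): a flow manager accepts a POST only for the execution the client session is actually on, answers every successful POST with a 302 to a safe GET URL, and resolves the correct page from the session on GET, so a refresh re-renders the current step while a back-button resubmit of a stale form still gets the error screen. The step names and the `/auth` and `/app` URLs are constructed for the example.

```python
from dataclasses import dataclass, field

# Constructed toy flow: two authentication steps, then one required action.
AUTH_STEPS = ["username-password", "otp"]
REQUIRED_ACTIONS = ["update-password"]

@dataclass
class ClientSession:
    auth_index: int = 0            # next authentication step to run
    authenticated: bool = False
    actions_left: list = field(default_factory=lambda: list(REQUIRED_ACTIONS))

    def expected_execution(self):
        """The only form submission the flow manager accepts right now."""
        if not self.authenticated:
            return AUTH_STEPS[self.auth_index]
        return self.actions_left[0] if self.actions_left else None

def handle(session, method, form=None):
    """Flow manager for one browser request to /auth; returns (status, body)."""
    expected = session.expected_execution()
    if method == "GET":
        # Safe URL: state comes from the session, so a refresh re-renders the step.
        return (302, "/app") if expected is None else (200, f"form:{expected}")
    if form.get("execution") != expected:
        # Stale form (back button) is indistinguishable from refreshing an old
        # POST, so it still lands on the error screen.
        return (400, "error:stale-execution")
    if not session.authenticated:
        session.auth_index += 1
        if session.auth_index == len(AUTH_STEPS):
            session.authenticated = True  # redirect before required actions
    else:
        session.actions_left.pop(0)
    return (302, "/auth")  # Post/Redirect/Get: browser lands on the safe URL

def run_scenario():
    """Drive one session through the flow, including a refresh and a stale POST."""
    s = ClientSession()
    return [
        handle(s, "GET"),
        handle(s, "POST", {"execution": "username-password"}),
        handle(s, "GET"),
        handle(s, "POST", {"execution": "otp"}),
        handle(s, "GET"),                               # required-actions phase
        handle(s, "GET"),                               # refresh: no resubmit
        handle(s, "POST", {"execution": "otp"}),        # back button + resubmit
        handle(s, "POST", {"execution": "update-password"}),
        handle(s, "GET"),
    ]
```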