[keycloak-dev] new browser back button behavior

Stian Thorgersen sthorger at redhat.com
Mon Feb 1 04:44:45 EST 2016


On 28 January 2016 at 15:47, Bill Burke <bburke at redhat.com> wrote:

> PR is building...
>
> Browser back button will now either restart the flow (and create a new
> client session) or not allow you off your current page depending on the
> protocol and where you are in the flow.
>
> * If your protocol is initiated by a GET request and the back button
> brings you to the 1st rendered page (username/password) this starts a
> new flow
> * If your protocol is initiated by a POST request (SAML Post binding)
> things work a bit differently.  This initial post request will redirect
> you to the "authenticate" URL.  Then if your back button brings you to
> the username/password page, you will not see it and just stay on your
> current page.
> * If your back button click brings you to the 2nd page in the flow, you
> will just be stuck on your current page.
>
> Try it out.  Hopefully all these refresh and back button issues are done
> now.
>
> Some changes to make this happen:
> * The "code" in the URL of the flow used to be generated by hashing the
> current action key, the current action (AUTHENTICATE, REQUIRE_ACTION),
> and the realm secret key.  The action key changed whenever you changed
> the current action...NOW the action key does NOT change for the whole
> flow.  The action key is automatically generated once when you create
> the ClientSession and never changed again.
>

Is the action key even needed then?


> * Consent page no longer changes the current action to OAUTH_GRANT.
> Consent page is now considered a REQUIRED_ACTION action and treated as
> such.  This was to support back button here too.
> * Cache-Control: no-store, must-revalidate, max-age=0  is now set in the
> response for every endpoint on LoginActionsService and any protocol
> entry point.
>
> --
> Bill Burke
> JBoss, a division of Red Hat
> http://bill.burkecentral.com
>
> _______________________________________________
> keycloak-dev mailing list
> keycloak-dev at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-dev
>
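As an added illustration (my own model, not Keycloak's code and not part of this thread), a small Python sketch of the behaviour Bill describes: a flow code derived from a per-ClientSession action key that never changes, the back-button decision rules for GET- and POST-initiated flows, and a check for the Cache-Control value the login endpoints now send. The names ClientSession and handle_submitted_page, the step numbering, and the constructed realm secret are assumptions of the model.

```python
import hashlib
import hmac
import secrets

# Constructed sample value; a real realm secret key is never hard-coded.
REALM_SECRET = b"constructed-realm-secret"
LOGIN_CACHE_CONTROL = "no-store, must-revalidate, max-age=0"


def flow_code(action_key: str, realm_secret: bytes = REALM_SECRET) -> str:
    """Model of the new scheme: the URL code depends only on the per-session
    action key (and the realm secret), so it stays valid for the whole flow."""
    return hmac.new(realm_secret, action_key.encode(), hashlib.sha256).hexdigest()


class ClientSession:
    """One login flow. step 0 is the first rendered page (username/password)."""

    def __init__(self, initiated_by: str) -> None:
        self.initiated_by = initiated_by         # "GET" or "POST" (SAML POST binding)
        self.action_key = secrets.token_hex(16)  # generated once, never changed
        self.step = 0

    def code(self) -> str:
        return flow_code(self.action_key)


def handle_submitted_page(session: ClientSession, page_code: str, page_step: int) -> str:
    """Decide what a (possibly history-replayed) page submission does:
    'reject' for a code that does not belong to this flow, 'proceed' for the
    current page, 'restart' (new ClientSession) or 'stay' for a back-button hit."""
    if not hmac.compare_digest(page_code, session.code()):
        return "reject"
    if page_step == session.step:
        return "proceed"
    if page_step > session.step:
        return "reject"  # a page the flow has not reached yet
    # page_step < session.step: the browser went back in history.
    if page_step == 0 and session.initiated_by == "GET":
        return "restart"
    return "stay"


def cache_control_ok(header_value: str) -> bool:
    """Check that a login-flow response forbids caching as the change requires."""
    directives = {d.strip().lower() for d in header_value.split(",")}
    return {"no-store", "must-revalidate", "max-age=0"} <= directives
```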