[keycloak-dev] advice on back button

Bill Burke bburke at redhat.com
Mon Feb 15 08:49:10 EST 2016


1.9 should solve it.  Basically the back button is "disabled".  Now that 
there are pluggable flows, you should be able to get the behavior you 
want.  If you try out 1.9 ASAP, we can set up the default social login 
flow the way you think it should be.

On 2/15/2016 4:25 AM, Vlastimil Elias wrote:
> Hi,
>
> look at https://issues.jboss.org/browse/ORG-2774 to see why correct
> handling of Back button is necessary ;-)
> Please note that this concrete issue is against Keycloak 1.6, I'm going
> to retest it against KC 1.8 and 1.9 to see if it is resolved or not, but
> it shows how common users behave and what they expect.
>
> I believe that in common flows Back button should work as expected by
> users, not to break common user experience. Simply send user one screen
> back and allow him to correctly perform other actions provided on this
> page. I understand that there may be some flow when this is not possible
> and a bit different behaviour may be used, but these exceptions must be
> carefully considered, not implemented as common rules for all actions.
>
> The bug report also shows that clear Error pages/messages should be
> provided to the users and reasonable action should be provided them to
> recover from error state if possible.
>
> Vlastimil
>
>
> On 26.1.2016 23:36, Bill Burke wrote:
>> The current thinking for browser back button is to set:
>>
>> Cache-Control: no-store, must-revalidate, max-age=0
>>
>> There are possible security issues with this that I don't know if we
>> should do this or not.  Don't know if you remember how ClientSessionCode
>> works, it uses a hash of the client session id and the action key
>> currently stored in the.  When you switch from authentication to
>> required actions, the action key changes.  Now, if you hit the back
>> button on a required action page, it would take you back to an
>> authentication screen.  The code check would fail because the action
>> keys don't match.
>>
>> Do we actually need this action key stuff?  Can we just let the flow
>> manager put the browser in the correct state?  So if an "authenticate"
>> url is hit and the flow is on required actions, just redirect to the
>> required actions URL.   I just worry that this is some sort of security
>> hole somehow.  Maybe we're better off just resetting and restarting the
>> flow entirely.
>>

-- 
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com
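A constructed model of the flow-state check the thread describes, added here for illustration and not Keycloak's own ClientSessionCode: the strict check that fails on a stale code sits beside the redirect alternative Bill asks about, with the session id, secret, stage names and the bookkeeping of old keys all assumed.

```python
import hashlib
import hmac
import secrets
# Constructed model, not Keycloak's own ClientSessionCode: the code in each URL/form
# is an HMAC over the client session id and the action key of the current step.
AUTHENTICATE = "authenticate"
REQUIRED_ACTIONS = "required-actions"

class ClientSession:
    def __init__(self, session_id, secret):
        self.session_id = session_id
        self._secret = secret
        self.stage = AUTHENTICATE
        self.action_key = secrets.token_hex(8)
        self._old_keys = []  # keys of completed steps (assumed bookkeeping)

    def _code_for(self, action_key):
        msg = f"{self.session_id}:{action_key}".encode()
        return hmac.new(self._secret, msg, hashlib.sha256).hexdigest()

    def code(self):
        """Code embedded in the page rendered for the current step."""
        return self._code_for(self.action_key)

    def advance(self, stage):
        """Moving to the next step rotates the action key, as the thread describes."""
        self._old_keys.append(self.action_key)
        self.stage = stage
        self.action_key = secrets.token_hex(8)

    def classify(self, code):
        """'current' for this step, 'stale' for an earlier step of this session, else 'invalid'."""
        if hmac.compare_digest(code, self.code()):
            return "current"
        if any(hmac.compare_digest(code, self._code_for(k)) for k in self._old_keys):
            return "stale"
        return "invalid"

def handle_strict(session, code):
    """Behaviour in the thread: after Back, the old code no longer matches and the check fails."""
    return ("ok", session.stage) if session.classify(code) == "current" else ("error", None)

def handle_redirect(session, code):
    """Alternative from the thread: a stale but genuine code is sent to the current step; a forged one is still rejected."""
    kind = session.classify(code)
    if kind == "current":
        return ("ok", session.stage)
    if kind == "stale":
        return ("redirect", session.stage)
    return ("error", None)
```

Keeping the old keys lets the redirect path tell a replayed page of this session from a code that never belonged to it, which is the distinction behind the "security hole" worry in the quoted message.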


