[keycloak-dev] new browser back button behavior

Bill Burke bburke at redhat.com
Thu Jan 28 09:47:11 EST 2016


PR is building...

Browser back button will now either restart the flow (and create a new 
client session) or not allow you off your current page depending on the 
protocol and where you are in the flow.

* If your protocol is initiated by a GET request and the back button 
brings you to the 1st rendered page (username/password) this starts a 
new flow
* If your protocol is initiated by a POST request (SAML Post binding) 
things work a bit differently.  This initial post request will redirect 
you to the "authenticate" URL.  Then if your back button brings you to 
the username/password page, you will not see it and just stay on your 
current page.
* If your back button click brings you to the 2nd page in the flow, you 
will just be stuck on your current page.

Try it out.  Hopefully all these refresh and back button issues are done 
now.

Some changes to make this happen:
* The "code" in the URL of the flow used to be generated by hashing the 
current action key, the current action (AUTHENTICATE, REQUIRE_ACTION), 
and the realm secret key.  The action key changed whenever you changed 
the current action...NOW the action key does NOT change for the whole 
flow.  The action key is automatically generated once when you create 
the ClientSession and never changed again.
* Consent page no longer changes the current action to OAUTH_GRANT. 
Consent page is now considered a REQUIRED_ACTION action and treated as 
such.  This was to support back button here too.
* Cache-Control: no-store, must-revalidate, max-age=0  is now set in the 
response for every endpoint on LoginActionsService and any protocol 
entry point.

-- 
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com
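An added example, not code from the mail or from Keycloak: a toy model of the two code-derivation schemes Bill describes. The mail only says the "code" hashes the action key, the current action and the realm secret key; this model assumes an HMAC-SHA256 over (action key, action) keyed with the realm secret, and the `back_button` decision function and the realm secret value are constructed for illustration. The contrast it shows is the one the mail relies on: when the action key rotates per action, a code minted for an earlier page can no longer be recomputed, whereas with a per-flow key the server can still tell which step a stale code belonged to.

```python
"""Toy model of the old vs. new 'code' derivation (illustrative, not Keycloak code)."""
import hashlib
import hmac
import secrets

AUTHENTICATE = "AUTHENTICATE"
REQUIRED_ACTION = "REQUIRED_ACTION"      # consent is now treated as one of these
KNOWN_ACTIONS = (AUTHENTICATE, REQUIRED_ACTION)

# Header the mail says is now set on every LoginActionsService response.
NO_STORE_HEADERS = {"Cache-Control": "no-store, must-revalidate, max-age=0"}


def derive_code(realm_secret: bytes, action_key: bytes, action: str) -> str:
    """HMAC-SHA256 over action_key || action, keyed with the realm secret.
    The HMAC construction is an assumption; the mail only names the three inputs."""
    msg = action_key + b"|" + action.encode()
    return hmac.new(realm_secret, msg, hashlib.sha256).hexdigest()


class OldClientSession:
    """Pre-change behaviour: a fresh action key is generated whenever the
    current action changes, so codes minted under the previous key are orphaned."""

    def __init__(self, realm_secret: bytes):
        self.realm_secret = realm_secret
        self.action = None
        self.action_key = None

    def set_action(self, action: str) -> str:
        self.action = action
        self.action_key = secrets.token_bytes(16)   # rotated per action
        return derive_code(self.realm_secret, self.action_key, action)

    def match(self, code: str):
        """Return the action this code was minted for under the current key, else None."""
        for candidate in KNOWN_ACTIONS:
            expected = derive_code(self.realm_secret, self.action_key, candidate)
            if hmac.compare_digest(code, expected):
                return candidate
        return None


class NewClientSession(OldClientSession):
    """Post-change behaviour: the action key is generated once when the
    ClientSession is created and never changes for the rest of the flow."""

    def __init__(self, realm_secret: bytes):
        super().__init__(realm_secret)
        self.action_key = secrets.token_bytes(16)   # fixed for the whole flow

    def set_action(self, action: str) -> str:
        self.action = action
        return derive_code(self.realm_secret, self.action_key, action)


def back_button(session: OldClientSession, code_from_url: str) -> str:
    """Constructed decision helper: what the server can learn from a code that
    arrives via the browser's back button."""
    minted_for = session.match(code_from_url)
    if minted_for is None:
        return "unverifiable"                 # key is gone; cannot place this code in the flow
    if minted_for == session.action:
        return "current"
    return "stale:" + minted_for              # known earlier step of this same flow


def demo(realm_secret: bytes = b"constructed-realm-secret") -> dict:
    """Walk both schemes through username/password -> required action, then
    replay the code from the first page as a back-button click would."""
    old = OldClientSession(realm_secret)
    old_first = old.set_action(AUTHENTICATE)
    old.set_action(REQUIRED_ACTION)

    new = NewClientSession(realm_secret)
    new_first = new.set_action(AUTHENTICATE)
    new_second = new.set_action(REQUIRED_ACTION)

    return {
        "old_scheme_back": back_button(old, old_first),
        "new_scheme_back": back_button(new, new_first),
        "new_scheme_refresh": back_button(new, new_second),
        "cache_control": NO_STORE_HEADERS["Cache-Control"],
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

Under the rotating-key scheme the replayed code is simply unverifiable; under the per-flow key the server can recognise it as the code for an earlier step and choose to keep the user on the current page, which is the behaviour the mail describes for the second page of the flow.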


