[keycloak-dev] Provide a Link to go Back to The Application on a Timeout

luke at anotherrobbo.com
Wed May 17 21:26:32 EDT 2017


For what it's worth, option 3 is similar to what we have implemented  
in our theme's error.ftl.

Our main use case was for expired email confirmation / password reset  
links (we'd really like to see something done with  
https://issues.jboss.org/browse/KEYCLOAK-3631 so we can increase our  
limits past the SSO idle time but that's another issue!)

We've hardcoded the URL (${msg("attemptLogin", "/auth/realms/" +
realm.name + "/account/applications")}); it would certainly be nice to
have a better way of doing this so the theme doesn't need to know the
URL?

Cheers,

Luke

Quoting Marek Posolda <mposolda at redhat.com>:

> Maybe yes.
>
> There is also the case when the link of login page can be copy/pasted
> somehow and opened in new browser. The KC_RESTART cookie then also won't
> be visible. But this really looks like corner case...
>
> Maybe we can have the combination of 1 and 3? Have the cookie persistent
> and show the page with account management link just if KC_RESTART cookie
> is really unavailable.
>
> Marek
>
> On 17/05/17 15:09, Schuster Sebastian (INST/ESY1) wrote:
>> Wouldn't 1) be a good option as browser restarts are the vast majority
>> compared to history deletion?
>> Even our very restrictive company directives don't clear the browser
>> history on exit while messing around with a lot of my other browser
>> settings...
>>
>> Best regards,
>> Sebastian
>>
>>> -----Original Message-----
>>> From: keycloak-dev-bounces at lists.jboss.org [mailto:keycloak-dev-bounces at lists.jboss.org] On Behalf Of Marek Posolda
>>> Sent: Wednesday, 17 May 2017 11:36
>>> To: keycloak-dev at lists.jboss.org
>>> Subject: [keycloak-dev] Provide a Link to go Back to The Application on a Timeout
>>>
>>> We have the issue that after session timeout, the page "An error occurred,
>>> please login again through your application." can be shown.
>>> This is even worse when there is no link to go back to the application as
>>> users might be confused what to do. Details in
>>> https://issues.jboss.org/browse/KEYCLOAK-4016 .
>>>
>>> This is already handled in many cases as when authentication session is
>>> expired, it is always restarted from the KC_RESTART cookie.
>>>
>>> However there are still cases when this error is shown, which is when the
>>> restart from the cookie failed. This can happen when browser history
>>> (including cookies) was cleared or when user restarted the browser (as the
>>> KC_RESTART cookie is not persistent).
>>>
>>> Some possibilities to solve:
>>> 1) Make the KC_RESTART cookie persistent. That will handle browser restart,
>>> however it won't handle the case when browser history is deleted
>>>
>>> 2) Add client-id to every link as Stefan Baust suggested. Then we can add
>>> the link to client base uri on the page. This is more work with the
>>> possibility of error-prone if we miss to add the client-id to some link.
>>> Also we will be able to provide the link just if client has "base-uri"
>>> configured.
>>>
>>> 3) Add the link to the account management application page. After
>>> successful login will be shown list of applications in account management
>>> and user can click to his favourite application. Message would need to be
>>> changed to something like "An error occurred, please login again through
>>> your application or go to the <link>list of applications<link> and select
>>> your application after login."
>>>
>>> My preference is 3, 2, 1. WDYT? Any other ideas?
>>>
>>> Thanks,
>>> Marek
>>>
>>> _______________________________________________
>>> keycloak-dev mailing list
>>> keycloak-dev at lists.jboss.org
>>> https://lists.jboss.org/mailman/listinfo/keycloak-dev