[keycloak-dev] Provide a Link to go Back to The Application on a Timeout

Marek Posolda mposolda at redhat.com
Thu May 18 03:13:05 EDT 2017


Sorry. What I meant is that if we introduce this, we won't need to put 
the URL into the freemarker template itself, but instead put it in 
UrlBean. You're right that it's probably not here right now, so in your 
theme, you may need to hardcode it in the freemarker theme itself at this 
moment.

Marek

On 18/05/17 09:07, Luke Robinson wrote:
> I did look at using UrlBean because I knew that 
> org.keycloak.forms.account.freemarker.model.UrlBean has 
> getApplicationsUrl() for use in the account theme but I couldn't find 
> anything in the org.keycloak.forms.login.freemarker.model.UrlBean 
> available to error.ftl that would give us what we are after.
>
> We're using RHSSO 7.0 (moving to 7.1 shortly) so things may have 
> changed since 1.9.8 / 2.5.5 but having a quick skim of the code in 
> master now I expect that this is still the case.
>
> Luke
>
>
> Quoting Marek Posolda <mposolda at redhat.com>:
>
>> On 18/05/17 03:26, luke at anotherrobbo.com wrote:
>>> For what it's worth, option 3 is similar to what we have implemented
>>> in our theme's error.ftl.
>>>
>>> Our main use case was for expired email confirmation / password reset
>>> links (we'd really like to see something done with
>>> https://issues.jboss.org/browse/KEYCLOAK-3631 so we can increase our
>>> limits past the SSO idle time but that's another issue!)
>> Good news for you. We introduced action tokens recently and they are in 
>> the latest master. This introduces a separate timeout for admin actions 
>> (among other things). In other words, your use-case from 
>> KEYCLOAK-3631 should already be possible with the latest master and will 
>> be in the 3.2.0 release.
>>>
>>> We've hardcoded the url (${msg("attemptLogin", "/auth/realms/" +
>>> realm.name + "/account/applications")}), it would certainly be nice to
>>> have a better way of doing this so the theme doesn't need to know the
>>> URL?
>> Yes, we already have URLBean, which is used to abstract the URL 
>> creation logic from the freemarker template itself.
>>
>> Marek
>>>
>>> Cheers,
>>>
>>> Luke
>>>
>>> Quoting Marek Posolda <mposolda at redhat.com>:
>>>
>>>> Maybe yes.
>>>>
>>>> There is also the case when the link of the login page can be copy/pasted
>>>> somehow and opened in a new browser. The KC_RESTART cookie then also won't
>>>> be visible. But this really looks like a corner case...
>>>>
>>>> Maybe we can have the combination of 1 and 3? Have the cookie persistent
>>>> and show the page with the account management link just if the KC_RESTART cookie
>>>> is really unavailable.
>>>>
>>>> Marek
>>>>
>>>> On 17/05/17 15:09, Schuster Sebastian (INST/ESY1) wrote:
>>>>> Wouldn't 1) be a good option as browser restarts are the vast
>>>>> majority compared to history deletion?
>>>>> Even our very restrictive company directives don't clear the
>>>>> browser history on exit while messing around
>>>>> with a lot of my other browser settings...
>>>>>
>>>>> Best regards,
>>>>> Sebastian
>>>>>
>>>>>> -----Original Message-----
>>>>>> From: keycloak-dev-bounces at lists.jboss.org [mailto:keycloak-dev-bounces at lists.jboss.org] On Behalf Of Marek Posolda
>>>>>> Sent: Wednesday, 17 May 2017 11:36
>>>>>> To: keycloak-dev at lists.jboss.org
>>>>>> Subject: [keycloak-dev] Provide a Link to go Back to The Application on a Timeout
>>>>>>
>>>>>> We have the issue that after session timeout, the page "An error occurred, please
>>>>>> login again through your application." can be shown.
>>>>>> This is even worse when there is no link to go back to the application, as users
>>>>>> might be confused about what to do. Details in
>>>>>> https://issues.jboss.org/browse/KEYCLOAK-4016 .
>>>>>>
>>>>>> This is already handled in many cases, as when the authentication session is expired, it
>>>>>> is always restarted from the KC_RESTART cookie.
>>>>>>
>>>>>> However, there are still cases when this error is shown, which is when the restart
>>>>>> from the cookie failed. This can happen when browser history (including cookies)
>>>>>> was cleared or when the user restarted the browser (as the KC_RESTART cookie is not
>>>>>> persistent).
>>>>>>
>>>>>> Some possibilities to solve:
>>>>>> 1) Make the KC_RESTART cookie persistent. That will handle browser restart,
>>>>>> however it won't handle the case when browser history is deleted.
>>>>>>
>>>>>> 2) Add client-id to every link as Stefan Baust suggested. Then we can add the link
>>>>>> to the client base uri on the page. This is more work and is error-prone
>>>>>> if we miss adding the client-id to some link.
>>>>>> Also we will be able to provide the link just if the client has "base-uri"
>>>>>> configured.
>>>>>>
>>>>>> 3) Add the link to the account management application page. After successful
>>>>>> login, the list of applications will be shown in account management and the user can click
>>>>>> on his favourite application. The message would need to be changed to something like
>>>>>> "An error occurred, please login again through your application or go to the
>>>>>> <link>list of applications</link> and select your application after login."
>>>>>>
>>>>>> My preference is 3, 2, 1. WDYT? Any other ideas?
>>>>>>
>>>>>> Thanks,
>>>>>> Marek
>>>>>>
>>>>>> _______________________________________________
>>>>>> keycloak-dev mailing list
>>>>>> keycloak-dev at lists.jboss.org
>>>>>> https://lists.jboss.org/mailman/listinfo/keycloak-dev