[keycloak-dev] ui_locales query parameter?
Stan Silvert
ssilvert at redhat.com
Tue Apr 17 11:32:23 EDT 2018
On 4/17/2018 10:05 AM, Marek Posolda wrote:
> On 17/04/18 15:59, Marek Posolda wrote:
>> On 17/04/18 15:00, Stan Silvert wrote:
>>> On 4/16/2018 1:51 PM, Stian Thorgersen wrote:
>>>> kc_locale is only aimed at internal use. You should use ui_locales
>>>> that's the publicly available param.
>>> The problem is that I need the server-side logic associated with
>>> kc_locale. kc_locale will update the cookie and update the UserModel.
>>> ui_locales is just a pass-through back to the application.
>>>
>>> So we can either add kc_locale as a login param in keycloak.js or we
>>> can
>>> add the server-side logic to ui_locales. The simplest is to do the
>>> former. But perhaps we should have been doing the latter all along?
>> IMO the ui_locales parameter shouldn't update the UserModel. It's
>> possible that there would be 2 different applications and both of
>> them will send different values of ui_locales parameter. In that
>> case, when user switch between application1 and application2 (on each
>> SSO login), there will be update to UserModel, which is not good
>> regarding performance IMO.
>>
>> I can see in LocaleHelper.getUserLocale that the order about how the
>> locale is resolved is:
>> 1. kc_locale parameter
>> 2. KEYCLOAK_LOCALE cookie
>> 3. UserModel attribute
>> 4. ui_locales query parameter
>> 5. Accept-Language header
>>
>> Is this order proper or not? AFAIK the first 3 items are used just if
>> user explicitly selects the language on Keycloak login screen (or
>> account mgmt screen). If we put ui_locales up, we will defacto give
>> the control to application to override the localization, which user
>> explicitly chosen on login screen. Do we want to do that? Is it good
>> regarding usability? I think that not, but maybe I am wrong...
> I noticed one more thing, that LocaleHelper is reading just the
> ui_locales parameter. This is not good as the ui_locales parameter is
> available just in very 1st request sent to the login screen, but not
> in subsequent requests. So for example I think that current flow is
> like this:
> - Application sent parameter "ui_locales=cs"
> - Login page is displayed in czech language (assuming user did not
> explicitly set locale before and hence his userModel doesn't have
> filled locale). This is correct behaviour
> - User filled username/password. Now the TOTP page (or any
> requiredActions page for example) is shown. But it is shown in default
> locale as ui_locales query parameter is not available anymore. It is
> just in very 1st request to login screen. This is not correct
> behaviour IMO. The locale "cs" should be used for the rest of whole
> login session.
>
> Am I correct that this workflow is broken?
>
> If yes, the solution might be to add locale as the note to
> AuthenticationSessionModel . And then use the note from
> AuthenticationSessionModel in LocaleHelper instead of ui_locales query
> parameter.
>
> Marek
Here is what the spec says:
Preferred Locales
OPs MUST support requests for preferred languages and scripts for
the user interface and for Claims via the ui_locales and
claims_locales request parameters, as defined in Section 3.1.2
<http://openid.net/specs/openid-connect-core-1_0.html#AuthorizationEndpoint>.
(Note that the minimum level of support required for these
parameters is simply to have their use not result in errors.)
I think you are correct that Keycloak doesn't actually do anything with
the ui_locales param except to possibly use it as the Locale for that
one request. We don't throw an error, so I guess we meet the minimum
level of support?
It looks like kc_locale does what ui_locales was intended for. But the
spec does not tell us exactly what the IDP must do when it sees ui_locales.
>>
>> Marek
>>
>>>
>>>> On 16 April 2018 at 16:06, Stan Silvert <ssilvert at redhat.com
>>>> <mailto:ssilvert at redhat.com>> wrote:
>>>>
>>>> OK.
>>>>
>>>> Does anyone object to adding kc_locale to the login options on
>>>> the
>>>> keycloak.js adapter?
>>>>
>>>>
>>>>
>>>> On 4/16/2018 2:45 AM, Stian Thorgersen wrote:
>>>>> It's a query param defined by OpenID Connect. See
>>>>> http://openid.net/specs/openid-connect-core-1_0.html
>>>>> <http://openid.net/specs/openid-connect-core-1_0.html>. It allows
>>>>> the application to pass a list of req locales in case the
>>>>> application knows it.
>>>>>
>>>>> When doing the redirect login flow the applications should use
>>>>> ui_locales. kc_locale is an internal param and should really
>>>>> only
>>>>> be used by the locale switcher on the login screen.
>>>>>
>>>>> On 16 April 2018 at 02:44, Stan Silvert <ssilvert at redhat.com
>>>>> <mailto:ssilvert at redhat.com>> wrote:
>>>>>
>>>>> Does anyone know what ui_locales is actually used for?
>>>>>
>>>>> I can't find usages except for in the testsuite.
>>>>>
>>>>> The query param used to change locale is kc_locale. Should
>>>>> ui_locales
>>>>> deprecated?
>>>>>
>>>>> Stan
>>>>>
>>>>> _______________________________________________
>>>>> keycloak-dev mailing list
>>>>> keycloak-dev at lists.jboss.org
>>>>> <mailto:keycloak-dev at lists.jboss.org>
>>>>> https://lists.jboss.org/mailman/listinfo/keycloak-dev
>>>>> <https://lists.jboss.org/mailman/listinfo/keycloak-dev>
>>>>>
>>>>>
>>>>
>>> _______________________________________________
>>> keycloak-dev mailing list
>>> keycloak-dev at lists.jboss.org
>>> https://lists.jboss.org/mailman/listinfo/keycloak-dev
>>
>>
>
More information about the keycloak-dev
mailing list