[keycloak-user] What is the point of the cancel button on the log-in screen?

Bill Burke bburke at redhat.com
Thu Oct 9 13:02:18 EDT 2014


We would have to remember referrer information somehow via the adapter to 
know where to redirect to.  This cancel redirection URL would be an 
extension to OIDC I think and would require to be validated so that we 
don't create an open redirector security vulnerability.  Maybe we 
should just show a Keycloak rendered error page?


On 10/9/2014 12:46 PM, Stan Silvert wrote:
> I guess I'm stating the obvious, but the cancel button should take you
> back to where you were before being challenged by the login screen.  To
> the extent that is possible, the cancel button should stay.  We should
> never rely on the back button.
>
> I just tried it on our demo and recreated the 400 error.  We should fix
> this if possible.
>
> On 10/9/2014 12:18 PM, Alarik Myrin wrote:
>> At least with the Wildfly adapter, clicking cancel gets you an HTTP 400
>> -- Bad Request on your protected resource, and doing something more
>> graceful would take some thinking.
>>
>> It's not clear to me what *should* happen when clicking cancel.  Users
>> in a browser have a back button, or a button to close the tab, and
>> they can always use that to get out of the login screen.
>>
>> Maybe the cancel button should just be removed?
>>
>> Alarik
>>
>>
>>
>> _______________________________________________
>> keycloak-user mailing list
>> keycloak-user at lists.jboss.org
>> https://lists.jboss.org/mailman/listinfo/keycloak-user
>

-- 
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com
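
The validation this message asks for, as an added example that is not Keycloak code and not part of the original thread: a cancel target is honored only when it exactly matches a redirect URI registered for the client, and anything else falls back to an error page. The class name, the `validate` helper, the registered URIs and the sample inputs are all constructed for illustration.

```java
import java.net.URI;
import java.net.URISyntaxException;
import java.util.List;
import java.util.Locale;
import java.util.Optional;
import java.util.Set;

public class CancelRedirectCheck {
    // Constructed sample: redirect URIs registered for a hypothetical client.
    static final Set<String> REGISTERED = Set.of(
            "https://app.example.com/portal",
            "https://app.example.com/account");

    // Returns the target only if it exactly matches a registered URI; the query is dropped.
    static Optional<String> validate(String candidate) {
        if (candidate == null) return Optional.empty();
        URI uri;
        try {
            uri = new URI(candidate).normalize(); // collapses "." and ".." path segments
        } catch (URISyntaxException e) {
            return Optional.empty();              // e.g. backslashes or spaces
        }
        String scheme = uri.getScheme();
        String host = uri.getHost();
        // Reject relative or scheme-relative values, non-https schemes, userinfo and fragments.
        if (scheme == null || host == null || uri.getRawUserInfo() != null
                || uri.getRawFragment() != null || !scheme.equalsIgnoreCase("https")) {
            return Optional.empty();
        }
        String port = uri.getPort() == -1 ? "" : ":" + uri.getPort();
        String base = "https://" + host.toLowerCase(Locale.ROOT) + port + uri.getRawPath();
        return REGISTERED.contains(base) ? Optional.of(base) : Optional.empty();
    }

    public static void main(String[] args) {
        // Constructed inputs standing in for a cancel-target parameter sent by an adapter.
        List<String> samples = List.of(
                "https://app.example.com/portal",
                "https://app.example.com/portal/../account",
                "https://app.example.com.other.example/portal",
                "https://app.example.com@other.example/portal",
                "//other.example/portal");
        for (String s : samples) {
            String outcome = validate(s).map(t -> "redirect to " + t)
                    .orElse("render error page");
            System.out.println(s + " -> " + outcome);
        }
    }
}
```

Only the first two inputs resolve to a registered URI; the lookalike host, the userinfo form and the scheme-relative value all end at the error page.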

