[keycloak-user] Bookmarking keycloak login pages

Matt Evans mevans at aconex.com
Thu Aug 24 20:43:01 EDT 2017


We hadn't thought of putting a message on the page. I think that the users have an inclination to bookmark the login page, as they see it as the first page into the application. It's what they're used to with our current application: they bookmark the login page, and then can get back to it and log straight in.

I was thinking that the trick would be to effectively clean up the url for the login page: the parameters could be part of the POST body rather than query string params, or maybe the initial auth resource could just read the params and redirect the browser to the actual login page without them, storing them in the session or something. That would mean that when the user bookmarks the login page the bookmark doesn't contain the extra parameters.

Keycloak could detect requests to the login page when it doesn't have a session or the params stored for the auth request and redirect the browser to, maybe, a url that is configured for the realm, like a default client url. Which would in turn add the right params, and redirect back to keycloak...

I was trying that originally, I can change our app to use POST not redirect and the url then is nice and clean, but keycloak doesn't accept the POST method on the auth resource, and I hadn't gotten into looking to see if that is just a wildfly config thing that I could enable. I thought I'd ask here to see if anyone had any ideas about solving it first.

-----Original Message-----
From: Stan Silvert [mailto:ssilvert at redhat.com] 
Sent: Thursday, 24 August 2017 10:00 PM
To: Matt Evans <mevans at aconex.com>; keycloak-user at lists.jboss.org
Subject: Re: [keycloak-user] Bookmarking keycloak login pages

Thanks.  That's very useful information.  I had no idea that a usability problem like that even existed.  It does make sense though.

Have you tried putting a message on the login page to say, "Don't bookmark this", or do you mean you've just tried to get the word out another way?

It might be possible to put a button on the login page that lets the user bookmark the target application.  We could even add this as a feature of Keycloak if this is a common usability problem. But from my initial research of the subject, doing so can be a little tricky for some browsers.

On 8/23/2017 11:01 PM, Matt Evans wrote:
> Sorry, I'm probably not explaining it clearly enough!
>
> We have end users that have followed these steps, assuming app.example.com is our app and idp.example.com is keycloak:
>
> 1) User opens browser to app.example.com
> 2) app.example.com detects that they are unauthenticated and redirects 
> them to idp.example.com with the appropriate oidc parameters
> 3) idp.example.com keycloak shows the login page, user bookmarks this 
> page so they can return to it later
> 4) user logs in and is redirected back to app.example.com
> 5) later they re-open their browser and go to the bookmark, which 
> takes them directly to keycloak login page with the previous oidc 
> parameters
>
> This seems to be what a lot of our users are doing, and telling them 
> to bookmark app.example.com, or the page at app.example.com that they 
> return to after logging in via keycloak doesn't help
>
> Matt
>
>
> -----Original Message-----
> From: Stan Silvert [mailto:ssilvert at redhat.com]
> Sent: Wednesday, 23 August 2017 10:10 PM
> To: Matt Evans <mevans at aconex.com>; keycloak-user at lists.jboss.org
> Subject: Re: [keycloak-user] Bookmarking keycloak login pages
>
> I don't understand what you are saying about people not bookmarking the client application page "because as soon as they go there they are unauthenticated".
>
> The usual procedure is to log in and then set the bookmark to the main page of the application.  If that main page URL has "auth crud" in it then something is wrong.  They should not bookmark the login page.  They bookmark the page presented after login.
>
> Then if you use the bookmark it will go straight to the application if you are already logged in.  If you are not logged in it presents the login page.
>
>
> On 8/22/2017 9:03 PM, Matt Evans wrote:
>> Currently it fails on returning to the client application. Ideally what they'd want is that it should work, and the authentication be completed in the client app and they are logged in. I guess that this is not possible with OIDC as idp-initiated sso isn't supported.
>>
>> The problem is that the login page is easily bookmarkable. People aren't bookmarking our client application page, because as soon as they go there they are unauthenticated and so get immediately redirected to keycloak. The first page of our client application effectively becomes the keycloak login page with all the query string auth crud that OIDC adds on, so it's natural that users would bookmark this page to get back to from their favourites.
>>
>> I wonder if the best we can do in this situation is perhaps:
>>
>> 1) enable POST, so that the client app can POST the OIDC request and 
>> include the OIDC auth parameters as post body parameters
>> 2) allow a default url to be set in the realm (or a default client?)
>> 3) allow keycloak to redirect to the default url/client if it 
>> receives a GET request on the realm auth endpoint without the 
>> required parameters
>>
>> Something like this would allow us to configure keycloak to redirect clients that have bookmarked the url to our main app for the realm to start the OIDC process off and be redirected back to keycloak with all the OIDC auth params for a login attempt.
>>
>> -----Original Message-----
>> From: keycloak-user-bounces at lists.jboss.org
>> [mailto:keycloak-user-bounces at lists.jboss.org] On Behalf Of Stan 
>> Silvert
>> Sent: Tuesday, 22 August 2017 8:56 PM
>> To: keycloak-user at lists.jboss.org
>> Subject: Re: [keycloak-user] Bookmarking keycloak login pages
>>
>> What do they want to happen after they log in?
>>
>> On 8/21/2017 10:47 PM, Matt Evans wrote:
>>> We have people that have bookmarked the login page of keycloak so that they can return there and authenticate, rather than go to the client app page and be redirected.
>>>
>>> This doesn't work because the bookmark they have contains time sensitive information, e.g. the nonce and state etc. So they can authenticate correctly, but when redirected to the application it fails.
>>>
>>> Is there anything that can be done for this situation? I thought perhaps including the information as post body parameters and doing a post rather than redirecting with query string parameters, but this doesn't work, POST is not an accepted http method. Also I assume that returning there from a bookmark won't work either because that post body information will be missing...
>>>
>>> Matt
>>>
>>> _______________________________________________
>>> keycloak-user mailing list
>>> keycloak-user at lists.jboss.org
>>> https://lists.jboss.org/mailman/listinfo/keycloak-user
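The failure Matt describes in steps 1-5 (a bookmarked Keycloak login URL carries a state and nonce that only the original browser session knows, so Keycloak authenticates the user but the application rejects the callback) can be simulated in a few dozen lines. The following is an added example, not code from this thread, from Keycloak or from Aconex: a toy OIDC relying party in Python with a stand-in for Keycloak that simply echoes `state` back with a code, as the real authorization endpoint does. The endpoint path, realm, client id and the 300-second state lifetime are assumptions. It also implements, on the client-application side, the fallback Matt proposes for Keycloak (an unrecognised request is redirected to the app root so a fresh authorization request is built) rather than showing the user an error. Keycloak's own checks on the incoming request are not modelled.

```python
# Added example (not code from the thread, Keycloak, or Aconex): a simulated OIDC
# relying party showing why a bookmarked login URL breaks at the callback, and the
# "restart from the app root" fallback implemented on the client side.
import secrets
from urllib.parse import urlencode, urlparse, parse_qs

# Hypothetical endpoints and client id; realm and client names are assumptions.
IDP_AUTH_ENDPOINT = "https://idp.example.com/auth/realms/demo/protocol/openid-connect/auth"
APP_ROOT = "https://app.example.com/"
REDIRECT_URI = "https://app.example.com/callback"
CLIENT_ID = "app"
STATE_TTL_SECONDS = 300  # assumed lifetime of a pending authorization request


class BrowserSession:
    """Server-side session keyed by the browser's session cookie (simplified)."""
    def __init__(self):
        self.data = {}


def start_login(session, now):
    """Step 2: the app sees an unauthenticated user and builds the redirect to Keycloak.
    state and nonce are fresh, one-time values bound to this browser session."""
    state = secrets.token_urlsafe(16)
    nonce = secrets.token_urlsafe(16)
    session.data["pending"] = {"state": state, "nonce": nonce, "created": now}
    params = {
        "client_id": CLIENT_ID,
        "response_type": "code",
        "scope": "openid",
        "redirect_uri": REDIRECT_URI,
        "state": state,
        "nonce": nonce,
    }
    return f"{IDP_AUTH_ENDPOINT}?{urlencode(params)}"


def idp_login(auth_url):
    """Steps 3-4, stand-in for Keycloak: the user authenticates and the IdP redirects
    back with a code, echoing whatever state was in the request. The IdP cannot tell
    that the request came from a stale bookmark."""
    q = parse_qs(urlparse(auth_url).query)
    params = {"code": secrets.token_urlsafe(12), "state": q["state"][0]}
    return f"{q['redirect_uri'][0]}?{urlencode(params)}"


def handle_callback(session, callback_url, now):
    """Step 4/5: the app validates state against its own session before using the code."""
    q = parse_qs(urlparse(callback_url).query)
    returned_state = q.get("state", [""])[0] or ""
    pending = session.data.pop("pending", None)  # one-time use: consumed on first callback
    if (pending is None
            or not secrets.compare_digest(pending["state"], returned_state)
            or now - pending["created"] > STATE_TTL_SECONDS):
        # Unknown, already-used or expired state: do not redeem the code. Send the
        # browser to the app root so a fresh authorization request is generated.
        return {"ok": False, "redirect": APP_ROOT}
    # A real RP would now exchange the code for tokens and check pending["nonce"]
    # against the nonce claim in the ID token; omitted here.
    session.data["user"] = "authenticated"
    return {"ok": True, "redirect": None}


def normal_flow(now=1_000_000):
    """Steps 1-4 in one browser session: succeeds."""
    session = BrowserSession()
    callback = idp_login(start_login(session, now))
    return handle_callback(session, callback, now + 5)


def bookmarked_replay(now=1_000_000):
    """Step 5: the user bookmarked the login URL (state/nonce included), logged in,
    and comes back the next day via the bookmark in a new browser session."""
    first = BrowserSession()
    bookmark = start_login(first, now)
    handle_callback(first, idp_login(bookmark), now + 5)  # the original login works
    later = BrowserSession()                               # new session: no pending state
    return handle_callback(later, idp_login(bookmark), now + 86_400)


if __name__ == "__main__":
    print("normal flow:", normal_flow())
    print("bookmarked replay:", bookmarked_replay())
```

Run it and the second call returns a redirect to the app root instead of a login: the IdP stand-in is perfectly happy to authenticate the bookmarked request, exactly as the thread observes, and only the relying party's state check catches it. Whether Keycloak itself redirects, as proposed in the thread, or the application does, the user ends up back at the start of a correct flow rather than at an error page.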