
List:       keycloak-user
Subject:    [keycloak-user] Login after registration fails when other user was logged in before
From:       Marian.Rainer-Harbach () apa ! at (Rainer-Harbach Marian)
Date:       2018-11-28 8:56:07
Message-ID: 9b3ee83376a977a4a1251adb1a7953fd83c96ee7.camel () apa ! at

Hi,

we encountered a problem in a special use case (Keycloak 4.5.0.Final):
We'd like to display a registration button in our application even when
a user (user1) is logged in.

Directly calling the registration form seems to be supported according
to
http://lists.jboss.org/pipermail/keycloak-user/2016-August/007473.html

However, the login after the registration (of user2) fails when user1
was logged in before.

The problem can be reproduced by following these steps:
1. Log user1 into the account app
2. Open the registration form at
https://<host>/auth/realms/<realm>/protocol/openid-connect/registrations?client_id=account&response_type=code&scope=openid+email&redirect_uri=<url_to_account_app>
3. Register user2
4. After registration, this message is shown: "We're sorry...
You are already authenticated as different user <user1> in this
session. Please logout first."
The message contains a link "Back to Application".

However, user1 is not logged in anymore and the link "Back to
Application" leads to the login form.

This situation is not straightforward for a user to resolve: user1 has
to log in again, then log out, and only then is user2 able to log in. 

The reason appears to be that opening the registration form in step 2
deletes the cookies KEYCLOAK_IDENTITY and KEYCLOAK_SESSION. However,
the cookie AUTH_SESSION_ID remains unchanged.

To me it seems that opening the registration form should cause a new
AUTH_SESSION_ID to be generated (besides KEYCLOAK_IDENTITY and
KEYCLOAK_SESSION being cleared).

I'd appreciate any thoughts on that!

Best regards,
Marian
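
The cookie state described in the message above can be checked from a captured response; the following is an added example, not part of the original post and not Keycloak code. The cookie names come from the message, while the cookie values, the realm name "demo", the header samples and the function names are constructed for illustration.

```python
from http.cookies import SimpleCookie

# Cookie names are the ones named in the message; every value below is constructed.
WATCHED = ("KEYCLOAK_IDENTITY", "KEYCLOAK_SESSION", "AUTH_SESSION_ID")

def classify_cookies(before, set_cookie_headers, watched=WATCHED):
    """Compare the browser's cookies before a request with the response's
    Set-Cookie headers. Each watched cookie is reported as 'cleared',
    'rotated', 'reissued-same-value', 'unchanged' or 'absent'."""
    updates = {}
    for header in set_cookie_headers:
        jar = SimpleCookie()
        jar.load(header)
        for name, morsel in jar.items():
            updates[name] = morsel  # a later header for the same name wins
    states = {}
    for name in watched:
        morsel = updates.get(name)
        if morsel is None:
            states[name] = "unchanged" if name in before else "absent"
        elif morsel.value == "" or morsel["max-age"] == "0":
            states[name] = "cleared"
        elif before.get(name) == morsel.value:
            states[name] = "reissued-same-value"
        else:
            states[name] = "rotated"
    return states

def stale_auth_session(states):
    """True for the state the message describes: identity and session cookies
    were cleared, but the previous AUTH_SESSION_ID is still in the browser."""
    return (states["KEYCLOAK_IDENTITY"] == "cleared"
            and states["KEYCLOAK_SESSION"] == "cleared"
            and states["AUTH_SESSION_ID"] in ("unchanged", "reissued-same-value"))

# Constructed sample: user1's cookies before step 2 of the reproduction.
BEFORE = {"KEYCLOAK_IDENTITY": "user1-identity-token",
          "KEYCLOAK_SESSION": "demo/user1-id/sess-1111",
          "AUTH_SESSION_ID": "sess-1111.node1"}
# Constructed Set-Cookie headers modelling what the message reports for step 2.
EXPIRE = "; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Max-Age=0; Path=/auth/realms/demo/"
OBSERVED = ["KEYCLOAK_IDENTITY=" + EXPIRE + "; HttpOnly", "KEYCLOAK_SESSION=" + EXPIRE]
# Constructed headers modelling the behaviour the poster suggests instead.
PROPOSED = OBSERVED + ["AUTH_SESSION_ID=sess-2222.node1; Path=/auth/realms/demo/; HttpOnly"]

if __name__ == "__main__":
    for label, headers in (("observed", OBSERVED), ("proposed", PROPOSED)):
        states = classify_cookies(BEFORE, headers)
        print(label, states, "stale AUTH_SESSION_ID:", stale_auth_session(states))
```

To use it on a real capture, pass the cookies the browser held before step 2 and the Set-Cookie header values from the registration endpoint's response in place of the constructed samples.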

