[keycloak-user] Browser not maintaining session for keycloak users
Marek Posolda
mposolda at redhat.com
Fri Aug 24 03:23:29 EDT 2018
Hi,
it seems this may be a bug. Please create JIRA, ideally with reliable
steps to reproduce and your application attached.
Marek
On 24/08/18 09:04, keycloak demo wrote:
> Marek,
>
> I tried one more thing today. Exported entire realm from Keycloak 3.4
> server and imported it in 4.3 server *and I still see the same
> behavior, i.e. even with same realm, session is being maintained in
> keycloak 3.4, whereas with same realm/config the keycloak 4.3
> installation is not maintaining session* (due to absence of
> KEYCLOAK_IDENTITY and KEYCLOAK_SESSION cookie in case of 4.x)
>
> (Again, both the keycloak 3.4.3 and 4.3.0 are on same machine. Client
> app is also on same machine. Accessed from same browser. Realm +
> client is also same in above test and yet the 2 installations show
> different behavior)
>
> On Thu, Aug 23, 2018 at 3:34 PM keycloak demo <testoauth55 at gmail.com
> <mailto:testoauth55 at gmail.com>> wrote:
>
> Marek,
>
> Proxy/Load balancer are not being used and I am accessing keycloak
> directly. In fact both 3.4.3 version and 4.X version are running
> on same machine and are accessed through same browser locally via
> http://localhost:<port>/auth by apps.
>
> So the only difference the 2 instances (3.x and 4.x) have is
> different port numbers (which won't make any difference anyway)
> and yet they show different behavior in terms of setting cookies.
>
> I assume the absence of KEYCLOAK_IDENTITY and KEYCLOAK_SESSION
> cookie would be the reason for session not getting maintained.
>
>
> On Thu, Aug 23, 2018 at 1:04 PM Marek Posolda <mposolda at redhat.com
> <mailto:mposolda at redhat.com>> wrote:
>
> Hmm... in your post, I see that cookies KEYCLOAK_IDENTITY and
> KEYCLOAK_SESSION are not present in Keycloak 4.X. Those are
> the cookies which are important for the automatic SSO
> re-authentication.
>
> Those cookies should be added by Keycloak after successful
> first authentication. So at the moment when you first
> authenticate and see the page "You may close this browser window
> and go back to your console application.", the cookies should
> be there. BTW, do you have Keycloak behind some
> proxy/loadbalancer or are you accessing it directly? If you're
> behind proxy/LB, could you try to access Keycloak host
> directly without any proxy/LB involved in between?
>
> Marek
>
> On 23/08/18 07:25, keycloak demo wrote:
>> Thanks Marek for the update,
>>
>> I understand that
>> https://issues.jboss.org/browse/KEYCLOAK-5179 mentions the
>> issue pertaining to message: "You are already logged in". But
>> will the second issue that I reported also be fixed in this bug?
>>
>> /*Issue summary:*/ When a user logs in he is shown the
>> message: "You may close this browser window and go back to
>> your console application.". Now if I open a new tab, the user
>> should be logged in right? But he is shown the login form again.
>>
>> This issue was not coming in Keycloak 3.4.3 and session was
>> being maintained by browser. But I found this issue on 4.1.0
>> and also on 4.3.0. In the 4.x version I see a *KC_RESTART*
>> cookie instead of a *KC_SESSION* cookie in the cookies
>> section, which might be the reason.
>>
>> *Here's the post containing complete details of above issue
>> with screenshots:*
>> https://stackoverflow.com/questions/51592647/keycloak-is-not-maintaining-session-in-browser
>>
>>
>>
>> On Tue, Aug 21, 2018 at 6:08 PM Marek Posolda
>> <mposolda at redhat.com <mailto:mposolda at redhat.com>> wrote:
>>
>> We have opened JIRA for this:
>> https://issues.jboss.org/browse/KEYCLOAK-5179 . Hopefully
>> it's fixed relatively soon in one of the next releases.
>>
>> Marek
>>
>> On 17/08/18 07:47, keycloak demo wrote:
>> > Update:
>> >
>> > Facing the same issue on keycloak 4.3.0.final. I have taken a fresh
>> > instance of keycloak 4.3.0 and created just 2 users, but still facing the
>> > same issue of browser not maintaining session.
>> >
>> > On Mon, Aug 13, 2018 at 12:10 PM, keycloak demo
>> > <testoauth55 at gmail.com <mailto:testoauth55 at gmail.com>> wrote:
>> >
>> >> Can someone please help me on this issue?
>> >>
>> >> On Thu, Aug 9, 2018 at 9:51 AM, keycloak demo
>> >> <testoauth55 at gmail.com <mailto:testoauth55 at gmail.com>> wrote:
>> >>
>> >>> Another update:
>> >>>
>> >>> Though the login form appears every time, if I login with a different
>> >>> user the second time, i.e. launch client app -> login with user1 -> relaunch
>> >>> client app (browser shows login form instead of already logged in message)
>> >>> -> now login with user2,
>> >>>
>> >>> I get the following message:
>> >>> "We're sorry... You are already authenticated as different user 'user1'
>> >>> in this session. Please logout first."
>> >>> If it's able to know another user is logged in, then why is the login form
>> >>> appearing?
>> >>>
>> >>>
>> >>> On Tue, Jul 31, 2018 at 4:58 PM, Test Oauth
>> >>> <testoauth55 at gmail.com <mailto:testoauth55 at gmail.com>> wrote:
>> >>>
>> >>>> An update on my findings: When I checked developer console, I am getting
>> >>>> KC_RESTART cookie in cookies section.
>> >>>>
>> >>>> On Tue, Jul 31, 2018 at 9:34 AM, Test Oauth
>> >>>> <testoauth55 at gmail.com <mailto:testoauth55 at gmail.com>> wrote:
>> >>>>
>> >>>>> Yes sir,
>> >>>>> I followed the doc
>> >>>>> https://www.keycloak.org/docs/latest/securing_apps/index.html#_installed_adapter
>> >>>>> and am seeing the same behavior on Chrome and Firefox.
>> >>>>>
>> >>>>> Also regarding the manual mode, I see the same behavior, i.e. I have to
>> >>>>> re-login for each re-run of the client app.
>> >>>>>
>> >>>>> But if I do this:
>> >>>>>
>> >>>>> System.out.println("Login through manual mode");
>> >>>>> keycloak.loginManual();
>> >>>>> System.out.println("Login through browser");
>> >>>>> keycloak.loginDesktop();
>> >>>>>
>> >>>>> i.e. if I call both modes in the same code or even the same mode twice in
>> >>>>> the same code, then I don't have to re-login for the second call (in the above
>> >>>>> example for loginDesktop). However when I re-run the application, I need to
>> >>>>> re-login. This might be a stupid guess but could these sessions be "java
>> >>>>> object specific"?
>> >>>>>
>> >>>>>
>> >>>>> On Tue, Jul 31, 2018 at 6:14 AM, Dmitry Telegin
>> >>>>> <dt at acutus.pro <mailto:dt at acutus.pro>> wrote:
>> >>>>>
>> >>>>>> Hi,
>> >>>>>>
>> >>>>>> Did you do everything in accordance with the docs?
>> >>>>>> https://www.keycloak.org/docs/latest/securing_apps/index.html#_installed_adapter
>> >>>>>>
>> >>>>>> Do you experience this in "manual" mode too?
>> >>>>>>
>> >>>>>> Cheers,
>> >>>>>> Dmitry Telegin
>> >>>>>> CTO, Acutus s.r.o.
>> >>>>>> Keycloak Consulting and Training
>> >>>>>>
>> >>>>>> Pod lipami street 339/52, 130 00 Prague 3, Czech Republic
>> >>>>>> +42 (022) 888-30-71
>> >>>>>> E-mail: info at acutus.pro <mailto:info at acutus.pro>
>> >>>>>>
>> >>>>>> On Mon, 2018-07-30 at 16:08 +0530, Test Oauth wrote:
>> >>>>>>> I am using openid-connect for authenticating users. After successful
>> >>>>>>> authentication, browser window says:
>> >>>>>>> "Login Successful
>> >>>>>>>
>> >>>>>>> You may close this browser window and go back to your console
>> >>>>>>> application."
>> >>>>>>> However, even without closing the window, if I relaunch my application
>> >>>>>>> (using keycloak.loginDesktop();) even within 10 seconds, still the login
>> >>>>>>> page appears instead of: you are already logged in.
>> >>>>>>>
>> >>>>>>> Browser: Firefox.
>> >>>>>>> _______________________________________________
>> >>>>>>> keycloak-user mailing list
>> >>>>>>> keycloak-user at lists.jboss.org <mailto:keycloak-user at lists.jboss.org>
>> >>>>>>> https://lists.jboss.org/mailman/listinfo/keycloak-user
>> >>>>>
>>
>>
>
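The cookies Marek names above (KEYCLOAK_IDENTITY and KEYCLOAK_SESSION) are what the browser needs for SSO re-authentication, and the reporter's 4.x instance only set KC_RESTART. The following is an added diagnostic, not code from the thread or from the Keycloak project: it takes the Set-Cookie header values copied from the login response (constructed samples below; the realm name "demo" and the cookie values are placeholders) and reports whether the SSO cookies were actually established. Treating KEYCLOAK_IDENTITY as required to be HttpOnly is this check's own assumption.

```python
from http.cookies import SimpleCookie

# Cookie names from the thread: the two SSO cookies Marek names, which the
# 4.x login response in the report did not set.
SSO_COOKIES = ("KEYCLOAK_IDENTITY", "KEYCLOAK_SESSION")

def parse_set_cookie(headers):
    """Map each Set-Cookie header value to its Morsel (value + attributes)."""
    jar = {}
    for raw in headers:
        cookie = SimpleCookie()
        cookie.load(raw)
        jar.update(cookie)
    return jar

def check_sso_cookies(headers):
    """Report which SSO cookies the login response actually established.

    A cookie counts as established only with a non-empty value and no
    Max-Age=0 deletion. Expecting KEYCLOAK_IDENTITY to be HttpOnly is an
    assumption of this check (it carries the identity token), not a fact
    stated in the thread."""
    jar = parse_set_cookie(headers)
    report = {"present": [], "missing": [], "weak": []}
    report["other"] = [n for n in jar if n not in SSO_COOKIES]
    for name in SSO_COOKIES:
        morsel = jar.get(name)
        if morsel is None or morsel.value == "" or morsel["max-age"] == "0":
            report["missing"].append(name)
            continue
        report["present"].append(name)
        if name == "KEYCLOAK_IDENTITY" and not morsel["httponly"]:
            report["weak"].append(f"{name} lacks HttpOnly")
    report["sso_ok"] = not report["missing"]
    return report

# Constructed sample headers modelled on the thread (placeholder values,
# not real tokens): a 3.4-style response with both SSO cookies, and a
# 4.x-style response that only sets the transient KC_RESTART cookie.
HEADERS_34 = [
    "KEYCLOAK_IDENTITY=eyJ.placeholder.identity; Path=/auth/realms/demo/; HttpOnly",
    "KEYCLOAK_SESSION=demo/11111111-2222/33333333-4444; Path=/auth/realms/demo/; Max-Age=36000",
    "KC_RESTART=; Path=/auth/realms/demo/; Max-Age=0; HttpOnly",
]
HEADERS_43 = ["KC_RESTART=eyJ.placeholder.restart; Path=/auth/realms/demo/; HttpOnly"]

if __name__ == "__main__":
    for label, headers in (("3.4.3", HEADERS_34), ("4.3.0", HEADERS_43)):
        print(label, check_sso_cookies(headers))
```

Paste the Set-Cookie values from the browser's developer tools for the final login response; a report with both names under "missing" matches the 4.x symptom described in the thread.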