[keycloak-user] sessions when using prompt=login

Sud Ramasamy to_sud at yahoo.com
Tue Feb 6 13:25:12 EST 2018


When using the OIDC prompt=login URL parameter I’m able to successfully get Keycloak to force the user to authenticate even if he/she had previously authenticated. But I noticed that when the user re-authenticates, the session associated with the previous authentication in Keycloak is being replaced with a new session. This would break the first client, no?

For example, user authenticates in Keycloak via client1 which established session1 (and associated RefreshToken1). The user then attempts to access client2 which also redirects to Keycloak with prompt=login by design. The user as expected is forced to re-authenticate in Keycloak. Upon successful authentication Keycloak zaps session1 and creates a new user session (session2 with new associated RefreshToken2) associated with client2.

Now the RefreshToken1 in client1 that is associated to session1 in Keycloak is no longer valid, and attempts by client1 to get a new access token based on RefreshToken1 will fail, requiring authentication. Is this expected when using prompt=login? It seems like when using prompt=login we cannot be using the access token as a bearer token to pass to downstream resource servers for authentication purposes. This is our primary use case, i.e. to have the user required to authenticate when they access each client and use the access token in each client as a bearer token for backend service authentication. Doesn’t seem like this use case is supported.

Is this the right assessment? Does feel like I’m missing something. Shouldn’t it be possible to have Keycloak track a user session per client that the user authenticates for?

-sud
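The following script is an added diagnostic example, not code from the post or from the Keycloak project. It builds the two authorization requests the post describes (client2 with prompt=login, client1 without), reads the user session id (`session_state`) out of each client's token response to show whether the second login replaced the first session, and classifies the token endpoint's reply to a refresh_token grant so client1 can distinguish "my session is gone, send the user back to Keycloak" from a transport error. The base URL, realm, client ids, redirect URIs and the two token responses are constructed assumptions for an offline run; only `refresh()` needs a live Keycloak.

```python
"""Diagnose the prompt=login session-replacement behaviour described in the post.

Assumptions (not from the original message): Keycloak at http://localhost:8080/auth,
realm "demo", confidential clients "client1" and "client2". The token responses used
at the bottom are constructed samples, not real Keycloak output.
"""
import base64
import json
import urllib.error
import urllib.parse
import urllib.request

BASE = "http://localhost:8080/auth"   # assumption: 2018-era Keycloak path prefix
REALM = "demo"                        # assumption


def auth_url(client_id, redirect_uri, state, force_login=False):
    """Authorization request; prompt=login is what forces re-authentication."""
    params = {
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "response_type": "code",
        "scope": "openid",
        "state": state,
    }
    if force_login:
        params["prompt"] = "login"
    return (f"{BASE}/realms/{REALM}/protocol/openid-connect/auth?"
            + urllib.parse.urlencode(params))


def jwt_claims(token):
    """Decode a JWT payload WITHOUT signature verification (diagnostic use only)."""
    payload = token.split(".")[1]
    payload += "=" * (-len(payload) % 4)          # restore base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))


def session_id(token_response):
    """Keycloak token responses carry the user session id as `session_state`;
    fall back to the same claim inside the access token."""
    if "session_state" in token_response:
        return token_response["session_state"]
    return jwt_claims(token_response["access_token"]).get("session_state")


def same_session(resp1, resp2):
    """True if both clients were issued tokens bound to the same user session."""
    return session_id(resp1) == session_id(resp2)


def classify_refresh(status, body):
    """Interpret a token-endpoint reply to a refresh_token grant."""
    if status == 200 and "access_token" in body:
        return "ok"
    if body.get("error") == "invalid_grant":      # RFC 6749: refresh token no longer valid
        return "session_gone"                      # client1 must send the user to Keycloak again
    return "other_error"


def refresh(client_id, client_secret, refresh_token):
    """Perform a real refresh against Keycloak (needs a running server)."""
    data = urllib.parse.urlencode({
        "grant_type": "refresh_token",
        "client_id": client_id,
        "client_secret": client_secret,
        "refresh_token": refresh_token,
    }).encode()
    req = urllib.request.Request(
        f"{BASE}/realms/{REALM}/protocol/openid-connect/token", data=data)
    try:
        with urllib.request.urlopen(req) as r:
            return classify_refresh(r.status, json.load(r))
    except urllib.error.HTTPError as e:
        return classify_refresh(e.code, json.load(e))


def _fake_jwt(claims):
    """Constructed, unsigned JWT for the offline demo (NOT a real Keycloak token)."""
    def enc(d):
        return base64.urlsafe_b64encode(json.dumps(d).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': 'none'})}.{enc(claims)}."


# Constructed sample token responses: session1 for client1, session2 for client2.
SESSION1 = "11111111-1111-1111-1111-111111111111"
SESSION2 = "22222222-2222-2222-2222-222222222222"
TOKENS_CLIENT1 = {"access_token": _fake_jwt({"azp": "client1", "session_state": SESSION1}),
                  "refresh_token": "rt1", "session_state": SESSION1}
TOKENS_CLIENT2 = {"access_token": _fake_jwt({"azp": "client2", "session_state": SESSION2}),
                  "refresh_token": "rt2", "session_state": SESSION2}

if __name__ == "__main__":
    print(auth_url("client1", "https://app1.example/cb", "abc"))
    print(auth_url("client2", "https://app2.example/cb", "xyz", force_login=True))
    print("same user session:", same_session(TOKENS_CLIENT1, TOKENS_CLIENT2))
    # Constructed 400 reply, the shape client1 sees once session1 has been replaced:
    print(classify_refresh(400, {"error": "invalid_grant"}))
```

Run against a real server, compare `session_id()` of the two clients' token responses after the second login; if they differ, the first session was replaced and `refresh("client1", ...)` will return `session_gone`, which the client should handle by starting a fresh authorization request rather than retrying the backend call.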


