2:01 a.m.
Hello,
I've used keycloak for such the client application that collect a user's
information via API provided by a resource server (e.g. collect balance from bank’s API).
If the user has multiple accounts in the resource server, the client application must
collect information on all these accounts. In order to do this, the client application let
the user conduct an authentication and authorization flow for each account on the same
browser consecutively.
The current keycloak implementation cannot allow a user to login multiple accounts
consecutively and simultaneously on the same browser. Therefore, the user must terminate
and restart the browser every time she or he login on one of his or him accounts, which is
not good for UX perspective. I’ve opened JIRA
(https://issues.jboss.org/browse/KEYCLOAK-9332).
I have an idea to resolve it and contribute its realization hopefully. However, I'm
not sure this idea is appropriate or not. So, I am happy to get some suggestions and
advices on it.
[Idea]
The current (keycloak-4.8.2.Final) keycloak's implementation seems to be as follows:
RootAuthenticationSessionModel class instance has several AuthenticationSessionModel class
instances.
Browser is bounded to RootAuthenticationSessionModel by AUTH_SESSION_ID Cookie and realm.
AuthenticationSessionModel is bounded to Browser's tab by
RootAuthenticationSessionModel, client id, and tab id.
It seems that keycloak allows a user on the same browser to login on the same account for
several clients per browser's tab, and it is good for Web SSO use case. However, it
does not work good for Account Aggregation use case.
My proposal is that suppressing (expiring explicitly) AUTH_SESSION_ID Cookie and its
related Cookies on the client side (not the server side) at the end of an authentication
and authorization flow make the browser new to logging-in onto keycloak every time. Also,
adding a switch to change the operation mode from the ordinal Web SSO mode to the proposed
one (like Securing API mode).
Best Regards
Takashi Norimatsu
Hitachi, Ltd.
9:53 a.m.
Not sure I fully understand what you are after.
Are you basically talking about what Google provides where you can login to
multiple accounts at the same time from the browser with the ability to
select accounts when logging into an application as well as ability to
switch between logged-in accounts from within the application itself?
In case you don't know how Google does it, I'll explain it here:
* Login to Gmail first time
* Gmail has an icon that displays your account details and sign out. This
icon also provides an option to add additional accounts
* Clicking add account redirects to login screen and you can now login
using an additional account
* When using a new application and you are logged-in from multiple accounts
Google displays an account selector where you can select which of the
logged-in accounts to use
If this is what you are after and it's implemented as a complete feature we
can consider it, but if it's something else we need to have further
discussions and see if it is something Keycloak should support or if you
should use a custom authentication flow to achieve it.
On Wed, 16 Jan 2019 at 09:03, 乗松隆志 / NORIMATSU,TAKASHI <
takashi.norimatsu.ws(a)hitachi.com> wrote:
Hello,
I've used keycloak for such the client application that collect a user's
information via API provided by a resource server (e.g. collect balance
from bank’s API).
If the user has multiple accounts in the resource server, the client
application must collect information on all these accounts. In order to do
this, the client application let the user conduct an authentication and
authorization flow for each account on the same browser consecutively.
The current keycloak implementation cannot allow a user to login multiple
accounts consecutively and simultaneously on the same browser. Therefore,
the user must terminate and restart the browser every time she or he login
on one of his or him accounts, which is not good for UX perspective. I’ve
opened JIRA (https://issues.jboss.org/browse/KEYCLOAK-9332).
I have an idea to resolve it and contribute its realization hopefully.
However, I'm not sure this idea is appropriate or not. So, I am happy to
get some suggestions and advices on it.
[Idea]
The current (keycloak-4.8.2.Final) keycloak's implementation seems to be
as follows:
RootAuthenticationSessionModel class instance has several
AuthenticationSessionModel class instances.
Browser is bounded to RootAuthenticationSessionModel by AUTH_SESSION_ID
Cookie and realm.
AuthenticationSessionModel is bounded to Browser's tab by
RootAuthenticationSessionModel, client id, and tab id.
It seems that keycloak allows a user on the same browser to login on the
same account for several clients per browser's tab, and it is good for Web
SSO use case. However, it does not work good for Account Aggregation use
case.
My proposal is that suppressing (expiring explicitly) AUTH_SESSION_ID
Cookie and its related Cookies on the client side (not the server side) at
the end of an authentication and authorization flow make the browser new to
logging-in onto keycloak every time. Also, adding a switch to change the
operation mode from the ordinal Web SSO mode to the proposed one (like
Securing API mode).
Best Regards
Takashi Norimatsu
Hitachi, Ltd.
_______________________________________________
keycloak-dev mailing list
keycloak-dev(a)lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-dev
11:09 p.m.
Thank you for comments. I'm afraid it is not relevant to an external identity provider
directly nor selecting from multiple accounts.
To say shortly, our considering user case is as follows:
In Japan(maybe other countries), there is such the fintech client application that
accesses APIs provided by financial institutions to retrieve some information like
transaction records and balance, and provide its user some useful services like online
automatic housekeeping book, personal financial management, and so on.
It is the case that the user her or himself has multiple accounts on the same bank
(Checking Account, Savings Account, Time Deposit Account, and so on), or the user manages
her or his family member's accounts on the same bank.
If such the user uses this fintech client application for the first time, for this
application to get an access token that is granted, she or he opens a browser, start Authz
Code flow, do authentication and authorization per each account.
In this use case, we need not SSO. We use keycloak only to let a client application get an
access token that is granted by an end user.
For example, a customer (say, Alice) has multiple accounts (say AliceEin, AliceZwei,
AliceDrei) on the keycloak, and want to make the client application (say ClientApp) get
access tokens for each of these accounts (namely, access token granted by AliceEin, access
token granted by AliceZwei, access token granted by AliceDrei).
To do so, this customer opens a browser, start Authz Code flow, do authentication and
authorization per each account. We hope to do it without closing and restarting the
browser.
Procedure is as follows:
1. invoke a browser
2. accesses ClientApp
3. start Authz code flow
4. on keycloak, login as AliceEin
5. tokens for user account "AliceEin" are issued to ClienApp
6. on the same browser, start Authz code flow again
7. on keycloak, login as AliceZwei
8. tokens for user account "AliceZwei" are issued to ClienApp
9. on the same browser, start Authz code flow again
10. on keycloak, login as AliceDrei
11. tokens for user account "AliceDrei" are issued to ClienApp
The expectation is the following:
ClientApp got all in-active access tokens for each user account "AliceEin",
"AliceZwei", and "AliceDrei".
The actual result is the following:
at the procedure 7, keycloak returned the error page saying;
You are already authenticated as different user AliceEin in this session. Please logout
first.
If logout, the access token granted by AliceEin is revoked.
Considering some workaround, Alice close and restart the browser, or use another
browser.
I've recognized that keycloak inherently try to achieve Web SSO, therefore, the result
above is reasonable.
However, in our user case not requiring Web SSO, we would like to achieve the expectation
above.
From: Stian Thorgersen <sthorger(a)redhat.com>
Sent: Friday, January 18, 2019 12:53 AM
To: 乗松隆志 / NORIMATSU,TAKASHI <takashi.norimatsu.ws(a)hitachi.com>
Cc: keycloak-dev(a)lists.jboss.org
Subject: [!]Re: [keycloak-dev] Multiple user login on the same browser for Account
Aggregation application
Not sure I fully understand what you are after.
Are you basically talking about what Google provides where you can login to multiple
accounts at the same time from the browser with the ability to select accounts when
logging into an application as well as ability to switch between logged-in accounts from
within the application itself?
In case you don't know how Google does it, I'll explain it here:
* Login to Gmail first time
* Gmail has an icon that displays your account details and sign out. This icon also
provides an option to add additional accounts
* Clicking add account redirects to login screen and you can now login using an additional
account
* When using a new application and you are logged-in from multiple accounts Google
displays an account selector where you can select which of the logged-in accounts to use
If this is what you are after and it's implemented as a complete feature we can
consider it, but if it's something else we need to have further discussions and see if
it is something Keycloak should support or if you should use a custom authentication flow
to achieve it.
On Wed, 16 Jan 2019 at 09:03, 乗松隆志 / NORIMATSU,TAKASHI
<takashi.norimatsu.ws@hitachi.com<mailto:takashi.norimatsu.ws@hitachi.com>>
wrote:
Hello,
I've used keycloak for such the client application that collect a user's
information via API provided by a resource server (e.g. collect balance from bank’s
API).
If the user has multiple accounts in the resource server, the client application must
collect information on all these accounts. In order to do this, the client application let
the user conduct an authentication and authorization flow for each account on the same
browser consecutively.
The current keycloak implementation cannot allow a user to login multiple accounts
consecutively and simultaneously on the same browser. Therefore, the user must terminate
and restart the browser every time she or he login on one of his or him accounts, which is
not good for UX perspective. I’ve opened JIRA
(https://issues.jboss.org/browse/KEYCLOAK-9332<https://clicktime.symant...).
I have an idea to resolve it and contribute its realization hopefully. However, I'm
not sure this idea is appropriate or not. So, I am happy to get some suggestions and
advices on it.
[Idea]
The current (keycloak-4.8.2.Final) keycloak's implementation seems to be as follows:
RootAuthenticationSessionModel class instance has several AuthenticationSessionModel class
instances.
Browser is bounded to RootAuthenticationSessionModel by AUTH_SESSION_ID Cookie and
realm.
AuthenticationSessionModel is bounded to Browser's tab by
RootAuthenticationSessionModel, client id, and tab id.
It seems that keycloak allows a user on the same browser to login on the same account for
several clients per browser's tab, and it is good for Web SSO use case. However, it
does not work good for Account Aggregation use case.
My proposal is that suppressing (expiring explicitly) AUTH_SESSION_ID Cookie and its
related Cookies on the client side (not the server side) at the end of an authentication
and authorization flow make the browser new to logging-in onto keycloak every time. Also,
adding a switch to change the operation mode from the ordinal Web SSO mode to the proposed
one (like Securing API mode).
Best Regards
Takashi Norimatsu
Hitachi, Ltd.
_______________________________________________
keycloak-dev mailing list
keycloak-dev@lists.jboss.org<mailto:keycloak-dev@lists.jboss.org>
https://lists.jboss.org/mailman/listinfo/keycloak-dev<https://clicktim...
2:17 a.m.
I can see Keycloak adding support for:
* Always requiring login to a specific client, not relying on SSO session.
This can already supported through login=prompt and maximum authentication
time and probably doesn't need anything specific.
* Login to Keycloak with multiple accounts with a way to switch accounts
I don't think what you are after is something we should add directly to
Keycloak, but I believe you can achieve it reasonably easily with a custom
authentication flow.
Keycloak recently added support for the ability to specify a separate flow
for specific clients. That means you can create a new browser flow without
the cookie authenticator and associate with with "ClientApp". This means
that ClientApp will prompt the user for username and password, ignoring the
cookie, while other clients would continue to use the SSO cookie. I think
this will just work as is without any changes needed to Keycloak. It's
probably going to look a bit strange from what open sessions the users has
though.
On Fri, 18 Jan 2019 at 06:09, 乗松隆志 / NORIMATSU,TAKASHI <
takashi.norimatsu.ws(a)hitachi.com> wrote:
Thank you for comments. I'm afraid it is not relevant to an
external
identity provider directly nor selecting from multiple accounts.
To say shortly, our considering user case is as follows:
In Japan(maybe other countries), there is such the fintech client
application that accesses APIs provided by financial institutions to
retrieve some information like transaction records and balance, and provide
its user some useful services like online automatic housekeeping book,
personal financial management, and so on.
It is the case that the user her or himself has multiple accounts on the
same bank (Checking Account, Savings Account, Time Deposit Account, and so
on), or the user manages her or his family member's accounts on the same
bank.
If such the user uses this fintech client application for the first time,
for this application to get an access token that is granted, she or he
opens a browser, start Authz Code flow, do authentication and authorization
per each account.
In this use case, we need not SSO. We use keycloak only to let a client
application get an access token that is granted by an end user.
For example, a customer (say, Alice) has multiple accounts (say AliceEin,
AliceZwei, AliceDrei) on the keycloak, and want to make the client
application (say ClientApp) get access tokens for each of these accounts
(namely, access token granted by AliceEin, access token granted by
AliceZwei, access token granted by AliceDrei).
To do so, this customer opens a browser, start Authz Code flow, do
authentication and authorization per each account. We hope to do it without
closing and restarting the browser.
Procedure is as follows:
1. invoke a browser
2. accesses ClientApp
3. start Authz code flow
4. on keycloak, login as AliceEin
5. tokens for user account "AliceEin" are issued to ClienApp
6. on the same browser, start Authz code flow again
7. on keycloak, login as AliceZwei
8. tokens for user account "AliceZwei" are issued to ClienApp
9. on the same browser, start Authz code flow again
10. on keycloak, login as AliceDrei
11. tokens for user account "AliceDrei" are issued to ClienApp
The expectation is the following:
ClientApp got all in-active access tokens for each user account
"AliceEin", "AliceZwei", and "AliceDrei".
The actual result is the following:
at the procedure 7, keycloak returned the error page saying;
You are already authenticated as different user AliceEin in this session.
Please logout first.
If logout, the access token granted by AliceEin is revoked.
Considering some workaround, Alice close and restart the browser, or use
another browser.
I've recognized that keycloak inherently try to achieve Web SSO,
therefore, the result above is reasonable.
However, in our user case not requiring Web SSO, we would like to achieve
the expectation above.
*From:* Stian Thorgersen <sthorger(a)redhat.com>
*Sent:* Friday, January 18, 2019 12:53 AM
*To:* 乗松隆志 / NORIMATSU,TAKASHI <takashi.norimatsu.ws(a)hitachi.com>
*Cc:* keycloak-dev(a)lists.jboss.org
*Subject:* [!]Re: [keycloak-dev] Multiple user login on the same browser
for Account Aggregation application
Not sure I fully understand what you are after.
Are you basically talking about what Google provides where you can login
to multiple accounts at the same time from the browser with the ability to
select accounts when logging into an application as well as ability to
switch between logged-in accounts from within the application itself?
In case you don't know how Google does it, I'll explain it here:
* Login to Gmail first time
* Gmail has an icon that displays your account details and sign out. This
icon also provides an option to add additional accounts
* Clicking add account redirects to login screen and you can now login
using an additional account
* When using a new application and you are logged-in from multiple
accounts Google displays an account selector where you can select which of
the logged-in accounts to use
If this is what you are after and it's implemented as a complete feature
we can consider it, but if it's something else we need to have further
discussions and see if it is something Keycloak should support or if you
should use a custom authentication flow to achieve it.
On Wed, 16 Jan 2019 at 09:03, 乗松隆志 / NORIMATSU,TAKASHI <
takashi.norimatsu.ws(a)hitachi.com> wrote:
Hello,
I've used keycloak for such the client application that collect a user's
information via API provided by a resource server (e.g. collect balance
from bank’s API).
If the user has multiple accounts in the resource server, the client
application must collect information on all these accounts. In order to do
this, the client application let the user conduct an authentication and
authorization flow for each account on the same browser consecutively.
The current keycloak implementation cannot allow a user to login multiple
accounts consecutively and simultaneously on the same browser. Therefore,
the user must terminate and restart the browser every time she or he login
on one of his or him accounts, which is not good for UX perspective. I’ve
opened JIRA (https://issues.jboss.org/browse/KEYCLOAK-9332
<https://clicktime.symantec.com/3Lvd7ed2QRdLsEq6ziXbHvg7Vc?u=https%3A%2F%2...
).
I have an idea to resolve it and contribute its realization hopefully.
However, I'm not sure this idea is appropriate or not. So, I am happy to
get some suggestions and advices on it.
[Idea]
The current (keycloak-4.8.2.Final) keycloak's implementation seems to be
as follows:
RootAuthenticationSessionModel class instance has several
AuthenticationSessionModel class instances.
Browser is bounded to RootAuthenticationSessionModel by AUTH_SESSION_ID
Cookie and realm.
AuthenticationSessionModel is bounded to Browser's tab by
RootAuthenticationSessionModel, client id, and tab id.
It seems that keycloak allows a user on the same browser to login on the
same account for several clients per browser's tab, and it is good for Web
SSO use case. However, it does not work good for Account Aggregation use
case.
My proposal is that suppressing (expiring explicitly) AUTH_SESSION_ID
Cookie and its related Cookies on the client side (not the server side) at
the end of an authentication and authorization flow make the browser new to
logging-in onto keycloak every time. Also, adding a switch to change the
operation mode from the ordinal Web SSO mode to the proposed one (like
Securing API mode).
Best Regards
Takashi Norimatsu
Hitachi, Ltd.
_______________________________________________
keycloak-dev mailing list
keycloak-dev(a)lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-dev
<https://clicktime.symantec.com/3W4zNBtUkGecLAcJy5U61t97Vc?u=https%3A%2F%2...
2:17 a.m.
Thanks a lot for your advice.
I followed what you had said, but unfortunately, it did not work as what I would like to
do.
- On Browser authentication flow, I made "Cookie" authenticator disabled.
- "login=prompt" was added as the authorization code request's query
parameter.
- After login as AliceEin, I tried to login as AliceZwei on the same browser,
AuthenticationProcessor.attachSession returned the error saying "You are already
authenticated as different user 'AliceEin' in this session. Please logout
first.".
I think that this feature is important for securing API access use case. Therefore, I
would like to implement and contribute this feature onto keycloak without interfering with
existing features (e.g. Web SSO).
----------
From: Stian Thorgersen <sthorger(a)redhat.com>
Sent: Friday, January 18, 2019 5:17 PM
To: 乗松隆志 / NORIMATSU,TAKASHI <takashi.norimatsu.ws(a)hitachi.com>
Cc: keycloak-dev(a)lists.jboss.org
Subject: [!]Re: Re: [keycloak-dev] Multiple user login on the same browser for Account
Aggregation application
I can see Keycloak adding support for:
* Always requiring login to a specific client, not relying on SSO session. This can
already supported through login=prompt and maximum authentication time and probably
doesn't need anything specific.
* Login to Keycloak with multiple accounts with a way to switch accounts
I don't think what you are after is something we should add directly to Keycloak, but
I believe you can achieve it reasonably easily with a custom authentication flow.
Keycloak recently added support for the ability to specify a separate flow for specific
clients. That means you can create a new browser flow without the cookie authenticator and
associate with with "ClientApp". This means that ClientApp will prompt the user
for username and password, ignoring the cookie, while other clients would continue to use
the SSO cookie. I think this will just work as is without any changes needed to Keycloak.
It's probably going to look a bit strange from what open sessions the users has
though.
On Fri, 18 Jan 2019 at 06:09, 乗松隆志 / NORIMATSU,TAKASHI
<mailto:takashi.norimatsu.ws@hitachi.com> wrote:
Thank you for comments. I'm afraid it is not relevant to an external identity provider
directly nor selecting from multiple accounts.
To say shortly, our considering user case is as follows:
In Japan(maybe other countries), there is such the fintech client application that
accesses APIs provided by financial institutions to retrieve some information like
transaction records and balance, and provide its user some useful services like online
automatic housekeeping book, personal financial management, and so on.
It is the case that the user her or himself has multiple accounts on the same bank
(Checking Account, Savings Account, Time Deposit Account, and so on), or the user manages
her or his family member's accounts on the same bank.
If such the user uses this fintech client application for the first time, for this
application to get an access token that is granted, she or he opens a browser, start Authz
Code flow, do authentication and authorization per each account.
In this use case, we need not SSO. We use keycloak only to let a client application get an
access token that is granted by an end user.
For example, a customer (say, Alice) has multiple accounts (say AliceEin, AliceZwei,
AliceDrei) on the keycloak, and want to make the client application (say ClientApp) get
access tokens for each of these accounts (namely, access token granted by AliceEin, access
token granted by AliceZwei, access token granted by AliceDrei).
To do so, this customer opens a browser, start Authz Code flow, do authentication and
authorization per each account. We hope to do it without closing and restarting the
browser.
Procedure is as follows:
1. invoke a browser
2. accesses ClientApp
3. start Authz code flow
4. on keycloak, login as AliceEin
5. tokens for user account "AliceEin" are issued to ClienApp
6. on the same browser, start Authz code flow again
7. on keycloak, login as AliceZwei
8. tokens for user account "AliceZwei" are issued to ClienApp
9. on the same browser, start Authz code flow again
10. on keycloak, login as AliceDrei
11. tokens for user account "AliceDrei" are issued to ClienApp
The expectation is the following:
ClientApp got all in-active access tokens for each user account "AliceEin",
"AliceZwei", and "AliceDrei".
The actual result is the following:
at the procedure 7, keycloak returned the error page saying;
You are already authenticated as different user AliceEin in this session. Please logout
first.
If logout, the access token granted by AliceEin is revoked.
Considering some workaround, Alice close and restart the browser, or use another browser.
I've recognized that keycloak inherently try to achieve Web SSO, therefore, the result
above is reasonable.
However, in our user case not requiring Web SSO, we would like to achieve the expectation
above.
From: Stian Thorgersen <mailto:sthorger@redhat.com>
Sent: Friday, January 18, 2019 12:53 AM
To: 乗松隆志 / NORIMATSU,TAKASHI <mailto:takashi.norimatsu.ws@hitachi.com>
Cc: mailto:keycloak-dev@lists.jboss.org
Subject: [!]Re: [keycloak-dev] Multiple user login on the same browser for Account
Aggregation application
Not sure I fully understand what you are after.
Are you basically talking about what Google provides where you can login to multiple
accounts at the same time from the browser with the ability to select accounts when
logging into an application as well as ability to switch between logged-in accounts from
within the application itself?
In case you don't know how Google does it, I'll explain it here:
* Login to Gmail first time
* Gmail has an icon that displays your account details and sign out. This icon also
provides an option to add additional accounts
* Clicking add account redirects to login screen and you can now login using an additional
account
* When using a new application and you are logged-in from multiple accounts Google
displays an account selector where you can select which of the logged-in accounts to use
If this is what you are after and it's implemented as a complete feature we can
consider it, but if it's something else we need to have further discussions and see if
it is something Keycloak should support or if you should use a custom authentication flow
to achieve it.
On Wed, 16 Jan 2019 at 09:03, 乗松隆志 / NORIMATSU,TAKASHI
<mailto:takashi.norimatsu.ws@hitachi.com> wrote:
Hello,
I've used keycloak for such the client application that collect a user's
information via API provided by a resource server (e.g. collect balance from bank’s API).
If the user has multiple accounts in the resource server, the client application must
collect information on all these accounts. In order to do this, the client application let
the user conduct an authentication and authorization flow for each account on the same
browser consecutively.
The current keycloak implementation cannot allow a user to login multiple accounts
consecutively and simultaneously on the same browser. Therefore, the user must terminate
and restart the browser every time she or he login on one of his or him accounts, which is
not good for UX perspective. I’ve opened JIRA
(https://clicktime.symantec.com/3Lvd7ed2QRdLsEq6ziXbHvg7Vc?u=https%3A%2F%2...).
I have an idea to resolve it and contribute its realization hopefully. However, I'm
not sure this idea is appropriate or not. So, I am happy to get some suggestions and
advices on it.
[Idea]
The current (keycloak-4.8.2.Final) keycloak's implementation seems to be as follows:
RootAuthenticationSessionModel class instance has several AuthenticationSessionModel class
instances.
Browser is bounded to RootAuthenticationSessionModel by AUTH_SESSION_ID Cookie and realm.
AuthenticationSessionModel is bounded to Browser's tab by
RootAuthenticationSessionModel, client id, and tab id.
It seems that keycloak allows a user on the same browser to login on the same account for
several clients per browser's tab, and it is good for Web SSO use case. However, it
does not work good for Account Aggregation use case.
My proposal is that suppressing (expiring explicitly) AUTH_SESSION_ID Cookie and its
related Cookies on the client side (not the server side) at the end of an authentication
and authorization flow make the browser new to logging-in onto keycloak every time. Also,
adding a switch to change the operation mode from the ordinal Web SSO mode to the proposed
one (like Securing API mode).
Best Regards
Takashi Norimatsu
Hitachi, Ltd.
_______________________________________________
keycloak-dev mailing list
mailto:keycloak-dev@lists.jboss.org
https://clicktime.symantec.com/3W4zNBtUkGecLAcJy5U61t97Vc?u=https%3A%2F%2...
2:24 a.m.
At this point I don't see any reason why this should be a feature in
Keycloak. If you can't point me to anything that shows this is generically
needed/uses please do. I believe an account select mechanism like I
described would be able to fill your use-case and also be something that is
useful to others.
If there are smaller tweaks that can be made to allow you to create a
custom flow for what you need that can be considered, but we need to
understand the changes required.
On Mon, 21 Jan 2019 at 09:17, 乗松隆志 / NORIMATSU,TAKASHI <
takashi.norimatsu.ws(a)hitachi.com> wrote:
Thanks a lot for your advice.
I followed what you had said, but unfortunately, it did not work as what I
would like to do.
- On Browser authentication flow, I made "Cookie" authenticator disabled.
- "login=prompt" was added as the authorization code request's query
parameter.
- After login as AliceEin, I tried to login as AliceZwei on the same
browser, AuthenticationProcessor.attachSession returned the error saying
"You are already authenticated as different user 'AliceEin' in this
session. Please logout first.".
I think that this feature is important for securing API access use case.
Therefore, I would like to implement and contribute this feature onto
keycloak without interfering with existing features (e.g. Web SSO).
----------
From: Stian Thorgersen <sthorger(a)redhat.com>
Sent: Friday, January 18, 2019 5:17 PM
To: 乗松隆志 / NORIMATSU,TAKASHI <takashi.norimatsu.ws(a)hitachi.com>
Cc: keycloak-dev(a)lists.jboss.org
Subject: [!]Re: Re: [keycloak-dev] Multiple user login on the same browser
for Account Aggregation application
I can see Keycloak adding support for:
* Always requiring login to a specific client, not relying on SSO session.
This can already supported through login=prompt and maximum authentication
time and probably doesn't need anything specific.
* Login to Keycloak with multiple accounts with a way to switch accounts
I don't think what you are after is something we should add directly to
Keycloak, but I believe you can achieve it reasonably easily with a custom
authentication flow.
Keycloak recently added support for the ability to specify a separate flow
for specific clients. That means you can create a new browser flow without
the cookie authenticator and associate with with "ClientApp". This means
that ClientApp will prompt the user for username and password, ignoring the
cookie, while other clients would continue to use the SSO cookie. I think
this will just work as is without any changes needed to Keycloak. It's
probably going to look a bit strange from what open sessions the users has
though.
On Fri, 18 Jan 2019 at 06:09, 乗松隆志 / NORIMATSU,TAKASHI <mailto:
takashi.norimatsu.ws(a)hitachi.com> wrote:
Thank you for comments. I'm afraid it is not relevant to an external
identity provider directly nor selecting from multiple accounts.
To say shortly, our considering user case is as follows:
In Japan(maybe other countries), there is such the fintech client
application that accesses APIs provided by financial institutions to
retrieve some information like transaction records and balance, and provide
its user some useful services like online automatic housekeeping book,
personal financial management, and so on.
It is the case that the user her or himself has multiple accounts on the
same bank (Checking Account, Savings Account, Time Deposit Account, and so
on), or the user manages her or his family member's accounts on the same
bank.
If such the user uses this fintech client application for the first time,
for this application to get an access token that is granted, she or he
opens a browser, start Authz Code flow, do authentication and authorization
per each account.
In this use case, we need not SSO. We use keycloak only to let a client
application get an access token that is granted by an end user.
For example, a customer (say, Alice) has multiple accounts (say AliceEin,
AliceZwei, AliceDrei) on the keycloak, and want to make the client
application (say ClientApp) get access tokens for each of these accounts
(namely, access token granted by AliceEin, access token granted by
AliceZwei, access token granted by AliceDrei).
To do so, this customer opens a browser, start Authz Code flow, do
authentication and authorization per each account. We hope to do it without
closing and restarting the browser.
Procedure is as follows:
1. invoke a browser
2. accesses ClientApp
3. start Authz code flow
4. on keycloak, login as AliceEin
5. tokens for user account "AliceEin" are issued to ClienApp
6. on the same browser, start Authz code flow again
7. on keycloak, login as AliceZwei
8. tokens for user account "AliceZwei" are issued to ClienApp
9. on the same browser, start Authz code flow again
10. on keycloak, login as AliceDrei
11. tokens for user account "AliceDrei" are issued to ClienApp
The expectation is the following:
ClientApp got all in-active access tokens for each user account
"AliceEin", "AliceZwei", and "AliceDrei".
The actual result is the following:
at the procedure 7, keycloak returned the error page saying;
You are already authenticated as different user AliceEin in this session.
Please logout first.
If logout, the access token granted by AliceEin is revoked.
Considering some workaround, Alice close and restart the browser, or use
another browser.
I've recognized that keycloak inherently try to achieve Web SSO,
therefore, the result above is reasonable.
However, in our user case not requiring Web SSO, we would like to achieve
the expectation above.
From: Stian Thorgersen <mailto:sthorger@redhat.com>
Sent: Friday, January 18, 2019 12:53 AM
To: 乗松隆志 / NORIMATSU,TAKASHI <mailto:takashi.norimatsu.ws@hitachi.com>
Cc: mailto:keycloak-dev@lists.jboss.org
Subject: [!]Re: [keycloak-dev] Multiple user login on the same browser for
Account Aggregation application
Not sure I fully understand what you are after.
Are you basically talking about what Google provides where you can login
to multiple accounts at the same time from the browser with the ability to
select accounts when logging into an application as well as ability to
switch between logged-in accounts from within the application itself?
In case you don't know how Google does it, I'll explain it here:
* Login to Gmail first time
* Gmail has an icon that displays your account details and sign out. This
icon also provides an option to add additional accounts
* Clicking add account redirects to login screen and you can now login
using an additional account
* When using a new application and you are logged-in from multiple
accounts Google displays an account selector where you can select which of
the logged-in accounts to use
If this is what you are after and it's implemented as a complete feature
we can consider it, but if it's something else we need to have further
discussions and see if it is something Keycloak should support or if you
should use a custom authentication flow to achieve it.
On Wed, 16 Jan 2019 at 09:03, 乗松隆志 / NORIMATSU,TAKASHI <mailto:
takashi.norimatsu.ws(a)hitachi.com> wrote:
Hello,
I've used keycloak for such the client application that collect a user's
information via API provided by a resource server (e.g. collect balance
from bank’s API).
If the user has multiple accounts in the resource server, the client
application must collect information on all these accounts. In order to do
this, the client application let the user conduct an authentication and
authorization flow for each account on the same browser consecutively.
The current keycloak implementation cannot allow a user to login multiple
accounts consecutively and simultaneously on the same browser. Therefore,
the user must terminate and restart the browser every time she or he login
on one of his or him accounts, which is not good for UX perspective. I’ve
opened JIRA (
https://clicktime.symantec.com/3Lvd7ed2QRdLsEq6ziXbHvg7Vc?u=https%3A%2F%2...
).
I have an idea to resolve it and contribute its realization hopefully.
However, I'm not sure this idea is appropriate or not. So, I am happy to
get some suggestions and advices on it.
[Idea]
The current (keycloak-4.8.2.Final) keycloak's implementation seems to be
as follows:
RootAuthenticationSessionModel class instance has several
AuthenticationSessionModel class instances.
Browser is bounded to RootAuthenticationSessionModel by AUTH_SESSION_ID
Cookie and realm.
AuthenticationSessionModel is bounded to Browser's tab by
RootAuthenticationSessionModel, client id, and tab id.
It seems that keycloak allows a user on the same browser to login on the
same account for several clients per browser's tab, and it is good for Web
SSO use case. However, it does not work good for Account Aggregation use
case.
My proposal is that suppressing (expiring explicitly) AUTH_SESSION_ID
Cookie and its related Cookies on the client side (not the server side) at
the end of an authentication and authorization flow make the browser new to
logging-in onto keycloak every time. Also, adding a switch to change the
operation mode from the ordinal Web SSO mode to the proposed one (like
Securing API mode).
Best Regards
Takashi Norimatsu
Hitachi, Ltd.
_______________________________________________
keycloak-dev mailing list
mailto:keycloak-dev@lists.jboss.org
https://clicktime.symantec.com/3W4zNBtUkGecLAcJy5U61t97Vc?u=https%3A%2F%2...
2167
days inactive
2172
days old
5 comments
2 participants
participants (2)
-
Stian Thorgersen -
乗松隆志 / NORIMATSU,TAKASHI