Re: [keycloak-user] Kerberos & login, multiple environments with multiple users

I think whether or not session cookies are shared between browser tabs is browser specific, but in Firefox I believe they are shared. You can create separate Firefox "profiles" to get around it: https://bugzilla.mozilla.org/show_bug.cgi?id=117222 ----- Original Message ----- From: "Marek Posolda" <mposolda(a)redhat.com&gt; To: "Dominik Guhr" <pinguwien(a)gmail.com&gt;, "keycloak-user" <keycloak-user(a)lists.jboss.org&gt; Sent: Wednesday, February 28, 2018 3:21:06 PM Subject: Re: [keycloak-user] Kerberos & login, multiple environments with multiple users I am not sure I understand correctly, but generally, Keycloak is browser SSO and being logged in 2 browser tabs in 2 clients as different user is something generally unsupported and can cause various kind of issues. If you want something like this just for development, you can maybe use different realms? Marek On 28/02/18 14:30, Dominik Guhr wrote: > Hi everyone, > > so I've built a custom kerberos authenticator which should, depending on > a querystring, not automatically login. So, when I add &login=manual to > the url, kerberos authenticator starts, checks, and stops. > Now everything is fine when I use this authenticator under normal > conditions, in one tab, but: > > - As a dev, I sometimes have different tabs with different environments > open. e.g. https://urldefense.proofpoint.com/v2/url?u=http-3A__myapp-2Dlocal&d=D... , https://urldefense.proofpoint.com/v2/url?u=http-3A__myapp-2Ddev&d=DwI... - these apps are > different clients in keycloak as well, e.g. my-webapp-local, my-webapp-dev > > Now I get logged in via kerberos in myapp-local, logout in myapp-test > and try to login with different credentials manually in myapp-test. > Then, the AuthenticationProcessor raises the following exception when > doing this with kerberos login-enabled browsers (chrome, ie): > > ===================== > 2018-02-28 09:57:12,236 WARN [org.keycloak.events] (default task-2) > type=LOGIN_ERROR, realmId=myrealm, clientId=my-webapp-dev, userId=null, > ipAddress=10.242.50.137, error=different_user_authenticated, > auth_method=openid-connect, auth_type=code, response_type=code, > redirect_uri=https://urldefense.proofpoint.com/v2/url?u=https-3A__myurl_m... , consent=no_consent_required, > previous_user=f:1661b7a5-933a-4bda-8bb9-6822c7f40211:412997, > code_id=eb950380-511d-41a0-b816-d06b2331569c, response_mode=query > 2018-02-28 09:57:12,236 WARN [org.keycloak.services] (default task-2) > KC-SERVICES0013: Failed authentication: > org.keycloak.services.ErrorPageException: HTTP 500 Internal Server Error > at > org.keycloak.authentication.AuthenticationProcessor.attachSession(AuthenticationProcessor.java:898) > at > org.keycloak.services.managers.AuthenticationManager.finishedRequiredActions(AuthenticationManager.java:796) > at > org.keycloak.authentication.AuthenticationProcessor.authenticationComplete(AuthenticationProcessor.java:951) > at > org.keycloak.authentication.AuthenticationProcessor.authenticate(AuthenticationProcessor.java:724) > at > org.keycloak.protocol.AuthorizationEndpointBase.handleBrowserAuthenticationRequest(AuthorizationEndpointBase.java:145) > at > org.keycloak.protocol.oidc.endpoints.AuthorizationEndpoint.buildAuthorizationCodeAuthorizationResponse(AuthorizationEndpoint.java:395) > at > org.keycloak.protocol.oidc.endpoints.AuthorizationEndpoint.build(AuthorizationEndpoint.java:139) > at sun.reflect.GeneratedMethodAccessor513.invoke(Unknown Source) > at > sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43) > at java.lang.reflect.Method.invoke(Method.java:498) > at > org.jboss.resteasy.core.MethodInjectorImpl.invoke(MethodInjectorImpl.java:140) > at > org.jboss.resteasy.core.ResourceMethodInvoker.invokeOnTarget(ResourceMethodInvoker.java:295) > at > org.jboss.resteasy.core.ResourceMethodInvoker.invoke(ResourceMethodInvoker.java:249) > at > org.jboss.resteasy.core.ResourceLocatorInvoker.invokeOnTargetObject(ResourceLocatorInvoker.java:138) > at > org.jboss.resteasy.core.ResourceLocatorInvoker.invoke(ResourceLocatorInvoker.java:107) > at > org.jboss.resteasy.core.ResourceLocatorInvoker.invokeOnTargetObject(ResourceLocatorInvoker.java:133) > at > org.jboss.resteasy.core.ResourceLocatorInvoker.invoke(ResourceLocatorInvoker.java:101) > at > org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:406) > at > org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:213) > at > org.jboss.resteasy.plugins.server.servlet.ServletContainerDispatcher.service(ServletContainerDispatcher.java:228) > at > org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:56) > at > org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:51) > at javax.servlet.http.HttpServlet.service(HttpServlet.java:790) > at > io.undertow.servlet.handlers.ServletHandler.handleRequest(ServletHandler.java:85) > at > io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:129) > at > org.keycloak.services.filters.KeycloakSessionServletFilter.doFilter(KeycloakSessionServletFilter.java:90) > at > io.undertow.servlet.core.ManagedFilter.doFilter(ManagedFilter.java:61) > at > io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:131) > at > io.undertow.servlet.handlers.FilterHandler.handleRequest(FilterHandler.java:84) > at > io.undertow.servlet.handlers.security.ServletSecurityRoleHandler.handleRequest(ServletSecurityRoleHandler.java:62) > at > io.undertow.servlet.handlers.ServletDispatchingHandler.handleRequest(ServletDispatchingHandler.java:36) > at > org.wildfly.extension.undertow.security.SecurityContextAssociationHandler.handleRequest(SecurityContextAssociationHandler.java:78) > at > io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43) > at > io.undertow.servlet.handlers.security.SSLInformationAssociationHandler.handleRequest(SSLInformationAssociationHandler.java:131) > at > io.undertow.servlet.handlers.security.ServletAuthenticationCallHandler.handleRequest(ServletAuthenticationCallHandler.java:57) > at > io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43) > at > io.undertow.security.handlers.AbstractConfidentialityHandler.handleRequest(AbstractConfidentialityHandler.java:46) > at > io.undertow.servlet.handlers.security.ServletConfidentialityConstraintHandler.handleRequest(ServletConfidentialityConstraintHandler.java:64) > at > io.undertow.security.handlers.AuthenticationMechanismsHandler.handleRequest(AuthenticationMechanismsHandler.java:60) > at > io.undertow.servlet.handlers.security.CachedAuthenticatedSessionHandler.handleRequest(CachedAuthenticatedSessionHandler.java:77) > at > io.undertow.security.handlers.NotificationReceiverHandler.handleRequest(NotificationReceiverHandler.java:50) > at > io.undertow.security.handlers.AbstractSecurityContextAssociationHandler.handleRequest(AbstractSecurityContextAssociationHandler.java:43) > at > io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43) > at > org.wildfly.extension.undertow.security.jacc.JACCContextIdHandler.handleRequest(JACCContextIdHandler.java:61) > at > io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43) > at > org.wildfly.extension.undertow.deployment.GlobalRequestControllerHandler.handleRequest(GlobalRequestControllerHandler.java:68) > at > io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43) > at > io.undertow.servlet.handlers.ServletInitialHandler.handleFirstRequest(ServletInitialHandler.java:292) > at > io.undertow.servlet.handlers.ServletInitialHandler.access$100(ServletInitialHandler.java:81) > at > io.undertow.servlet.handlers.ServletInitialHandler$2.call(ServletInitialHandler.java:138) > at > io.undertow.servlet.handlers.ServletInitialHandler$2.call(ServletInitialHandler.java:135) > at > io.undertow.servlet.core.ServletRequestContextThreadSetupAction$1.call(ServletRequestContextThreadSetupAction.java:48) > at > io.undertow.servlet.core.ContextClassLoaderSetupAction$1.call(ContextClassLoaderSetupAction.java:43) > at > org.wildfly.extension.undertow.security.SecurityContextThreadSetupAction.lambda$create$0(SecurityContextThreadSetupAction.java:105) > at > org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction.lambda$create$0(UndertowDeploymentInfoService.java:1508) > at > org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction.lambda$create$0(UndertowDeploymentInfoService.java:1508) > at > org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction.lambda$create$0(UndertowDeploymentInfoService.java:1508) > at > org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction.lambda$create$0(UndertowDeploymentInfoService.java:1508) > at > io.undertow.servlet.handlers.ServletInitialHandler.dispatchRequest(ServletInitialHandler.java:272) > at > io.undertow.servlet.handlers.ServletInitialHandler.access$000(ServletInitialHandler.java:81) > at > io.undertow.servlet.handlers.ServletInitialHandler$1.handleRequest(ServletInitialHandler.java:104) > at > io.undertow.server.Connectors.executeRootHandler(Connectors.java:326) > at > io.undertow.server.HttpServerExchange$1.run(HttpServerExchange.java:812) > at > java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142) > at > java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617) > at java.lang.Thread.run(Thread.java:745) > > > ================= > and in the browser I get an "unexpected error when handling request to > identity provider" errormsg. > > When doing the same thing in firefox (no kerberos, manual login, open 2 > tabs in 2 different environments and login with different users), I get > at least the errormsg "You are already authenticated as different user > [name] in this session. Please logout first." > > So, my questions are: > - Why is this not possible? > - Is there anything I can do (having a custom authenticator for > kerberos/AD and a custom userstorageprovider for applicationdb) to make > it possible to have different users logged in in different tabs for > different kc-clients in the same realm? > - More specifically: Is there a possibility to use the > AuthenticationProcessor in an SPI without having to make a custom > keycloakbuild and remove the check in line 246/setAuthenticatedUser, or > does this mess up the whole authentication session? > > Would be great to get a hint here. > > Thanks! > > Best regards, > Dominik > _______________________________________________ > keycloak-user mailing list > keycloak-user(a)lists.jboss.org > https://urldefense.proofpoint.com/v2/url?u=https-3A__lists.jboss.org_mail... _______________________________________________ keycloak-user mailing list keycloak-user(a)lists.jboss.org https://urldefense.proofpoint.com/v2/url?u=https-3A__lists.jboss.org_mail...