Hi,
we encountered a problem in a special use case (Keycloak 4.5.0.Final):
We'd like to display a registration button in our application even when
a user (user1) is logged in.
Directly calling the registration form seems to be supported according
to
http://lists.jboss.org/pipermail/keycloak-user/2016-August/007473.html
However, the login after the registration (of user2) fails when user1
was logged in before.
The problem can be reproduced by following these steps:
1. Log user1 into the account app
2. Open the registration form at
https://<host>/auth/realms/<realm>/protocol/openid-connect/registrations?client_id=account&response_type=code&scope=openid+email&redirect_uri=<url_to_account_app>
3. Register user2
4. After registration, this message is shown: "We're sorry...
You are already authenticated as different user <user1> in this
session. Please logout first."
The message contains a link "Back to Application".
However, user1 is not logged in anymore and the link "Back to
Application" leads to the login form.
This situation is not straightforward for a user to resolve: user1 has
to log in again, then log out, and only then is user2 able to log in.
The reason appears to be that opening the registration form in step 2
deletes the cookies KEYCLOAK_IDENTITY and KEYCLOAK_SESSION. However,
the cookie AUTH_SESSION_ID remains unchanged.
To me it seems that opening the registration form should cause a new
AUTH_SESSION_ID to be generated (besides KEYCLOAK_IDENTITY and
KEYCLOAK_SESSION being cleared).
I'd appreciate any thoughts on that!
Best regards,
Marian
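The cookie behaviour described in the report, checked as a small diagnostic. This is an added example, not code from the original mail or from Keycloak; cookie values are constructed, and a Set-Cookie with Max-Age=0 is taken as the server clearing that cookie (an assumption about how deletion is signalled).

```python
from http.cookies import SimpleCookie

# Cookie names Keycloak uses for the browser auth session and the SSO identity.
AUTH_SESSION = "AUTH_SESSION_ID"
IDENTITY = "KEYCLOAK_IDENTITY"
SESSION = "KEYCLOAK_SESSION"


def apply_set_cookies(jar, set_cookie_headers):
    """Return a new cookie jar after applying the given Set-Cookie headers.
    Assumption: a cookie sent with Max-Age=0 is being deleted."""
    jar = dict(jar)
    for header in set_cookie_headers:
        parsed = SimpleCookie()
        parsed.load(header)
        for name, morsel in parsed.items():
            if morsel["max-age"] == "0":
                jar.pop(name, None)
            else:
                jar[name] = morsel.value
    return jar


def check_registration_reset(jar_before, set_cookie_headers):
    """Compare the cookies held before opening the registration form with the
    state after the response; flag the case from the report, where the identity
    and session cookies are cleared but AUTH_SESSION_ID is left unchanged."""
    after = apply_set_cookies(jar_before, set_cookie_headers)
    findings = {
        "identity_cleared": IDENTITY not in after,
        "session_cleared": SESSION not in after,
        "auth_session_rotated": AUTH_SESSION in after
        and after[AUTH_SESSION] != jar_before.get(AUTH_SESSION),
    }
    findings["stale_auth_session"] = (
        findings["identity_cleared"]
        and findings["session_cleared"]
        and not findings["auth_session_rotated"]
    )
    return findings


# Constructed sample: cookies held after user1 logged in (values made up).
JAR_USER1 = {
    AUTH_SESSION: "a1a1a1a1-0000-0000-0000-000000000001",
    IDENTITY: "eyJ.constructed.user1",
    SESSION: "myrealm/1111-2222/a1a1a1a1-0000-0000-0000-000000000001",
}
# Constructed sample: headers as described in the report (identity and session
# cleared, auth session untouched) and the rotation the report expects instead.
SET_COOKIE_OBSERVED = [
    "KEYCLOAK_IDENTITY=; Max-Age=0; Path=/auth/realms/myrealm/; HttpOnly",
    "KEYCLOAK_SESSION=; Max-Age=0; Path=/auth/realms/myrealm/",
]
SET_COOKIE_EXPECTED = SET_COOKIE_OBSERVED + [
    "AUTH_SESSION_ID=b2b2b2b2-0000-0000-0000-000000000002; Path=/auth/realms/myrealm/; HttpOnly",
]
```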