When using the OIDC prompt=login URL parameter I’m able to successfully get Keycloak to
force the user to authenticate even if he/she had previously authenticated. But I noticed
that when the user re-authenticates, the session associated with the previous
authentication in Keycloak is being replaced with a new session. This would break the
first client, no?
For example, user authenticates in Keycloak via client1 which established session1 (and
associated RefreshToken1). The user then attempts to access client2 which also redirects
to Keycloak with prompt=login by design. The user as expected is forced to re-authenticate
in Keycloak. Upon successful authentication Keycloak zaps session1 and creates a new user
session (session2 with new associated RefreshToken2) associated with client2.
Now RefreshToken1 in client1, which is associated with session1 in Keycloak, is no longer
valid, and attempts by client1 to get a new access token based on RefreshToken1 will fail,
requiring authentication. Is this expected when using prompt=login? It seems like when
using prompt=login we cannot be using the access token as a bearer token to pass to
downstream resource servers for authentication purposes. This is our primary use case,
i.e. to have the user required to authenticate when they access each client and use the
access token in each client as a bearer token for backend service authentication. Doesn’t
seem like this use case is supported.
Is this the right assessment? Does feel like I’m missing something. Shouldn’t it be possible
to have Keycloak track a user session per client that the user authenticates for?
-sud
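The scenario in the post, replayed as an added example (not Keycloak's own code and not from the poster): a small model of an IdP in which a prompt=login re-authentication replaces the user session, the authorization URL that triggers it, and the check a practitioner would run on real tokens, namely decoding the two refresh tokens and comparing the session id they name. Assumptions, also marked in comments: the realm URL `https://kc.example/realms/demo` and client ids are placeholders; Keycloak refresh tokens are JWTs whose payload carries the user-session id in `session_state` (and `sid` in newer releases) and the requesting client in `azp`; the model mints unsigned JWTs with those claims so the same decoder works on both, which a real deployment must never do.

```python
"""Model of the prompt=login session behaviour described in the post.
Added example; not Keycloak code. Tokens here are unsigned and constructed."""
import base64
import json
import uuid
from urllib.parse import urlencode


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def unsigned_jwt(claims: dict) -> str:
    """Constructed sample token: header.payload with an empty signature.
    Real Keycloak refresh tokens are signed; do not copy this outside a test."""
    header = b64url(json.dumps({"alg": "none", "typ": "JWT"}).encode())
    payload = b64url(json.dumps(claims, separators=(",", ":")).encode())
    return f"{header}.{payload}."


def jwt_claims(token: str) -> dict:
    """Decode a JWT payload WITHOUT verifying it: fine for inspecting your own
    tokens while debugging, never for trusting a token."""
    payload = token.split(".")[1]
    payload += "=" * (-len(payload) % 4)  # restore the stripped padding
    return json.loads(base64.urlsafe_b64decode(payload))


def session_of(token: str):
    """User-session id named by a token. Assumption: Keycloak uses `sid`
    (newer) and/or `session_state`; both are checked, None if neither exists."""
    claims = jwt_claims(token)
    return claims.get("sid") or claims.get("session_state")


def auth_url(issuer: str, client_id: str, redirect_uri: str, state: str,
             force_login: bool) -> str:
    """Authorization request; prompt=login is what forces re-authentication.
    `issuer` is assumed to be the realm URL, e.g. https://kc.example/realms/demo."""
    params = {"client_id": client_id, "response_type": "code", "scope": "openid",
              "redirect_uri": redirect_uri, "state": state}
    if force_login:
        params["prompt"] = "login"
    return f"{issuer}/protocol/openid-connect/auth?{urlencode(params)}"


class ReplacingSessionIdP:
    """One user session per user; a prompt=login re-authentication replaces it
    instead of extending it, which is the behaviour the post describes."""

    def __init__(self):
        self.sessions = {}  # session id -> {"user": ..., "clients": set()}

    def authenticate(self, user: str, client_id: str, force_login: bool = False) -> str:
        current = [sid for sid, s in self.sessions.items() if s["user"] == user]
        if current and not force_login:
            sid = current[0]                 # SSO: reuse the existing session
        else:
            for old in current:
                del self.sessions[old]       # the old session is "zapped"
            sid = uuid.uuid4().hex
            self.sessions[sid] = {"user": user, "clients": set()}
        self.sessions[sid]["clients"].add(client_id)
        return unsigned_jwt({"typ": "Refresh", "azp": client_id, "sub": user,
                             "sid": sid, "session_state": sid})

    def refresh(self, refresh_token: str):
        """Refresh grant: a new access token, or None (the server's invalid_grant)
        when the session the token names no longer exists for that client."""
        claims = jwt_claims(refresh_token)
        sid = session_of(refresh_token)
        if sid not in self.sessions or claims["azp"] not in self.sessions[sid]["clients"]:
            return None
        return f"access-token:{claims['azp']}:{sid}"


def scenario():
    """Replays the post: returns (RefreshToken1 still usable?, same session?)."""
    idp = ReplacingSessionIdP()
    rt1 = idp.authenticate("alice", "client1")                    # session1
    assert idp.refresh(rt1) is not None
    rt2 = idp.authenticate("alice", "client2", force_login=True)  # session2
    return idp.refresh(rt1) is not None, session_of(rt1) == session_of(rt2)


if __name__ == "__main__":
    print(auth_url("https://kc.example/realms/demo", "client2",
                   "https://client2.example/cb", "xyz", force_login=True))
    works, same = scenario()
    print(f"RefreshToken1 still usable: {works}; same session as RefreshToken2: {same}")
```

Against a real Keycloak, `session_of` applied to RefreshToken1 and RefreshToken2 is the quickest way to confirm whether the second login created a new user session or reused the first; if the ids differ, the refresh failure is a consequence of that, not of the bearer-token use downstream.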