[keycloak-dev] Multiple user login on the same browser for Account Aggregation application

Stian Thorgersen sthorger at redhat.com
Thu Jan 17 10:53:03 EST 2019


Not sure I fully understand what you are after.

Are you basically talking about what Google provides, where you can log in to
multiple accounts at the same time from the browser, with the ability to
select an account when logging into an application as well as the ability to
switch between logged-in accounts from within the application itself?

In case you don't know how Google does it, I'll explain it here:

* Log in to Gmail the first time
* Gmail has an icon that displays your account details and a sign-out option. This
icon also provides an option to add additional accounts
* Clicking "add account" redirects to the login screen and you can now log in
using an additional account
* When you use a new application while logged in to multiple accounts,
Google displays an account selector where you can select which of the
logged-in accounts to use

If this is what you are after and it's implemented as a complete feature we
can consider it, but if it's something else we need to have further
discussions and see if it is something Keycloak should support or if you
should use a custom authentication flow to achieve it.

On Wed, 16 Jan 2019 at 09:03, 乗松隆志 / NORIMATSU,TAKASHI <
takashi.norimatsu.ws at hitachi.com> wrote:

> Hello,
>
> I've used Keycloak for a client application that collects a user's
> information via an API provided by a resource server (e.g. collecting a
> balance from a bank's API).
>
> If the user has multiple accounts in the resource server, the client
> application must collect information on all these accounts. In order to do
> this, the client application lets the user conduct an authentication and
> authorization flow for each account on the same browser consecutively.
>
>
> The current Keycloak implementation does not allow a user to log in to multiple
> accounts consecutively and simultaneously on the same browser. Therefore,
> the user must terminate and restart the browser every time she or he logs in
> to one of her or his accounts, which is not good from a UX perspective. I've
> opened a JIRA issue (https://issues.jboss.org/browse/KEYCLOAK-9332).
>
> I have an idea to resolve it and hopefully contribute its realization.
> However, I'm not sure whether this idea is appropriate or not. So, I am happy
> to get some suggestions and advice on it.
>
> [Idea]
> The current (keycloak-4.8.2.Final) Keycloak implementation seems to be
> as follows:
> A RootAuthenticationSessionModel class instance has several
> AuthenticationSessionModel class instances.
> The browser is bound to a RootAuthenticationSessionModel by the AUTH_SESSION_ID
> cookie and the realm.
> An AuthenticationSessionModel is bound to a browser tab by the
> RootAuthenticationSessionModel, client id, and tab id.
>
> It seems that Keycloak allows a user on the same browser to log in to the
> same account for several clients per browser tab, which is good for the Web
> SSO use case. However, it does not work well for the Account Aggregation use
> case.
>
> My proposal is that suppressing (explicitly expiring) the AUTH_SESSION_ID
> cookie and its related cookies on the client side (not the server side) at
> the end of an authentication and authorization flow makes the browser new to
> logging in to Keycloak every time. Also, add a switch to change the
> operation mode from the ordinary Web SSO mode to the proposed one (like the
> Securing API mode).
>
> Best Regards
> Takashi Norimatsu
> Hitachi, Ltd.
>
> _______________________________________________
> keycloak-dev mailing list
> keycloak-dev at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-dev
>