[keycloak-dev] Multiple user login on the same browser for Account Aggregation application

Stian Thorgersen sthorger at redhat.com
Mon Jan 21 03:24:26 EST 2019


At this point I don't see any reason why this should be a feature in
Keycloak. If you can't point me to anything that shows this is generically
needed/used, please do. I believe an account select mechanism like I
described would be able to fill your use-case and also be something that is
useful to others.

If there are smaller tweaks that can be made to allow you to create a
custom flow for what you need that can be considered, but we need to
understand the changes required.

On Mon, 21 Jan 2019 at 09:17, 乗松隆志 / NORIMATSU,TAKASHI <
takashi.norimatsu.ws at hitachi.com> wrote:

> Thanks a lot for your advice.
>
> I followed what you had said, but unfortunately, it did not work as I
> would like it to.
>
> - On the Browser authentication flow, I disabled the "Cookie" authenticator.
> - "login=prompt" was added as the authorization code request's query
> parameter.
> - After logging in as AliceEin, I tried to log in as AliceZwei on the same
> browser; AuthenticationProcessor.attachSession returned the error saying
> "You are already authenticated as different user 'AliceEin' in this
> session. Please logout first.".
>
> I think that this feature is important for the securing-API-access use case.
> Therefore, I would like to implement and contribute this feature to
> keycloak without interfering with existing features (e.g. Web SSO).
>
> ----------
> From: Stian Thorgersen <sthorger at redhat.com>
> Sent: Friday, January 18, 2019 5:17 PM
> To: 乗松隆志 / NORIMATSU,TAKASHI <takashi.norimatsu.ws at hitachi.com>
> Cc: keycloak-dev at lists.jboss.org
> Subject: [!]Re: Re: [keycloak-dev] Multiple user login on the same browser
> for Account Aggregation application
>
> I can see Keycloak adding support for:
>
> * Always requiring login to a specific client, not relying on SSO session.
> This can already be supported through login=prompt and maximum authentication
> time and probably doesn't need anything specific.
> * Login to Keycloak with multiple accounts with a way to switch accounts
>
> I don't think what you are after is something we should add directly to
> Keycloak, but I believe you can achieve it reasonably easily with a custom
> authentication flow.
>
> Keycloak recently added support for the ability to specify a separate flow
> for specific clients. That means you can create a new browser flow without
> the cookie authenticator and associate it with "ClientApp". This means
> that ClientApp will prompt the user for username and password, ignoring the
> cookie, while other clients would continue to use the SSO cookie. I think
> this will just work as is without any changes needed to Keycloak. It's
> probably going to look a bit strange from what open sessions the user has
> though.
>
> On Fri, 18 Jan 2019 at 06:09, 乗松隆志 / NORIMATSU,TAKASHI <
> takashi.norimatsu.ws at hitachi.com> wrote:
> Thank you for comments. I'm afraid it is not directly related to an external
> identity provider, nor to selecting from multiple accounts.
>
> To put it shortly, the use case we are considering is as follows:
>
> In Japan (and maybe other countries), there are fintech client
> applications that access APIs provided by financial institutions to
> retrieve information like transaction records and balances, and provide
> their users with useful services like an online automatic housekeeping book,
> personal financial management, and so on.
>
> It is the case that the user herself or himself has multiple accounts at the
> same bank (Checking Account, Savings Account, Time Deposit Account, and so
> on), or the user manages her or his family members' accounts at the same
> bank.
>
> When such a user uses this fintech client application for the first time,
> for this application to get a granted access token, she or he
> opens a browser, starts the Authz Code flow, and does authentication and
> authorization for each account.
>
> In this use case, we do not need SSO. We use keycloak only to let a client
> application get an access token that is granted by an end user.
>
> For example, a customer (say, Alice) has multiple accounts (say AliceEin,
> AliceZwei, AliceDrei) on the keycloak, and wants the client
> application (say ClientApp) to get access tokens for each of these accounts
> (namely, an access token granted by AliceEin, an access token granted by
> AliceZwei, and an access token granted by AliceDrei).
>
> To do so, this customer opens a browser, starts the Authz Code flow, and does
> authentication and authorization for each account. We hope to do it without
> closing and restarting the browser.
>
> The procedure is as follows:
> 1. invoke a browser
> 2. access ClientApp
> 3. start Authz code flow
> 4. on keycloak, login as AliceEin
> 5. tokens for user account "AliceEin" are issued to ClientApp
> 6. on the same browser, start Authz code flow again
> 7. on keycloak, login as AliceZwei
> 8. tokens for user account "AliceZwei" are issued to ClientApp
> 9. on the same browser, start Authz code flow again
> 10. on keycloak, login as AliceDrei
> 11. tokens for user account "AliceDrei" are issued to ClientApp
>
> The expectation is the following:
> ClientApp got all in-active access tokens for each user account
> "AliceEin", "AliceZwei", and "AliceDrei".
>
> The actual result is the following:
> at step 7 of the procedure, keycloak returned the error page saying;
> You are already authenticated as different user AliceEin in this session.
> Please logout first.
> If she logs out, the access token granted by AliceEin is revoked.
> As a workaround, Alice closes and restarts the browser, or uses
> another browser.
>
> I've recognized that keycloak inherently tries to achieve Web SSO;
> therefore, the result above is reasonable.
> However, in our use case, which does not require Web SSO, we would like to
> achieve the expectation above.
>
> From: Stian Thorgersen <sthorger at redhat.com>
> Sent: Friday, January 18, 2019 12:53 AM
> To: 乗松隆志 / NORIMATSU,TAKASHI <takashi.norimatsu.ws at hitachi.com>
> Cc: keycloak-dev at lists.jboss.org
> Subject: [!]Re: [keycloak-dev] Multiple user login on the same browser for
> Account Aggregation application
>
> Not sure I fully understand what you are after.
>
> Are you basically talking about what Google provides, where you can log in
> to multiple accounts at the same time from the browser, with the ability to
> select accounts when logging into an application as well as the ability to
> switch between logged-in accounts from within the application itself?
>
> In case you don't know how Google does it, I'll explain it here:
>
> * Log in to Gmail for the first time
> * Gmail has an icon that displays your account details and sign out. This
> icon also provides an option to add additional accounts
> * Clicking add account redirects to the login screen and you can now log in
> using an additional account
> * When you use a new application and are logged in to multiple
> accounts, Google displays an account selector where you can select which of
> the logged-in accounts to use
>
> If this is what you are after and it's implemented as a complete feature
> we can consider it, but if it's something else we need to have further
> discussions and see if it is something Keycloak should support or if you
> should use a custom authentication flow to achieve it.
>
> On Wed, 16 Jan 2019 at 09:03, 乗松隆志 / NORIMATSU,TAKASHI <
> takashi.norimatsu.ws at hitachi.com> wrote:
> Hello,
>
> I've used keycloak for a client application that collects a user's
> information via an API provided by a resource server (e.g. collects balances
> from a bank's API).
>
> If the user has multiple accounts in the resource server, the client
> application must collect information on all these accounts. In order to do
> this, the client application lets the user conduct an authentication and
> authorization flow for each account on the same browser consecutively.
>
> The current keycloak implementation does not allow a user to log in to
> multiple accounts consecutively and simultaneously on the same browser.
> Therefore, the user must terminate and restart the browser every time she or
> he logs in to one of her or his accounts, which is not good from a UX
> perspective. I've opened a JIRA
> (https://issues.jboss.org/browse/KEYCLOAK-9332).
>
> I have an idea to resolve it and hopefully contribute its realization.
> However, I'm not sure whether this idea is appropriate or not, so I would be
> happy to get some suggestions and advice on it.
>
> [Idea]
> The current (keycloak-4.8.2.Final) keycloak implementation seems to be
> as follows:
> A RootAuthenticationSessionModel class instance has several
> AuthenticationSessionModel class instances.
> A browser is bound to a RootAuthenticationSessionModel by the AUTH_SESSION_ID
> cookie and realm.
> An AuthenticationSessionModel is bound to a browser tab by
> RootAuthenticationSessionModel, client id, and tab id.
>
> It seems that keycloak allows a user on the same browser to log in with the
> same account to several clients, one per browser tab, which is good for the
> Web SSO use case. However, it does not work well for the Account Aggregation
> use case.
>
> My proposal is to suppress (explicitly expire) the AUTH_SESSION_ID
> cookie and its related cookies on the client side (not the server side) at
> the end of an authentication and authorization flow, so that the browser
> appears new to keycloak at every login. Also, to add a switch to change the
> operation mode from the ordinary Web SSO mode to the proposed one (such as a
> Securing API mode).
>
> Best Regards
> Takashi Norimatsu
> Hitachi, Ltd.
>

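To make the difference between the default Web SSO behaviour and the proposed client-side cookie expiry concrete, here is an added, simplified Python model of the thread's scenario (it is not Keycloak's code; only the AUTH_SESSION_ID cookie name, the "already authenticated" error, the revoke-on-logout behaviour and the proposed mode switch come from the thread, everything else is a modelling assumption):

```python
# Added, simplified model of the thread's scenario (not Keycloak's code): the
# AUTH_SESSION_ID cookie binds a browser to a server session; "sso" is the
# current behaviour, "api" the proposed mode that expires the cookie client-side.
import secrets

class AlreadyAuthenticated(Exception):
    """Raised where Keycloak shows the 'already authenticated' error page."""

class AuthServer:
    def __init__(self, mode="sso"):  # "sso" (current) or "api" (proposed switch)
        self.mode = mode
        self.sessions = {}  # AUTH_SESSION_ID -> user logged in for that browser
        self.tokens = {}    # access token -> (user, AUTH_SESSION_ID)

    def authz_code_flow(self, cookies, user):
        """Steps 3-5 of the procedure; `cookies` is one browser's cookie jar."""
        sid = cookies.get("AUTH_SESSION_ID")
        if sid in self.sessions and self.sessions[sid] != user:
            raise AlreadyAuthenticated(
                f"You are already authenticated as different user "
                f"'{self.sessions[sid]}' in this session. Please logout first.")
        if sid not in self.sessions:  # fresh browser: create and bind a session
            sid = secrets.token_hex(8)
            self.sessions[sid] = user
            cookies["AUTH_SESSION_ID"] = sid
        token = secrets.token_urlsafe(16)
        self.tokens[token] = (user, sid)
        if self.mode == "api":  # proposal: expire the cookie in the browser only
            del cookies["AUTH_SESSION_ID"]  # the server-side session stays valid
        return token

    def logout(self, cookies):
        """Ending the browser's session revokes every token issued within it."""
        self.sessions.pop(cookies.pop("AUTH_SESSION_ID", None), None)

    def is_active(self, token):
        user, sid = self.tokens[token]
        return self.sessions.get(sid) == user

def aggregate(mode, accounts=("AliceEin", "AliceZwei", "AliceDrei")):
    """Run the thread's procedure in one browser; return users holding active tokens."""
    server, cookies, tokens = AuthServer(mode), {}, []
    for account in accounts:
        try:
            tokens.append(server.authz_code_flow(cookies, account))
        except AlreadyAuthenticated:
            break  # this is where step 7 fails in "sso" mode
    return [server.tokens[t][0] for t in tokens if server.is_active(t)]
```

Running `aggregate("sso")` reproduces the thread's actual result (only AliceEin's token, the flow stopping at step 7), while `aggregate("api")` yields the expected three active tokens without a logout or browser restart.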
