[keycloak-dev] "You are already logged-in" issue

Stian Thorgersen sthorger at redhat.com
Thu Jun 13 12:17:21 EDT 2019


Discussed this with Marek a bit and may have a potential solution here.

My suggestion is the following:

1. Add a timestamp to a cookie - this timestamp is updated whenever the
user makes any action in the authentication session. Basically submitting
any form.
2. Add a piece of JS that reads the value of this cookie. If the value
changes it will refresh the page. This will hand over the logic of what to
do now to the Keycloak server. If username/password was submitted on one
tab, the second tab should automatically update and show the next step (or
if complete redirect to the client with successful login)
3. Change the client_id param to a more generic state param. This should be
a base64 encoded value with the info that we need in case the root
authentication session is lost (base64(c=<client-id>&r=<redirect-uri>)). By
having a single base64 encoded param we can more easily add additional info
if we need to, without having to add more query parameters.
4. Root authentication session should not be deleted straight away if there
are more child authentication sessions, but rather it should be garbage
collected after X mins of inactivity.
5. If root authentication session is garbage collected we should redirect
to the client with login error, rather than display error page, with some
error message stating failed due to inactivity. The client can then handle
it accordingly.

On Thu, 13 Jun 2019 at 14:53, Vlasta Ramik <vramik at redhat.com> wrote:

> Hi,
>
> I'm working on https://issues.jboss.org/browse/KEYCLOAK-5179: See if the
> message "You are already logged-in" can be avoided during authentication.
>
> In the current state we discard the RootAuthenticationSession when the user
> successfully finishes the authentication. In that moment we lose all
> the information stored in AuthenticationSession(s) for other tab(s) and
> in some cases we do not know where to redirect the user. To solve this
> issue there seem to be 2 possibilities.
>
> 1. Do not remove RootAuthenticationSession once the user finishes the
> authentication. Instead we can remove just AuthenticationSession
> associated with the specific tab from the RootAuthenticationSession and
> the RootAuthenticationSession would be deleted together with last
> AuthenticationSession from it.
>
> 2. Add and pass a redirect_uri parameter to the login flow. With the parameter
> we'd always have the information on where it should be redirected in case
> the authentication was successfully finished in another tab.
>
> With solution #1 it'd increase memory usage, as it keeps the
> RootAuthenticationSession alive as long as the tabs are alive.
>
> Solution #2 keeps current behavior regarding the authentication sessions
> but it slightly increases the length of uris.
>
> wdyt?
>
> _______________________________________________
> keycloak-dev mailing list
> keycloak-dev at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-dev
>
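The browser-side pieces of Stian's proposal (points 2 and 3, plus the redirect check point 5 needs), written out as an added example that is not Keycloak's own code. The cookie name KC_AUTH_SESSION_TS and the helper names are assumptions; the state layout base64(c=<client-id>&r=<redirect-uri>) is the one from the mail.

```javascript
// Added example, not Keycloak code. Assumed cookie name; the state layout
// base64(c=<client-id>&r=<redirect-uri>) follows the proposal above.
const TS_COOKIE = 'KC_AUTH_SESSION_TS';

// Return one cookie's value from a document.cookie-style string, or null.
function readCookie(cookieString, name) {
  for (const part of cookieString.split(';')) {
    const [k, ...v] = part.trim().split('=');
    if (k === name) return decodeURIComponent(v.join('='));
  }
  return null;
}

// Point 2: poll the timestamp cookie. When another tab submits a form the value
// changes and this tab reloads, so the server decides what to show next.
// In a browser: setInterval(makeCookieWatcher(() => document.cookie, () => location.reload()), 1000)
function makeCookieWatcher(getCookieString, reload) {
  let last = readCookie(getCookieString(), TS_COOKIE);
  return function check() {
    const now = readCookie(getCookieString(), TS_COOKIE);
    if (now === last) return false;
    last = now;
    reload();
    return true;
  };
}

// Point 3: pack client id and redirect URI into one base64 value. URLSearchParams
// percent-encodes, so btoa only sees ASCII; URL-encode the result in a query string.
function encodeState(clientId, redirectUri) {
  return btoa(new URLSearchParams({ c: clientId, r: redirectUri }).toString());
}

function decodeState(state) {
  try {
    const p = new URLSearchParams(atob(state));
    return { c: p.get('c'), r: p.get('r') };
  } catch (e) {
    return null; // not valid base64, so not a state value we produced
  }
}

// Point 5 caveat: the state param arrives from the browser, so the redirect
// target must be matched against the client's registered redirect URIs before
// the server redirects with the inactivity error; otherwise it is an open redirect.
function resolveRedirect(state, registeredRedirectUris) {
  const s = decodeState(state);
  if (!s || !s.c || !s.r) return null;
  return registeredRedirectUris.includes(s.r) ? s.r : null;
}
```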
