[keycloak-user] Conflicting logins with admin console

Kyle Swensson kyle.swensson at tasktop.com
Mon Jun 19 16:25:12 EDT 2017


Hi Marek,

Fortunately, installing the master keycloak build did actually solve the
problem, so thank you for that suggestion! When we log into the master
realm admin console while logged into the user application, and then
refresh the page on the user application, we get a page saying "Unexpected
error when handling authentication request to identity provider", which is
what we want to happen. Unfortunately, there is now a new problem, because
once we get to this error page we continue to get this error page no matter
what when attempting to access the user application until we delete all of
our cookies, even closing the browser window doesn't help. When this
happens it will also sometimes attempt to kick us out of the keycloak
master realm admin console, but it doesn't do it consistently. I have
attached a picture of the error page I am seeing. Do you know if there is
any way that we could make this error page stop showing up once the user
who logged into the keycloak master realm admin console logs out?

Thanks,
Kyle

On Fri, Jun 16, 2017 at 1:58 AM, Marek Posolda <mposolda at redhat.com> wrote:

> On 15/06/17 19:29, Kyle Swensson wrote:
>
> Hi,
>
> We have set up a user client on a seperate realm that is not master that
> all users for that realm can access, which is where we have our user
> application and we have also set up an additional client for a user
> administration console on that (non-master) realm. However, the problem
> occurs when we log into the user client on the non-master realm at the same
> time as we log into the default admin console on the master realm, so our
> problem involes 2 seperate realms.
>
> The latest Keycloak master is Keycloak 3.10.Final right? I have tried
> upgrading to that, and the issue was still occurring.
>
> Latest Keycloak master is here: https://github.com/keycloak/keycloak
>
> You would need to checkout it, build manually SNAPSHOT and then test. Some
> notes are here: https://github.com/keycloak/ke
> ycloak/blob/master/misc/HackingOnKeycloak.md
>
> There are some changes in latest master, which might be related, but TBH I
> didn't ever see the behaviour you described, so hard to predict if it helps
> or not.
>
> Marek
>
>
> Thanks,
> Kyle
>
> On Thu, Jun 15, 2017 at 12:10 AM, Marek Posolda <mposolda at redhat.com>
> wrote:
>
>> Hi,
>>
>> I guess you're using same realm 'master' for both your application and
>> admin console. Can you try to use different realm for your application and
>> see if it helps? Also can you try to upgrade to latest Keycloak master and
>> see if it helps?
>>
>> Marek
>>
>>
>> On 14/06/17 01:56, Kyle Swensson wrote:
>>
>>> Hello,
>>>
>>>
>>> (I have asked this question before to no avail, but the wording was poor
>>> so
>>> I want to rephrase it in hopes of getting more help)
>>>
>>> I am having an issue with conflicting logins from a user application and
>>> the keycloak admin console
>>>
>>> The issue arises when I authenticate on my user application as a basic
>>> user, using Tomcat. Then, I navigate to the Keycloak Admin Console login
>>> page on a different window. Despite being logged in as a basic user on my
>>> user application, I am still shown the empty login page for the keycloak
>>> admin console. After navigating to the Keycloak admin console login page,
>>> my session on my user application becomes broken, and I'm not sure why.
>>> At
>>> this point if I refresh the page containing my application I will find a
>>> 403 error in my console, however I can still access everything in my user
>>> application normally. Additionally, for some reason I can no longer log
>>> out
>>> from my session like i normally would (by hitting the authorization
>>> endpoint), when I try to log out nothing happens. The only way that I can
>>> get it out of this permanently logged in state is by going to "account"
>>> and
>>> manually ending all of the sessions for my user. It may be worth noting
>>> that I can also still log in to the admin console with a different user,
>>> and use the admin console as normal while this is happening. If I log
>>> onto
>>> the admin console while this is happening and look at all of the active
>>> sessions, I can see that there is indeed still an active session for the
>>> basic user using the user application. I assume that is the root of the
>>> problem, but I'm not sure what's causing this to happen.
>>>
>>> Setting the "Revoke Refresh Token" option in the keycloak admin console
>>> to
>>> ON does prevent this from happening, however it also makes the rest of my
>>> application become very buggy and slow so leaving that on isn't really a
>>> viable option.
>>>
>>> I'm wondering if this might be an actual bug with Keycloak, or if this is
>>> just being caused by some configuration error on my side. I am currently
>>> using Keycloak 2.3 for my application, but I have tried temporarily
>>> upgrading to Keycloak 3.1 and that didn't help the issue.
>>> _______________________________________________
>>> keycloak-user mailing list
>>> keycloak-user at lists.jboss.org
>>> https://lists.jboss.org/mailman/listinfo/keycloak-user
>>>
>>
>>
>>
>
>
> --
>
>
>
>


--


More information about the keycloak-user mailing list