[keycloak-user] Two browser tabs result in two access-/refresh tokens and accidental logout

Anders KK anders.kabell.kristensen at systematic.com
Wed Oct 4 08:47:52 EDT 2017


Hi guys,

We run into an accidental logout when opening our application in a second
tab in the browser. It seems that the second tab acquires its own
access-/refresh token pair; however, the tabs share the session.
Consequently, when the first tab needs to refresh its token, the refresh
token is no longer valid, resulting in the first tab initiating a logout -
and then the second tab only lives until token expiration, since refresh
fails due to the first tab having ended the session.

Looking into the js adapter code we got the impression that the tabs would
share tokens through local storage - is this something we need to activate
explicitly in the configuration?

We have a setup with an Angular2 app making use of the Keycloak js adapter.
We made use of the example provided with the 3.0.0 quickstarts, but modified
the parameters for the init function:



Thanks for the great effort put into Keycloak!

Anders



