When working in multiple browser tabs, with a system that supports SSO, users expect that there really is a "single sign-on session". The current Keycloak implementation has a limitation in that logging in twice will replace the previous SSO session - thus invalidating all existing tokens. The other tabs would then seemingly be "logged out".
It is possible (and sometimes likely) to have multiple browser tabs showing the login screen for the same realm. This could happen, for example, after working with different systems in different tabs and then having the whole SSO session time out.
It would be natural for a user to assume that, although they enter credentials one more time, everything would be merged into the same SSO session, keeping the illusion of "single sign-on". Maybe there's some security concern regarding this, but Google and others seem to work this way.
One suggestion for improving this, according to Stian Thorgersen, is: "To create a separate login session that is used during authentication. This would be backed by a cookie that would make sure the current flow would be shared cross multiple tabs."
See mailing list: http://lists.jboss.org/pipermail/keycloak-user/2016-December/008720.html
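
A minimal model of the two behaviours described above, added here as an illustration and not taken from Keycloak. The class, method and cookie names are hypothetical, and the rule that only a login by the same user joins the existing SSO session is an assumption of this example.

```python
import secrets


class Realm:
    """Toy session store for one realm; a model, not Keycloak code."""

    def __init__(self, shared_login_session):
        self.shared_login_session = shared_login_session
        self.sso = {}     # SSO session id -> {"user": str, "tokens": set}
        self.logins = {}  # login session id -> SSO session id it produced

    def open_login_page(self, cookies):
        """A tab renders the login form; cookies is the browser-wide jar."""
        if self.shared_login_session and cookies.get("LOGIN_SESSION") in self.logins:
            return  # this tab joins the login session already in progress
        lid = secrets.token_hex(8)
        self.logins[lid] = None
        cookies["LOGIN_SESSION"] = lid

    def submit_credentials(self, cookies, user):
        """A tab posts valid credentials; returns (sso_session_id, token)."""
        sid = self.logins.get(cookies.get("LOGIN_SESSION"))
        session = self.sso.get(sid)
        # Assumption: merge only when the same user completed the shared flow.
        reuse = self.shared_login_session and session and session["user"] == user
        if not reuse:
            # Replacement: the previous SSO session and all its tokens die.
            self.sso.pop(cookies.get("SSO_SESSION"), None)
            sid = secrets.token_hex(8)
            session = self.sso[sid] = {"user": user, "tokens": set()}
            self.logins[cookies["LOGIN_SESSION"]] = sid
            cookies["SSO_SESSION"] = sid
        token = secrets.token_hex(8)
        session["tokens"].add(token)
        return sid, token

    def token_valid(self, sid, token):
        return sid in self.sso and token in self.sso[sid]["tokens"]


def two_tabs(shared, second_user="alice"):
    """Both tabs show the login form, then each submits credentials.
    Returns (tab A's token still valid, both tabs share one SSO session)."""
    realm, cookies = Realm(shared), {}
    realm.open_login_page(cookies)  # tab A
    realm.open_login_page(cookies)  # tab B
    sid_a, tok_a = realm.submit_credentials(cookies, "alice")
    sid_b, _ = realm.submit_credentials(cookies, second_user)
    return realm.token_valid(sid_a, tok_a), sid_a == sid_b
```

With `shared=False` the second login invalidates tab A's token; with `shared=True` both tabs end up in one SSO session, unless a different user logs in from the second tab.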