Uploaded image for project: 'Keycloak'
  1. Keycloak
  2. KEYCLOAK-5938

Support authenticationSession for login same client in multiple browser tabs

    XMLWordPrintable

Details

    • Bug
    • Status: Closed (View Workflow)
    • Major
    • Resolution: Done
    • None
    • 3.4.2.Final
    • None
    • None
    • NEW
    • ASSIGNED

    Description

      The KEYCLOAK-5797 adds support of authenticationSession for multiple browser tabs with multiple different clients. However there can be still an issue if there are multiple browser tabs and all use same client. For example this scenario with 2 tabs using admin console:

      1) Open http://localhost:8081/auth/admin in browser tab1 and login as admin
      2) Open http://localhost:8081/auth/admin in browser tab2 and login as admin
      3) Click to tab "Tokens" in tab2. URL here is like "http://localhost:8081/auth/admin/master/console/#/realms/master/token-settings"
      4) Click "Sign out" in tab2
      5) Wait few seconds until tab1 is logged-out too (due the session iframe)
      6) Login as admin/admin in tab2
      7) I am on "General" tab with URL http://localhost:8081/auth/admin/master/console/#/realms/master but should be on the "Token settings" tab -> KO
      8) Go back to tab1 and click browser refresh. I have admin console with "Page not found" opened now and the state+code in the URL like: http://localhost:8081/auth/admin/master/console/#/state=d2de486b-908e-422c-abb3-4e6bfce84362&code=eyJ.... -> KO .
      9) After manually reopening the URL http://localhost:8081/auth/admin, the login is OK (as new authenticationSession was created.

      The reason of the issue is, that in step 4, the authenticationSession was created on the Keycloak server for the "security-admin-console" client. But in step 5, that session data was overwritten. So in step 7, the tab2 used the OIDC parameters from tab 1 and exchanged the "state" in the javascript adapter, which was for tab1. In step 8, the javascript adapter doesn't have the "state" available in browser localStorage due the state was already exchanged in step 7.

      Attachments

        Issue Links

          Activity

            People

              mposolda@redhat.com Marek Posolda
              mposolda@redhat.com Marek Posolda
              Mark True Mark True (Inactive)
              Votes:
              0 Vote for this issue
              Watchers:
              2 Start watching this issue

              Dates

                Created:
                Updated:
                Resolved: