Bug
Resolution: Done
Before reporting an issue
[x] I have read and understood the above terms for submitting issues, and I understand that my issue may be closed without action if I do not follow them.
Area
account/ui
Describe the bug
When an unauthenticated user logs in to the account console, Keycloak generates two separate, consecutive LOGIN events.
Version
26.2.5
Regression
[x] The issue is a regression
Expected behavior
Keycloak should only generate one LOGIN event when an unauthenticated user performs a login for the account-console client.
Actual behavior
Keycloak generates two LOGIN events when an unauthenticated user performs a login for the account-console client.
How to Reproduce?
0) Enable event storage
1) Login to account-console
2) Observe two LOGIN events created for the account-console.
Anything else?
In Keycloak versions before v26.1.0 only one LOGIN event was produced for the account-console.
This was caused by my change in this PR: https://github.com/keycloak/keycloak/pull/32686
This only affects the account-console, other clients produce only one LOGIN event.
The problem is that if we detect an unauthenticated user accessing the /account endpoint, we redirect the user to a generated authorize URL to spare the bootstrapping of the "heavy" React JS app, which would otherwise perform that redirect itself.
The user now sees the login page and can authenticate. After successful authentication the user is sent back to the account console. This produces the first LOGIN event.
This time, we can detect the existing user session and thus start to bootstrap the React JS app. The React JS app then performs the "real" auth code flow in the context of the already authenticated user session, which is immediately redirected back to the account-console. This produces the second LOGIN event.
The following shows an example event sequence for a different OIDC client:
Image 1:
<img width="1168" alt="Image" src="https://github.com/user-attachments/assets/ecbd383b-e019-420d-820e-5740f84516cc" />
.. and here is an event sequence for the account-console:
Image 2:
<img width="1134" alt="Image" src="https://github.com/user-attachments/assets/382007ea-cf2d-4b55-8d9f-f292dea88b73" />
This leads to double counting of LOGIN events if users login to the account-console client.
I see the following options:
1) somehow suppress the second "Event 2" shown in Image 2 for the account-console client
2) handle the code-flow / token-management for the account-console on the account backend
3) add additional event_details metadata about the LOGIN TYPE (e.g. interactive, session)
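Until one of the options above lands, a consumer of the event stream (a SIEM or a login-metrics job) can neutralise the double count on its side. The script below is an added example written for this issue, not code from the Keycloak project; it assumes Keycloak's event JSON field layout (`time` in epoch milliseconds, `type`, `realmId`, `clientId`, `userId`, `sessionId`, `details`) and uses a constructed sample of records. A LOGIN for `account-console` is treated as a re-authorization of an existing user session, not a new interactive login, when a LOGIN for the same realm, user, session and client was already kept a few seconds earlier. `sessionId` is part of the key on purpose: a LOGIN for a *different* client in the same session is ordinary SSO and must survive, and a LOGIN with a new `sessionId` is a real login. The `window_ms` threshold is a heuristic; option 3 (a LOGIN TYPE detail) would make the distinction deterministic.

```python
import json

# Constructed sample of Keycloak event records, one JSON object per line, in
# the field layout Keycloak uses for its event JSON (time in epoch millis).
# Records 1 and 2 share sessionId and clientId 1.5 s apart: the account-console
# double LOGIN described in this issue. Record 3 is the same session reaching a
# different client (ordinary SSO) and must be kept. Record 4 is a genuinely new
# session for the same user an hour later, followed by its LOGOUT.
SAMPLE_JSONL = """\
{"time":1750000000000,"type":"LOGIN","realmId":"master","clientId":"account-console","userId":"u-1","sessionId":"s-1","ipAddress":"10.0.0.5","details":{"auth_method":"openid-connect","username":"alice","code_id":"c-1"}}
{"time":1750000001500,"type":"LOGIN","realmId":"master","clientId":"account-console","userId":"u-1","sessionId":"s-1","ipAddress":"10.0.0.5","details":{"auth_method":"openid-connect","username":"alice","code_id":"c-2"}}
{"time":1750000020000,"type":"LOGIN","realmId":"master","clientId":"other-app","userId":"u-1","sessionId":"s-1","ipAddress":"10.0.0.5","details":{"auth_method":"openid-connect","username":"alice","code_id":"c-3"}}
{"time":1750003600000,"type":"LOGIN","realmId":"master","clientId":"account-console","userId":"u-1","sessionId":"s-2","ipAddress":"10.0.0.5","details":{"auth_method":"openid-connect","username":"alice","code_id":"c-4"}}
{"time":1750003601000,"type":"LOGOUT","realmId":"master","clientId":"account-console","userId":"u-1","sessionId":"s-2","ipAddress":"10.0.0.5","details":{}}
"""


def parse_events(jsonl):
    """Parse newline-delimited event JSON into a list of dicts, skipping blank lines."""
    return [json.loads(line) for line in jsonl.splitlines() if line.strip()]


def collapse_session_relogins(events, client_id="account-console", window_ms=10_000):
    """Split events into (kept, dropped).

    A LOGIN for client_id is dropped as a re-authorization of an existing user
    session when a LOGIN for the same (realmId, userId, sessionId, clientId) was
    already kept within window_ms. Everything else passes through untouched.
    Events are processed in time order so the interactive login is the one kept.
    """
    last_kept_login = {}
    kept, dropped = [], []
    for ev in sorted(events, key=lambda e: e["time"]):
        if ev.get("type") != "LOGIN" or ev.get("clientId") != client_id:
            kept.append(ev)
            continue
        key = (ev.get("realmId"), ev.get("userId"), ev.get("sessionId"), client_id)
        prev = last_kept_login.get(key)
        if prev is not None and ev["time"] - prev <= window_ms:
            dropped.append(ev)  # second code flow against the already authenticated session
        else:
            kept.append(ev)
            last_kept_login[key] = ev["time"]
    return kept, dropped


def login_counts(events):
    """Count LOGIN events per (username, clientId): the metric that is double
    counted for account-console when the collapse is not applied."""
    counts = {}
    for ev in events:
        if ev.get("type") == "LOGIN":
            k = (ev.get("details", {}).get("username"), ev.get("clientId"))
            counts[k] = counts.get(k, 0) + 1
    return counts


if __name__ == "__main__":
    raw = parse_events(SAMPLE_JSONL)
    kept, dropped = collapse_session_relogins(raw)
    print("before:", login_counts(raw))
    print("after: ", login_counts(kept))
    for ev in dropped:
        print("dropped re-authorization:", ev["details"]["code_id"], "session", ev["sessionId"])
```

Run against the sample, the account-console count for alice goes from 3 to 2 (the `c-2` record is dropped) while the `other-app` SSO login and the later `s-2` session are kept. Anything feeding the same events into alerting on "logins per user" should apply the same key, otherwise account-console users look twice as active as everyone else.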