We came up with a workaround to mitigate this risk, as follows:
1. Generate a new custom session ID (custom_session_id) on login. A custom Authenticator can be created in Keycloak, which will generate this custom session ID for each login attempt.
2. This custom_session_id cookie will be created and returned in the authResponse method (step 7 of the sequence diagram below).
3. The value of the custom_session_id cookie created in step 2 will be added as an Auth Session Note of the authentication session.
4. During the custom authentication (step 11 of the sequence diagram below), the custom_session_id cookie value sent in the request will be validated against the custom_session_id value stored in the Auth Session Note.
5. If its value is the same as the one set up in step 2, the flow continues successfully. Otherwise, an error will be returned.
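As an added illustration of the five steps above (example code, not the original post's or Keycloak's own), a single Keycloak Authenticator: authenticate() generates the ID, stores it as an auth note and sets the cookie on the challenge response (the step 7 response), and action() compares the cookie presented on the follow-up request with the note (the step 11 check). The template name custom-session-id.ftl is hypothetical, the AuthenticatorFactory and META-INF/services registration are omitted, and the jakarta.* imports assume a Keycloak build on Jakarta EE (older versions use javax.*).

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.util.Base64;
import jakarta.ws.rs.core.Cookie;
import jakarta.ws.rs.core.NewCookie;
import jakarta.ws.rs.core.Response;
import org.keycloak.authentication.AuthenticationFlowContext;
import org.keycloak.authentication.AuthenticationFlowError;
import org.keycloak.authentication.Authenticator;
import org.keycloak.models.KeycloakSession;
import org.keycloak.models.RealmModel;
import org.keycloak.models.UserModel;

public class CustomSessionIdAuthenticator implements Authenticator {
    static final String NAME = "custom_session_id"; // used for both the cookie and the auth note
    private static final SecureRandom RNG = new SecureRandom();
    @Override
    public void authenticate(AuthenticationFlowContext ctx) {
        // Steps 1-3: a fresh, unguessable ID per login attempt, bound to this authentication session.
        byte[] raw = new byte[32];
        RNG.nextBytes(raw);
        String id = Base64.getUrlEncoder().withoutPadding().encodeToString(raw);
        ctx.getAuthenticationSession().setAuthNote(NAME, id);
        // Browser-session cookie (max age -1), Secure and HttpOnly. SameSite is not settable through
        // this JAX-RS constructor; use your Keycloak version's cookie helper if you need it.
        NewCookie cookie = new NewCookie(NAME, id, "/", null, null, NewCookie.DEFAULT_MAX_AGE, true, true);
        Response page = ctx.form().createForm("custom-session-id.ftl"); // hypothetical template
        ctx.challenge(Response.fromResponse(page).cookie(cookie).build());
    }

    @Override
    public void action(AuthenticationFlowContext ctx) {
        // Steps 4-5: the cookie sent with the follow-up request must equal the stored note value.
        String expected = ctx.getAuthenticationSession().getAuthNote(NAME);
        Cookie presented = ctx.getHttpRequest().getHttpHeaders().getCookies().get(NAME);
        if (expected == null || presented == null
                || !MessageDigest.isEqual(expected.getBytes(StandardCharsets.UTF_8),
                                          presented.getValue().getBytes(StandardCharsets.UTF_8))) {
            ctx.failure(AuthenticationFlowError.INVALID_CLIENT_SESSION); // mismatch or missing: abort the flow
            return;
        }
        ctx.success();
    }

    @Override public boolean requiresUser() { return false; }
    @Override public boolean configuredFor(KeycloakSession s, RealmModel r, UserModel u) { return true; }
    @Override public void setRequiredActions(KeycloakSession s, RealmModel r, UserModel u) { }
    @Override public void close() { }
}
```

The auth note lives in the authentication session that Keycloak selects from its own AUTH_SESSION_ID cookie, so the check ties the browser that received the step 7 response to the one completing step 11; a request carrying a different or absent custom_session_id cookie fails without revealing the expected value.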
Below is the sequence diagram of the proposed solution, based on our authentication flow implementation: