
Peter Flintholm

Oct 24, 2022, 8:14:05 AM10/24/22
to Keycloak User
Hi,

I have trouble getting Keycloak to "forget" an existing authentication session.

I am trying to achieve the following workflow on a mobile app:
1. User A logs in
2. Shortly thereafter, user B logs in on the same device (without A calling Keycloak to logout).

This will trigger an error "You are already authenticated as different user A...."

The workaround is to simply remove Keycloak's session cookies in a proxy in front of Keycloak, but this is of course a bit of a hack.

I have also tried to avoid this error with rather disastrous consequences by implementing an authenticator to remove the existing auth session. The authenticator does the following:

import org.keycloak.models.KeycloakSession;
import org.keycloak.models.UserSessionModel;
import org.keycloak.sessions.AuthenticationSessionModel;
// inside the authenticator's authenticate(AuthenticationFlowContext context)
KeycloakSession session = context.getSession();
AuthenticationSessionModel authSession = context.getAuthenticationSession();
UserSessionModel userSession = session.sessions().getUserSession(context.getRealm(), authSession.getParentSession().getId()); // user session sharing the root auth session id
if (userSession != null) {
    session.sessions().removeUserSession(context.getRealm(), userSession); // drop user A's existing session
}

This has the very unfortunate consequence that user B will actually get user A's session. The authenticated user will be user B, but the "sid" will be the same as when user A authenticated. This means that calling the token endpoint using B's refresh token will return an access token for user A.

Does anyone have a recommendation on how to achieve the desired functionality?

Kind regards,
Peter
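The failure mode described in the post, as an added example that is not part of the original thread: a Python regression check a test client can run over the tokens it receives, flagging a reused sid across two users and a refresh that returns the other user's identity. Claims are read without signature verification (assumed to be done by the client library), and the sample tokens are constructed inline with alg=none purely to feed the checker.

```python
import base64
import json


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def make_unsigned_token(claims: dict) -> str:
    """Constructed sample token (alg=none, empty signature) used only in this demo."""
    header = _b64url(json.dumps({"alg": "none"}).encode())
    return f"{header}.{_b64url(json.dumps(claims).encode())}."


def jwt_claims(token: str) -> dict:
    """Decode the payload of a compact JWT. No signature check: run this only on
    tokens the client library has already validated against the realm keys."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS")
    payload = parts[1] + "=" * (-len(parts[1]) % 4)  # restore base64 padding
    return json.loads(base64.urlsafe_b64decode(payload))


def check_relogin(id_token_a: str, id_token_b: str, refreshed_token_b: str) -> list:
    """Findings for the scenario in the thread: A logs in, B logs in on the same
    device, then B's refresh token is exchanged at the token endpoint."""
    a, b, r = (jwt_claims(t) for t in (id_token_a, id_token_b, refreshed_token_b))
    findings = []
    if a["sub"] == b["sub"]:
        findings.append("both logins have the same sub; use two distinct users")
    if a.get("sid") == b.get("sid"):
        findings.append("sid reused: B inherited A's user session")
    if r["sub"] != b["sub"]:
        findings.append(f"refresh minted a token for {r['sub']}, expected {b['sub']}")
    if r.get("sid") != b.get("sid"):
        findings.append("refreshed token sid does not match B's login sid")
    return findings


def buggy_case() -> list:
    """Outcome the post describes: B is authenticated but carries A's sid, and
    B's refresh token yields an access token for A."""
    return check_relogin(
        make_unsigned_token({"sub": "user-a", "sid": "sess-1"}),
        make_unsigned_token({"sub": "user-b", "sid": "sess-1"}),
        make_unsigned_token({"sub": "user-a", "sid": "sess-1"}),
    )


def healthy_case() -> list:
    """Expected behaviour: B gets a fresh sid and refresh stays bound to B."""
    return check_relogin(
        make_unsigned_token({"sub": "user-a", "sid": "sess-1"}),
        make_unsigned_token({"sub": "user-b", "sid": "sess-2"}),
        make_unsigned_token({"sub": "user-b", "sid": "sess-2"}),
    )
```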
