User session limit make account console crash and logout the user #17374
Comments
This looks like a valid issue, but not a blocker for Keycloak 22. Adding to backlog for now. I think that in UserSessionLimiter, we should make sure that during SSO authentication the session itself is not included in the limited sessions. Maybe it is possible to already achieve something like this with some configuration of authentication flows (but not 100% sure).
Thanks @mposolda, good to know! Do you have any suggestions as a workaround? We are trying very hard to implement the single-session-per-realm feature in our system.
@aletundo You can maybe try something like this configuration:
In other words, make sure that when "cookie" SSO authentication is successfully used, then the session-limits authenticator won't be triggered (as it is present in the inner subflow rather than in the level 1 authentication). I am not 100% sure, but maybe this configuration can help you to achieve what you need.
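To make the two points above concrete, the following is an added example, not Keycloak's code: a small model of a browser flow in which the "terminate oldest session" limiter sits either at the top level after a subflow wrapping the whole built-in flow (the documented layout) or inside the forms subflow as a sibling of Cookie (the workaround above). The mini flow engine is a deliberate simplification of Keycloak's execution semantics (REQUIRED executions in a flow must all succeed; where a flow has only ALTERNATIVE executions, the first one that succeeds satisfies the flow and the rest are skipped), the authenticator names are descriptive rather than provider ids, and the "SSO-aware" limiter variant is an assumed implementation of the idea that the session being reused during cookie authentication is not counted.

```python
"""Model (added example, not Keycloak code) of how a session limiter's position
in a browser flow decides whether an SSO-cookie refresh terminates the very
session the user is on."""
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional, Union


@dataclass
class Ctx:
    user: str
    sessions: Dict[str, List[str]]      # realm state: user -> session ids, oldest first
    realm_limit: int
    cookie: Optional[str] = None        # session id presented by the SSO cookie
    sso_session: Optional[str] = None   # set when the cookie authenticator succeeds
    log: List[str] = field(default_factory=list)
    counter: int = 0


@dataclass
class Flow:
    name: str
    steps: List["Step"]


@dataclass
class Step:
    requirement: str                                   # "REQUIRED" | "ALTERNATIVE"
    target: Union[Flow, Callable[[Ctx], bool]]


def run_flow(flow: Flow, ctx: Ctx) -> bool:
    """Simplified Keycloak semantics: REQUIRED steps all run (alternatives are
    then ignored); otherwise the first successful ALTERNATIVE satisfies the flow."""
    required = [s for s in flow.steps if s.requirement == "REQUIRED"]
    if required:
        return all(_run_step(s, ctx) for s in required)
    return any(_run_step(s, ctx) for s in flow.steps)   # short-circuits on success


def _run_step(step: Step, ctx: Ctx) -> bool:
    return run_flow(step.target, ctx) if isinstance(step.target, Flow) else step.target(ctx)


def cookie(ctx: Ctx) -> bool:
    """SSO: succeeds only if the cookie names a live session of this user."""
    if ctx.cookie and ctx.cookie in ctx.sessions.get(ctx.user, []):
        ctx.sso_session = ctx.cookie
        ctx.log.append(f"cookie: reused {ctx.cookie}")
        return True
    return False


def username_password(ctx: Ctx) -> bool:
    ctx.log.append("forms: credentials accepted")
    return True


def make_limiter(sso_aware: bool) -> Callable[[Ctx], bool]:
    """'Terminate oldest session' limiter. sso_aware=False always assumes a new
    session is about to be created and counts every live session, including the
    one being reused through SSO (the reported behaviour); sso_aware=True leaves
    that session out, as suggested in the thread (assumed implementation)."""
    def limiter(ctx: Ctx) -> bool:
        live = ctx.sessions.setdefault(ctx.user, [])
        reusing = sso_aware and ctx.sso_session is not None
        counted = [s for s in live if not (reusing and s == ctx.sso_session)]
        excess = len(counted) + (0 if reusing else 1) - ctx.realm_limit
        for victim in counted[:max(excess, 0)]:          # oldest first
            live.remove(victim)
            ctx.log.append(f"limiter: terminated {victim}")
        return True
    return limiter


def login(flow: Flow, ctx: Ctx, cookie_value: Optional[str]) -> Optional[str]:
    """Run the flow once; return the session the browser ends up with, or None
    when the flow failed or its own session was terminated (user logged out)."""
    ctx.cookie, ctx.sso_session = cookie_value, None
    if not run_flow(flow, ctx):
        return None
    live = ctx.sessions.setdefault(ctx.user, [])
    if ctx.sso_session:
        return ctx.sso_session if ctx.sso_session in live else None
    ctx.counter += 1
    sid = f"s{ctx.counter}"
    live.append(sid)
    ctx.log.append(f"created {sid}")
    return sid


def documented_layout(limiter: Callable[[Ctx], bool]) -> Flow:
    """Limiter at the top level after a subflow wrapping the built-in flow: it
    runs on every authentication, cookie-based ones included."""
    forms = Flow("forms", [Step("REQUIRED", username_password)])
    wrapped = Flow("wrapped", [Step("ALTERNATIVE", cookie), Step("ALTERNATIVE", forms)])
    return Flow("browser", [Step("REQUIRED", wrapped), Step("REQUIRED", limiter)])


def workaround_layout(limiter: Callable[[Ctx], bool]) -> Flow:
    """Limiter inside the forms subflow, a sibling alternative of Cookie: a
    successful cookie authentication means the limiter is never reached."""
    forms = Flow("forms", [Step("REQUIRED", username_password), Step("REQUIRED", limiter)])
    inner = Flow("inner", [Step("ALTERNATIVE", cookie), Step("ALTERNATIVE", forms)])
    return Flow("browser", [Step("REQUIRED", inner)])


def scenario(flow: Flow) -> Dict[str, object]:
    """Realm limit 1: two fresh logins (the second must evict the first), then a
    page refresh that re-authenticates with the second session's cookie."""
    ctx = Ctx(user="alice", sessions={}, realm_limit=1)
    first = login(flow, ctx, None)
    second = login(flow, ctx, None)
    refreshed = login(flow, ctx, second)
    return {"evicted_first": first not in ctx.sessions["alice"],
            "survived_refresh": refreshed == second, "log": ctx.log}


if __name__ == "__main__":
    for label, flow in [("documented + counting limiter", documented_layout(make_limiter(False))),
                        ("workaround layout", workaround_layout(make_limiter(False))),
                        ("documented + SSO-aware limiter", documented_layout(make_limiter(True)))]:
        print(label, scenario(flow))
```

With the documented layout and the counting limiter the refresh terminates the session the cookie just reused, which is the state in which the account console's subsequent code-to-token exchange has no session to bind to; moving the limiter next to the forms, or leaving the reused session out of the count, keeps the oldest-session eviction on fresh logins while letting the refresh survive.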
Thank you so much, it worked! I see no errors on refresh and the user is correctly logged out from the oldest session. IMHO, the issue should be kept in the backlog. The workaround is in contrast with the current documentation (which suggests wrapping everything so that the limiter is at the same level as the whole auth flow).
@aletundo Thanks for confirming! This might be just a documentation issue (and maybe also a test issue), so I am adding it to 22 for now. We will try to fix it in Keycloak 22, but no promise... It can be postponed.
Closes #17374 Co-authored-by: andymunro <48995441+andymunro@users.noreply.github.com>
…loak#19372) Closes keycloak#17374 Co-authored-by: andymunro <48995441+andymunro@users.noreply.github.com>
Before reporting an issue
Area
authentication
Describe the bug
After setting the user session limits to 1 per realm with the "terminate oldest session" behavior, the account console crashes after a simple page refresh, showing "failed to initialize keycloak" and logging out the user. In the server logs it emits the following warning message:
type=CODE_TO_TOKEN_ERROR, realmId=myrealm, clientId=account-console, userId=null, ipAddress=172.19.0.1, error=invalid_code, grant_type=authorization_code, code_id=4103ed42-c407-476e-ae58-9860645c7d74, client_auth_method=client-secret
If I bind the browser flow back to the built-in flow, it works.
Version
21.0.0
Expected behavior
The refresh doesn't cause any logout / crash.
Actual behavior
The user is logged out and the account console app crashes.
How to Reproduce?
Set up the user session limits by following the documentation. This means that:
To check if I misconfigured / wrapped the flows, I provide the JSON of the imported realm at: https://pastebin.com/uASeP5bz
Anything else?
I had the same bug also with version 20 and 19.