User session limit make account console crash and logout the user #17374

Closed
2 tasks done
aletundo opened this issue Mar 1, 2023 · 5 comments · Fixed by #19372
Labels

  • area/authentication (Indicates an issue on Authentication area)
  • area/docs
  • kind/bug (Categorizes a PR related to a bug)
Comments


aletundo commented Mar 1, 2023

Before reporting an issue

  • I have searched existing issues
  • I have reproduced the issue with the latest release

Area

authentication

Describe the bug

After setting the user session limits to 1 per realm and with terminate oldest session behavior, the account console crashes after a simple page refresh showing "failed to initialize keycloak" and logging out the user. In the server logs it emits the following warning message:

type=CODE_TO_TOKEN_ERROR, realmId=myrealm, clientId=account-console, userId=null, ipAddress=172.19.0.1, error=invalid_code, grant_type=authorization_code, code_id=4103ed42-c407-476e-ae58-9860645c7d74, client_auth_method=client-secret

If I bind the browser flow again to the built-in flow, it works.

Version

21.0.0

Expected behavior

The refresh doesn't cause any logout / crash.

Actual behavior

The user is logged out and the account console app crashes.

How to Reproduce?

Set up the user session limits by following the documentation. This means that:

  • The limiter has to be configured with all the required flows
  • Alternative steps/subflows must be wrapped into subflows to avoid ALTERNATIVE - REQUIRED at the same level

To check if I misconfigured / wrapped the flows, I provide the JSON of the imported realm at: https://pastebin.com/uASeP5bz

Anything else?

I had the same bug also with version 20 and 19.

@aletundo aletundo added kind/bug Categorizes a PR related to a bug status/triage labels Mar 1, 2023
@ghost ghost added area/authentication Indicates an issue on Authentication area team/core labels Mar 1, 2023

mposolda commented Mar 3, 2023

This looks like a valid issue, but not a blocker for Keycloak 22. Adding to backlog for now.

I think that in UserSessionLimiter, we should make sure that during SSO authentication the session itself is not included in the limited sessions. Maybe it is possible to already achieve something like this with some configuration of authentication flows (but not 100% sure).

@mposolda mposolda added this to the Backlog milestone Mar 3, 2023

aletundo commented Mar 4, 2023

Thanks @mposolda, good to know! Do you have any suggestions for a workaround? We are trying hard to implement the single-session-per-realm feature in our system.


mposolda commented Mar 6, 2023

@aletundo You can maybe try something like this configuration:

- Cookie ALTERNATIVE
- real-authentication-subflow ALTERNATIVE
-- inner-subflow-level2 
--- Identity Provider Authenticator ALTERNATIVE
--- Copy-of-forms-subflow ALTERNATIVE
---- (other authenticators here in the subflow of "forms" like username-password, 2factor etc. Exactly same like default flow)
-- User Session Limiter  REQUIRED

In other words, make sure that when "cookie" SSO authentication is successfully used, then session-limits authenticator won't be triggered (as it is present in the inner subflow rather than level 1 authentication).

I am not 100% sure, but maybe this configuration can help you to achieve what you need.
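To show why the layout above keeps the limiter off the cookie (SSO) path while the documented "wrap everything" layout does not, here is an added Python model of Keycloak's flow evaluation. It is example code written for this page, not Keycloak's own code and not from anyone in this thread. It assumes a simplified rule set: every REQUIRED row must pass; ALTERNATIVE rows are skipped when a REQUIRED row exists at the same level; otherwise the first passing ALTERNATIVE satisfies the level and the remaining alternatives are not run. The documented layout is constructed from the reporter's description, inner-subflow-level2 is assumed to be REQUIRED, and the Identity Provider Redirector is modelled as never completing authentication on its own.

```python
from dataclasses import dataclass, field
from typing import Callable, List


@dataclass
class Execution:
    """One row of a Keycloak authentication flow: an authenticator, or a
    subflow when `children` is non-empty."""
    name: str
    requirement: str  # "REQUIRED" | "ALTERNATIVE" | "DISABLED"
    children: List["Execution"] = field(default_factory=list)


def evaluate(level: List[Execution], passes: Callable[[str], bool], trace: List[str]) -> bool:
    """Simplified model of one flow level (assumption, not Keycloak's code):
    - every REQUIRED execution must pass (stop at the first failure);
    - if the level has any REQUIRED execution, its ALTERNATIVE rows are skipped
      (the reason the docs say to wrap alternatives into a subflow);
    - otherwise the level passes at the first ALTERNATIVE that passes.
    Every authenticator that actually runs is appended to `trace`."""
    active = [e for e in level if e.requirement != "DISABLED"]
    required = [e for e in active if e.requirement == "REQUIRED"]
    if required:
        return all(_run(e, passes, trace) for e in required)
    for e in active:  # only ALTERNATIVE rows remain at this level
        if _run(e, passes, trace):
            return True
    return False


def _run(e: Execution, passes: Callable[[str], bool], trace: List[str]) -> bool:
    if e.children:
        return evaluate(e.children, passes, trace)
    trace.append(e.name)
    return passes(e.name)


def forms_subflow(name: str) -> Execution:
    # Stand-in for the built-in "forms" subflow; one step is enough for the trace.
    return Execution(name, "ALTERNATIVE", [Execution("Username Password Form", "REQUIRED")])


# Layout as the reporter reads the documentation: everything wrapped so the limiter
# sits at the same level as the whole auth flow (constructed here, an assumption).
DOCUMENTED_LAYOUT = [
    Execution("browser-wrapper", "REQUIRED", [
        Execution("Cookie", "ALTERNATIVE"),
        Execution("Identity Provider Redirector", "ALTERNATIVE"),
        forms_subflow("forms"),
    ]),
    Execution("User Session Limiter", "REQUIRED"),
]

# Layout proposed in the comment above; inner-subflow-level2 is assumed REQUIRED.
WORKAROUND_LAYOUT = [
    Execution("Cookie", "ALTERNATIVE"),
    Execution("real-authentication-subflow", "ALTERNATIVE", [
        Execution("inner-subflow-level2", "REQUIRED", [
            Execution("Identity Provider Redirector", "ALTERNATIVE"),
            forms_subflow("Copy-of-forms-subflow"),
        ]),
        Execution("User Session Limiter", "REQUIRED"),
    ]),
]


def executed_authenticators(layout: List[Execution], sso_cookie_present: bool) -> List[str]:
    """Authenticators that run for one request. The Cookie authenticator passes only
    when the SSO cookie is present; the IdP redirector is modelled as never completing
    authentication by itself; every other authenticator passes."""
    def passes(name: str) -> bool:
        if name == "Cookie":
            return sso_cookie_present
        if name == "Identity Provider Redirector":
            return False
        return True
    trace: List[str] = []
    evaluate(layout, passes, trace)
    return trace


if __name__ == "__main__":
    for label, layout in (("documented", DOCUMENTED_LAYOUT), ("workaround", WORKAROUND_LAYOUT)):
        for cookie in (True, False):
            print(f"{label:10s} cookie={cookie!s:5s} -> {executed_authenticators(layout, cookie)}")
```

On a page refresh the browser already holds the SSO cookie, so the trace for that case is the one that matters: with the documented layout the limiter still runs after the cookie succeeds, and with a realm limit of 1 plus "terminate oldest session" the only candidate to terminate is the session the refresh itself belongs to, which matches the CODE_TO_TOKEN_ERROR / invalid_code symptom in the report. In the proposed layout the top-level Cookie alternative satisfies the flow before real-authentication-subflow is ever entered, so the limiter only runs on a fresh login.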


aletundo commented Mar 6, 2023

> @aletundo You can maybe try something like this configuration:
>
> - Cookie ALTERNATIVE
> - real-authentication-subflow ALTERNATIVE
> -- inner-subflow-level2
> --- Identity Provider Authenticator ALTERNATIVE
> --- Copy-of-forms-subflow ALTERNATIVE
> ---- (other authenticators here in the subflow of "forms" like username-password, 2factor etc. Exactly same like default flow)
> -- User Session Limiter  REQUIRED
>
> In other words, make sure that when "cookie" SSO authentication is successfully used, then session-limits authenticator won't be triggered (as it is present in the inner subflow rather than level 1 authentication).
>
> I am not 100% sure, but maybe this configuration can help you to achieve what you need.

Thank you so much, it worked! I see no errors on refresh and the user is correctly logged out from the oldest session. IMHO, the issue should be kept in the backlog. The workaround is in contrast with the current documentation (which suggests wrapping everything so that the limiter is at the same level as the whole auth flow).

@mposolda mposolda modified the milestones: Backlog, 22.0.0 Mar 6, 2023
@ghost ghost added the team/other label Mar 6, 2023

mposolda commented Mar 6, 2023

@aletundo Thanks for the confirmation! This might be just a documentation issue (and maybe also a test issue), so I am adding it to 22 for now. We will try to fix it in Keycloak 22, but no promises... It can be postponed.

@mposolda mposolda self-assigned this Mar 24, 2023
mposolda added a commit to mposolda/keycloak that referenced this issue Mar 28, 2023
mposolda added a commit that referenced this issue Mar 29, 2023
Closes #17374


Co-authored-by: andymunro <48995441+andymunro@users.noreply.github.com>
@stianst stianst modified the milestones: 22.0.0, 21.1.0 Apr 14, 2023
arthur25000 pushed a commit to arthur25000/keycloak that referenced this issue May 4, 2023
…loak#19372)

Closes keycloak#17374


Co-authored-by: andymunro <48995441+andymunro@users.noreply.github.com>