
Stepup issue on "remember_me" authentication : alreadyLoggedIn #17539

Closed
etchepar opened this issue Mar 9, 2023 · 4 comments · Fixed by #19459
Labels: area/authentication (Indicates an issue on Authentication area), kind/bug (Categorizes a PR related to a bug)
etchepar (Contributor) commented Mar 9, 2023

Before reporting an issue

  • I have searched existing issues
  • I have reproduced the issue with the latest release

Area

authentication

Describe the bug

We made a jump in version from KC 17 to KC 20.
Since then we have noticed an increasing number of users complaining about the appearance of the alreadyLoggedIn message.

The bug appears with a "remember me" session, after the user restarts their browser (deleting session cookies such as AUTH_SESSION_ID but keeping KEYCLOAK_IDENTITY, since it is a persistent cookie due to "remember_me").
If the authentication flow contains an authenticator that triggers a form, then submitting this form results in the display of an "alreadyLoggedIn" message.

This can be shown with the standard step-up flow at the OTP step (https://www.keycloak.org/docs/latest/server_admin/#_step-up-flow)

Version

20.0.3

Expected behavior

On a "remember me" session,
When the browser is closed and reopened (cleaning session cookies but keeping persistent cookies)
And the user triggers an authentication flow needing a user interaction (like in stepup flow)

Then the authentication flows is not blocked by an "alreadyLoggedIn" error message

Actual behavior

On a "remember me" session,
When the browser is closed and reopened (cleaning session cookies but keeping persistent cookies)
And the user triggers an authentication flow needing a user interaction (like in stepup flow)

Then an alreadyLoggedIn error message is displayed

How to Reproduce?

The bug appears when the authentication flow contains an authenticator that needs a user interaction (a form to be submitted).

Prerequisite:
the STEPUP flow is enabled (see )

1 - the user authenticates with the "remember me" feature
2 - the user closes all instances of their browser
3 - the user opens their browser again
4 - the user triggers a step-up auth (via the request parameter acr_values=2 in the OIDC authentication request, for instance)
5 - the OTP is then required
6 - when the user submits the OTP form, the error message is displayed

Anything else?

No response
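The reproduction steps above hinge on one cookie state: after a browser restart the session cookie AUTH_SESSION_ID is gone while the persistent KEYCLOAK_IDENTITY cookie (persistent because of "remember me") survives, and the next request is an OIDC authorization request carrying acr_values=2. The following is an added example, not code from Keycloak or from the issue author: it parses Set-Cookie headers, applies browser-restart semantics (drop cookies with no Max-Age/Expires, keep the rest), reports whether the reported precondition holds, and builds the step-up authorization URL. The Set-Cookie lines are constructed, not captured from a server; the `/realms/{realm}/protocol/openid-connect/auth` path, the realm and client names, and the cookie attributes are assumptions for illustration.

```python
"""Cookie-state model for the "remember me" + step-up report (added example).

Not Keycloak code. Cookie names and their persistence split come from the
issue text; everything else (attributes, realm, client, endpoint path) is an
assumption made for this example.
"""
from http.cookies import SimpleCookie
from urllib.parse import urlencode

# Constructed Set-Cookie headers approximating a remember-me login response.
# AUTH_SESSION_ID has no Max-Age/Expires (a session cookie); KEYCLOAK_IDENTITY
# carries a Max-Age because "remember me" was ticked. Values are placeholders.
REMEMBER_ME_LOGIN_RESPONSE = [
    "AUTH_SESSION_ID=3f1c9a2e.node1; Path=/realms/demo/; Secure; HttpOnly; SameSite=None",
    "KEYCLOAK_IDENTITY=eyJhbGciOi.placeholder.sig; Max-Age=2592000; "
    "Path=/realms/demo/; Secure; HttpOnly; SameSite=None",
]


def parse_set_cookies(headers):
    """Return {name: (value, persistent)} for a list of Set-Cookie header values.

    A cookie is persistent when the server set Max-Age or Expires; otherwise it
    is a session cookie that a browser discards when it is fully closed.
    """
    jar = {}
    for header in headers:
        cookie = SimpleCookie()
        cookie.load(header)
        for name, morsel in cookie.items():
            persistent = bool(morsel["max-age"] or morsel["expires"])
            jar[name] = (morsel.value, persistent)
    return jar


def restart_browser(jar):
    """Apply browser-restart semantics: keep only persistent cookies."""
    return {name: entry for name, entry in jar.items() if entry[1]}


def cookie_header(jar):
    """Render the jar as the Cookie request header the browser would send."""
    return "; ".join(f"{name}={value}" for name, (value, _) in jar.items())


def matches_reported_precondition(jar):
    """True when KEYCLOAK_IDENTITY is present but AUTH_SESSION_ID is gone,
    the state in which the issue reports the alreadyLoggedIn error."""
    return "KEYCLOAK_IDENTITY" in jar and "AUTH_SESSION_ID" not in jar


def build_stepup_auth_request(base_url, realm, client_id, redirect_uri,
                              acr_values="2", state="demo-state"):
    """Build the OIDC authorization request that triggers step-up.

    acr_values=2 is the parameter named in the issue; the endpoint path is the
    assumed Keycloak layout for this example. `state` is a constructed value.
    """
    params = {
        "client_id": client_id,
        "response_type": "code",
        "scope": "openid",
        "redirect_uri": redirect_uri,
        "acr_values": acr_values,
        "state": state,
    }
    return f"{base_url}/realms/{realm}/protocol/openid-connect/auth?{urlencode(params)}"


if __name__ == "__main__":
    jar = parse_set_cookies(REMEMBER_ME_LOGIN_RESPONSE)
    print("after login:   ", cookie_header(jar))
    after = restart_browser(jar)
    print("after restart: ", cookie_header(after))
    print("reported precondition met:", matches_reported_precondition(after))
    print(build_stepup_auth_request("https://sso.example.test", "demo",
                                    "app", "https://app.example.test/cb"))
```

To script the real reproduction against a test server, send the login with a cookie-aware HTTP client, drop the non-persistent cookies as `restart_browser` does, then request the URL from `build_stepup_auth_request` with the remaining cookies and submit the OTP form it returns; the issue reports that the last step is where the alreadyLoggedIn page appears.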

@etchepar added the kind/bug and status/triage labels Mar 9, 2023
@ghost added the area/authentication and team/core labels Mar 9, 2023
etchepar (Contributor, Author) commented Mar 14, 2023

In my investigation, I thought of two first proposals:
1 - recreate the missing auth session id cookie (not only when an old cookie needs to be re-encoded, see PR #17662)
2 - change the behaviour of the initialVerifyAuthSession method of the SessionCodeChecks class

@remigauthierdocaposte commented

Thanks for this report. I am also interested in an answer around this issue.

@mposolda mposolda added this to the 22.0.0 milestone Mar 24, 2023
mposolda (Contributor) commented

Adding to Keycloak 22 as this looks like a regression and worth investigation.
