Stepup issue on "remember_me" authentication : alreadyLoggedIn #17539
Comments
In KC 20, a new fallback has been added, can this be the cause?
In my investigation, I thought of two first proposals:
Thanks for this report. I am also interested in an answer around this issue.
Adding to Keycloak 22 as this looks like a regression and worth investigation.
Before reporting an issue
Area
authentication
Describe the bug
We made a jump in version from KC 17 to KC 20.
Since then we have noticed an increasing number of users complaining about the appearance of the alreadyLoggedIn message.
The bug appears with a "remember me" session, after the user restarts their browser (deleting session cookies such as AUTH_SESSION_ID but keeping the KEYCLOAK_IDENTITY one, since it is a persistent cookie due to "remember me").
If the authentication flow contains an authenticator that triggers a form, then submitting this form results in the display of an "alreadyLoggedIn" message.
This can be shown with the standard step-up flow at the OTP step (https://www.keycloak.org/docs/latest/server_admin/#_step-up-flow)
Version
20.0.3
Expected behavior
On a "remember me" session,
When the browser is closed and reopened (cleaning session cookies but keeping persistent cookies)
And the user triggers an authentication flow needing a user interaction (like in stepup flow)
Then the authentication flow is not blocked by an "alreadyLoggedIn" error message
Actual behavior
On a "remember me" session,
When the browser is closed and reopened (cleaning session cookies but keeping persistent cookies)
And the user triggers an authentication flow needing a user interaction (like in stepup flow)
Then an alreadyLoggedIn error message is displayed
How to Reproduce?
The bug appears when the authentication flow contains an authenticator that needs a user interaction (a form to be submitted)
Prerequisite:
the step-up flow is enabled (see )
1 - the user authenticates with the "remember me" feature
2 - the user closes all instances of their browser
3 - the user opens their browser
4 - the user triggers a step-up auth (via the request parameter acr_values=2 in the OIDC authentication request, for instance)
5 - the OTP is then required
6 - when the user submits the OTP form, the error message is displayed
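To make the cookie precondition of these steps concrete, here is an added illustration (not Keycloak code, and not part of the original report) that models which cookies survive the browser restart in step 2 and what the step-up request in step 4 then carries. The cookie names AUTH_SESSION_ID and KEYCLOAK_IDENTITY come from the report; the cookie values, paths, lifetimes, realm, client and host names are constructed placeholders, and the classification function is a simplified model of the request state, not Keycloak's actual decision logic.

```python
"""Model of the cookie state behind the report: which cookies survive a
browser restart, and what the step-up authorization request then carries.

Added illustration, not Keycloak code. Cookie names follow the report
(AUTH_SESSION_ID, KEYCLOAK_IDENTITY); the cookie values, paths, lifetimes,
realm, client and host names are constructed placeholders."""
from http.cookies import SimpleCookie
from urllib.parse import urlencode

# Constructed Set-Cookie headers as a "remember me" login might return them.
# AUTH_SESSION_ID has neither Max-Age nor Expires, so it is a session cookie;
# KEYCLOAK_IDENTITY carries Max-Age, so the browser persists it.
SET_COOKIE_HEADERS = [
    "AUTH_SESSION_ID=auth-sess-1234.node1; Path=/realms/demo/; HttpOnly; Secure",
    "KEYCLOAK_IDENTITY=identity-token-5678; Path=/realms/demo/; "
    "Max-Age=2592000; HttpOnly; Secure",
]


def parse_cookie_jar(headers):
    """Build {name: {"value": str, "persistent": bool}} from Set-Cookie headers.

    A cookie is persistent when the server set Max-Age or Expires; otherwise
    browsers treat it as a session cookie and drop it when the last window closes.
    """
    jar = {}
    for header in headers:
        cookie = SimpleCookie()
        cookie.load(header)  # one Set-Cookie header per call
        for name, morsel in cookie.items():
            persistent = bool(morsel["max-age"]) or bool(morsel["expires"])
            jar[name] = {"value": morsel.value, "persistent": persistent}
    return jar


def simulate_browser_restart(jar):
    """Step 2 of the reproduction: closing every browser window discards
    session cookies; only persistent cookies are sent on the next visit."""
    return {name: c for name, c in jar.items() if c["persistent"]}


def classify_cookie_state(jar):
    """Simplified model of what the server can infer from the cookies on the
    step-up request (hypothetical; not Keycloak's decision logic)."""
    has_auth_session = "AUTH_SESSION_ID" in jar
    has_identity = "KEYCLOAK_IDENTITY" in jar
    if has_auth_session and has_identity:
        return "session-and-identity"
    if has_identity:
        # The state the report describes: a remembered identity but no
        # authentication session to attach the OTP form submission to.
        return "identity-only"
    if has_auth_session:
        return "session-only"
    return "anonymous"


def build_stepup_request(base_url, realm, client_id, redirect_uri, acr="2"):
    """Step 4: an OIDC authorization request asking for ACR level 2 via
    acr_values, which makes the step-up flow require the OTP step."""
    params = {
        "client_id": client_id,
        "response_type": "code",
        "scope": "openid",
        "redirect_uri": redirect_uri,
        "acr_values": acr,
    }
    return f"{base_url}/realms/{realm}/protocol/openid-connect/auth?{urlencode(params)}"


def cookie_header(jar):
    """Render the Cookie request header the browser would attach."""
    return "; ".join(f"{name}={c['value']}" for name, c in jar.items())


if __name__ == "__main__":
    jar = parse_cookie_jar(SET_COOKIE_HEADERS)
    print("after login:    ", classify_cookie_state(jar))
    restarted = simulate_browser_restart(jar)
    print("after restart:  ", classify_cookie_state(restarted))
    print("Cookie header:  ", cookie_header(restarted))
    print("step-up request:", build_stepup_request(
        "https://sso.example.test", "demo", "demo-client",
        "https://app.example.test/callback"))
```

Running the script shows the transition from "session-and-identity" right after login to "identity-only" after the restart: the step-up request reaches the server with KEYCLOAK_IDENTITY but no AUTH_SESSION_ID, which is the combination the report associates with the alreadyLoggedIn message once the OTP form is submitted. When triaging, capturing the actual Cookie header of the failing request and comparing it against this model is a quick way to confirm that a reproduction really is in the remember-me-after-restart state.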
Anything else?
No response