Keycloak :: Your login attempt timed out. Login will start from the beginning - keycloak

When the GUI is left idle for long, the page automatically redirects to the Login screen. Entering the credentials in this Login page throws the error "Your login attempt timed out. Login will start from the beginning."
The user has to reload the page and then enter the credentials to log in to the GUI successfully.
Could you please suggest which Keycloak configuration I need in order to allow the user to log in again?

To avoid this, one can change "Realm Settings → Tokens → Login timeout" to e.g. 10000 days which is 27 years, which should ensure this never happens in reality.
I've asked a new question about what the purpose of this login is, but the above is how to disable it.

Related

Handling cookie not found error with oidc and keycloak

We have a Keycloak 18.0.2 with realms integrated to external IdP (Okta / Ping / Azure). In one realm we started seeing lots of IDENTITY_PROVIDER_LOGIN_ERROR / cookie_not_found in login events, and had users reporting that they were only able to log in if they cleared their browser’s cache and cookies.
We found some ways to reproduce this behaviour in dev environment:
Multiple browser tabs:
a. In the browser, tab 1, the user opens application menu-navigator and is redirected to the External SSO login page (after Keycloak auth flow redirection). We see this login page being initialized with cookie KC_RESTART (auth endpoint).
b. In the same browser, tab 2, the user opens application dashboard-frontend and follows a similar flow as the previous app.
c. Both websites are written in Vue.JS and are using the oidc-client-ts library. When initialized, the OIDC lib loads the realm metadata, creates a user storage, and executes the signin flow. After the user is authenticated and has an active session, the KC_RESTART cookie is expired.
d. As a result, when the user goes back to tab 1, which is opened at step, and tries to log in, the user encounters an error since the system cannot find the authentication session and then tries to use the KC_RESTART cookie to reset the authentication session; however, the cookie is not even there since it is expired at step c.
e. Then the user is redirected to Keycloak and sees the Cookie not found message.
Stale sessions:
a. User opens the application (menu-nav or dashboard), signs in, does some operations, and closes the tab.
b. User opens the application again in a moment between Session Idle and Session Max timeouts.
c. User is redirected to Keycloak and sees the Cookie not found message.
We’ve seen the message in other situations, but we couldn’t consistently reproduce.
While we were debugging this problem, we saw a Keycloak redirection to the application's callback endpoint with error=login_required. So, we decided to handle this and other possible errors by trying to make the client app do a silent signin, or do a signin redirect if signin silent fails.
This seems to be effective for that error, and now we see some IDENTITY_PROVIDER_LOGIN_ERROR / expired_code, which we believe is OK and associated with the session max timeout, and which makes the user go to the SSO login screen.
Any thoughts about this?
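
The recovery the post describes (silent sign-in first, sign-in redirect if that fails), as an added example that is not part of the original post or of oidc-client-ts. It assumes the callback URL carries the `error` parameter, limits recovery to the re-authentication error codes, and adds a hypothetical attempt counter (`store`, `MAX_ATTEMPTS`) so a session that can never be re-established does not loop between the app and Keycloak.

```javascript
// Added example, not code from the original post.
// OIDC error codes meaning "the user must authenticate again".
const REAUTH_ERRORS = new Set(["login_required", "interaction_required"]);
const MAX_ATTEMPTS = 2; // assumed loop guard; the post does not give one

// The error can arrive in the query string or in the fragment.
function callbackError(callbackUrl) {
  const url = new URL(callbackUrl);
  const fragment = new URLSearchParams(url.hash.replace(/^#/, ""));
  return url.searchParams.get("error") || fragment.get("error");
}

// Pure decision step, kept separate so the policy can be tested offline.
function planRecovery(callbackUrl, attempts) {
  const error = callbackError(callbackUrl);
  if (!error) return "none";
  if (!REAUTH_ERRORS.has(error)) return "show-error"; // e.g. access_denied
  if (attempts >= MAX_ATTEMPTS) return "show-error";  // stop redirect loops
  return "silent-then-redirect";
}

// userManager: any object with signinSilent() and signinRedirect(), the
// method names of oidc-client-ts's UserManager.
// store: hypothetical Map-like attempt counter (sessionStorage-backed in a browser).
async function recover(callbackUrl, userManager, store) {
  const attempts = store.get("reauth_attempts") || 0;
  const plan = planRecovery(callbackUrl, attempts);
  if (plan !== "silent-then-redirect") return plan;
  store.set("reauth_attempts", attempts + 1);
  try {
    await userManager.signinSilent(); // no UI; fails if the SSO session is gone
    store.set("reauth_attempts", 0);
    return "silent-ok";
  } catch (err) {
    await userManager.signinRedirect(); // full-page login at Keycloak / the IdP
    return "redirected";
  }
}
```

Errors outside the re-authentication set are surfaced to the user instead of retried, since another sign-in attempt will not change their outcome.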

Redirection not happening after logout to the specified website in Azure AD using SimpleSAMLphp when multiple accounts present to be logged out

I have developed a SAML application which only uses Microsoft as IDP for successful login and logout of specific users. So after logout, I want Microsoft to redirect me to the website I have configured in the Logout URL of MyApplication in Azure Active Directory. The log-in functionality works every time, but when I log out in the presence of only one Microsoft signed-in account, it logs out perfectly and redirects me to the website I specified. I am facing the issue when I am asked to choose an account to log out from a set of accounts (refer Image): when I select the configured account, it logs me out perfectly but is unable to redirect me to my specified page. The page gets stuck on "You signed out of your account It's a good idea to close all browser windows." (refer Image). Thus I want to be redirected to the specified page when I am asked to select an account while logging out.
Logout Issue Redirect Image reference
This is a known bug in this library.
Here are some alternatives.
You can use silent logout.
The post logout redirect isn't expected after calling logout. This could be a timing issue.
You can achieve a 'clean' logout by opening a new window and calling logout from there. Then a user is left with an extra open window; but at least they've retained a view of the app and it hasn't lost state.

Keycloak Page has expired in Forget Password

I am getting the "Page has expired" page when clicking Forgot Password multiple times after adding the username.
The flow is as follows:
- Click "Forgot Password?" on the Login screen.
- It redirects to the "Forgot Your Password?" screen, where it accepts the username and allows us to submit the form.
- It shows the "Page has expired" screen with two options:
  - To restart the login process Click here.
  - To continue the login process Click here.
There are 2 issues:
1. Not sure why it's taking the user to the "Page has expired" page.
2. The redirected page has CSS issues. Refer to the attached screenshot.
Is there anything wrong with my Keycloak configuration? I am using version 6.0.1 of Keycloak.
Advice: Always use a new version of Keycloak (currently 10.x).
I guess it is related to the token nature (expired). As I see it, your reset-password template is broken. There are some crucial variables and conditions in this template.

Does Keycloak destroy the user session if the browser closes without logging out?

I am new to Keycloak. When I log in to my application and close the browser, I can still see my user session is active even though I did not enable 'remember me'. Is this expected? From my understanding, Keycloak should remove the session when the user closes the browser unless 'remember me' is checked. Any idea is appreciated!
Keycloak gives you fine-grained control of session, cookie, and token timeouts; you can find more details in the documentation:
https://www.keycloak.org/docs/latest/server_admin/index.html#_timeouts

Unable to bookmark wso2 login url

- User opens the Service Provider URL and the WSO2 login screen is presented for entering credentials.
- User adds a browser bookmark from the current page to be able to access it in the future.
- The bookmark works fine for a period of time, then it stops working properly; the following error is displayed after entering the credentials.
The reason for the error is that the WSO2 login page has some parameters in the URL that expire after a period of time, specifically sessionDataKey which is identifier for particular Service Provider.
Can someone help resolve this issue?
This was a known issue and seems to be fixed in the next release.
https://wso2.org/jira/browse/IDENTITY-5199
As a workaround, users can bookmark the landing page after the login. Then, if there is no valid session, they will be redirected to the login page.