Does keycloak destroy the user session if the browser closes but the user does not log out? - keycloak

I am new to keycloak. When I log in to my application and close the browser, I can still see that my user session is active, although I did not enable 'remember me'. Is this expected? From my understanding, keycloak should remove the session when the user closes the browser unless remember me is checked. Any idea is appreciated!

Keycloak gives you fine-grained control of session, cookie, and token timeouts; you can find more details in the documentation:
https://www.keycloak.org/docs/latest/server_admin/index.html#_timeouts

Related

Handling cookie not found error with oidc and keycloak

We have a Keycloak 18.0.2 with realms integrated to external IdPs (Okta / Ping / Azure). In one realm we started seeing lots of IDENTITY_PROVIDER_LOGIN_ERROR / cookie_not_found in login events, and had users reporting that they were only able to log in if they cleared their browser's cache and cookies.
We found some ways to reproduce this behaviour in dev environment:
Multiple browser tabs:
At the browser, tab 1, user opens application menu-navigator and is redirected to the External SSO login page (after Keycloak auth flow redirection). We see this login page being initialized with cookie KC_RESTART (auth endpoint).
At the same browser, tab 2, user opens application dashboard-frontend and follows a similar flow as previous app.
Both websites are written in Vue.JS and are using the oidc-client-ts library. When initialized, the OIDC lib loads the realm metadata, creates a user storage, and executes the signin flow. After the user is authenticated and has an active session, the KC_RESTART cookie is expired.
As a result, when the user goes back to tab 1, which was opened at step, and tries to log in, the user encounters an error: the system cannot find the authentication session and then tries to use the KC_RESTART cookie to reset the authentication session, but the cookie is not even there since it expired at step c.
Then user is redirected to Keycloak and sees the Cookie not found message.
Stale sessions:
User opens the application (menu-nav or dashboard), signs in, does some operations, and closes the tab.
User opens the application again at a moment between the Session Idle and Session Max timeouts.
User is redirected to Keycloak and sees the Cookie not found message.
We've seen the message in other situations, but we couldn't consistently reproduce it.
While we were debugging this problem, we saw a Keycloak redirection to the application's callback endpoint with error=login_required. So, we decided to handle this and other possible errors by trying to make the client app do a silent signin, or do a signin redirect if the silent signin fails.
This seems to be effective for that error, and now we see some IDENTITY_PROVIDER_LOGIN_ERROR / expired_code, which we believe is OK and associated with the session max timeout, and makes the user go to the SSO login screen.
Any thoughts about this?
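A sketch of the silent-then-redirect fallback described in the post, as an added example that is not part of the original thread or of the oidc-client-ts library. It assumes a UserManager-like object exposing signinSilent() and signinRedirect() (the oidc-client-ts method names), keeps the decision logic in a pure function so it can be tested without a browser, and adds a per-tab redirect cap so a misconfigured IdP cannot bounce the user in a loop.

```javascript
// Added example, not code from the thread or from the oidc-client-ts library.
// The recovery policy is a pure function (easy to test) and the async driver
// calls a UserManager-like object that is assumed to expose signinSilent() and
// signinRedirect() as oidc-client-ts does. Error codes are OIDC authentication
// error responses; "login_required" is the one the post observed.

const MAX_REDIRECTS = 2; // cap full redirects per tab so a broken IdP cannot loop the user forever

// Errors a fresh authorization request may clear without user input when the
// SSO cookie is still present, so a silent (prompt=none) retry is worth trying.
const SILENT_FIRST = new Set(['login_required', 'interaction_required']);

// Decide the next step. phase: 'callback' (error came back on the redirect) or
// 'silent' (the silent retry failed). err: object with an OIDC `error` field,
// or null when a user was obtained. redirects: full redirects already done.
function nextSigninStep(phase, err, redirects) {
  if (!err) return { action: 'done' };
  const code = err.error || 'unknown_error';
  if (phase === 'callback') {
    return SILENT_FIRST.has(code)
      ? { action: 'signinSilent' }
      : { action: 'giveUp', reason: code }; // e.g. access_denied: show an error, do not retry
  }
  // The silent attempt failed: the SSO cookie is gone, so only an interactive login helps.
  if (redirects >= MAX_REDIRECTS) return { action: 'giveUp', reason: 'redirect_loop' };
  return { action: 'signinRedirect' };
}

// Minimal sessionStorage-compatible store so the driver runs outside a browser;
// in the real app, pass window.sessionStorage instead.
function memoryStore() {
  const m = new Map();
  return {
    getItem: (k) => (m.has(k) ? m.get(k) : null),
    setItem: (k, v) => m.set(k, String(v)),
    removeItem: (k) => m.delete(k),
  };
}

// Async driver: runs the policy against the real (or fake) UserManager.
async function recoverSignin(userManager, callbackError, store) {
  const redirects = Number(store.getItem('signinRedirects') || 0);
  let step = nextSigninStep('callback', callbackError, redirects);
  if (step.action === 'signinSilent') {
    try {
      const user = await userManager.signinSilent();
      if (user) {
        store.removeItem('signinRedirects'); // recovered without a redirect: reset the counter
        return { action: 'silent', user };
      }
      step = nextSigninStep('silent', { error: 'login_required' }, redirects);
    } catch (silentErr) {
      step = nextSigninStep('silent', silentErr, redirects);
    }
  }
  if (step.action === 'signinRedirect') {
    store.setItem('signinRedirects', redirects + 1);
    await userManager.signinRedirect();
    return { action: 'redirect', attempt: redirects + 1 };
  }
  return { action: step.action, reason: step.reason };
}

// Stand-alone demo with a fake UserManager whose SSO cookie is gone: the silent
// retry fails with login_required and the driver falls back to one redirect.
const fakeUserManager = {
  signinSilent: async () => { throw { error: 'login_required' }; },
  signinRedirect: async () => {},
};
recoverSignin(fakeUserManager, { error: 'login_required' }, memoryStore())
  .then((result) => console.log(result));
```

The counter lives in sessionStorage (per tab) rather than localStorage on purpose: the multi-tab scenario above is exactly the case where one tab's state should not suppress another tab's recovery.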

Keycloak SSO Session Max = 0?

Is it possible to invalidate the Keycloak SSO session when a user closes their browser/tab?
According to the docs I should be able to do this by setting the SSO Session Idle and the SSO Session Max to 0.
When setting it to 0 though, I cannot save the settings. What am I misunderstanding here? And is it achievable to log the user out when she closes her browser/tab?
Keycloak cannot terminate the server-side session on browser close, since it does not know that the browser has closed. But since your SSO cookie is a session cookie, your browser will remove the cookie on browser close. Without that cookie you will have to log in again when you open your browser again.
Just make sure you did not enable the "Remember Me" feature at Realm settings -> Login.
However, there is no support for this when closing a tab, as far as I know.
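The answer's reasoning depends on whether the SSO cookie carries an expiry. The following added example (not code from the thread or from Keycloak) parses Set-Cookie headers and reports which cookies a browser keeps after it closes, which is the check to run when "Remember Me" behaviour is in doubt. The header values are constructed, and KEYCLOAK_IDENTITY is assumed as the name of the SSO cookie.

```javascript
// Added example (not from the thread or from Keycloak): classify Set-Cookie
// headers as browser-session or persistent cookies. A cookie with neither
// Max-Age nor Expires is dropped when the browser closes, which is what makes
// the SSO cookie disappear on browser close when "Remember Me" is off.

// Constructed sample headers. KEYCLOAK_IDENTITY is assumed as the SSO cookie
// name; the values are placeholders, not captured tokens.
const SAMPLE_COOKIES = [
  'KEYCLOAK_IDENTITY=placeholder.identity.token; Path=/realms/demo/; Secure; HttpOnly; SameSite=None',
  'KEYCLOAK_IDENTITY=placeholder.identity.token; Max-Age=2592000; Path=/realms/demo/; Secure; HttpOnly',
  'AUTH_SESSION_ID=placeholder-session-id; Path=/realms/demo/; Secure; HttpOnly',
  'legacy=1; Expires=Wed, 09 Jun 2021 10:18:14 GMT; Path=/',
];

// Split one Set-Cookie header into name, value and a lower-cased attribute map.
function parseSetCookie(header) {
  const parts = header.split(';').map((p) => p.trim());
  const eq = parts[0].indexOf('=');
  const cookie = {
    name: eq === -1 ? parts[0] : parts[0].slice(0, eq),
    value: eq === -1 ? '' : parts[0].slice(eq + 1),
    attrs: {},
  };
  for (const attr of parts.slice(1)) {
    if (!attr) continue;
    const i = attr.indexOf('=');
    const key = (i === -1 ? attr : attr.slice(0, i)).toLowerCase();
    cookie.attrs[key] = i === -1 ? true : attr.slice(i + 1);
  }
  return cookie;
}

// "session": discarded on browser close; "persistent": survives; "expired":
// deleted immediately. Max-Age wins over Expires (RFC 6265 section 5.3); a
// malformed Max-Age or Expires is ignored, which leaves a session cookie.
function cookieLifetime(header, now = new Date()) {
  const c = parseSetCookie(header);
  const maxAge = c.attrs['max-age'];
  if (typeof maxAge === 'string' && /^-?\d+$/.test(maxAge)) {
    return Number.parseInt(maxAge, 10) > 0 ? 'persistent' : 'expired';
  }
  const expires = c.attrs['expires'];
  if (typeof expires === 'string') {
    const when = new Date(expires);
    if (!Number.isNaN(when.getTime())) return when > now ? 'persistent' : 'expired';
  }
  return 'session';
}

// Summarise a response's Set-Cookie headers: which cookies outlive the browser
// and whether each one has the transport protections expected of an SSO cookie.
function auditCookies(headers, now = new Date()) {
  return headers.map((h) => {
    const c = parseSetCookie(h);
    return {
      name: c.name,
      lifetime: cookieLifetime(h, now),
      secure: c.attrs.secure === true,
      httpOnly: c.attrs.httponly === true,
    };
  });
}

// Names of cookies that would still be sent after the user closes and reopens the browser.
function survivesBrowserClose(headers, now = new Date()) {
  return auditCookies(headers, now)
    .filter((c) => c.lifetime === 'persistent')
    .map((c) => c.name);
}

for (const row of auditCookies(SAMPLE_COOKIES)) console.log(row);
```

Against the constructed sample, only the second KEYCLOAK_IDENTITY header (the one with Max-Age) survives a browser close; the first one, with no expiry attributes, is the shape the answer above describes.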

MongoDB Realm: React Native does not persist login / sessions after app restart

I am following the Task Tracker tutorial and I am not able to persist the login session. I am able to register and log in; however, every time I close the app and open it again, it redirects me to the login screen.
https://docs.mongodb.com/realm/tutorial/react-native/
In addition, I use AuthProvider to read user, I get “null”.
Anyone have any ideas? Do I have to write custom logic to persist login information / session tokens?
Thanks

How to persist GWT application login on each new tab that is opened on the same browser?

I have this GWT application which login/logout to a server.
The server side is ok as it can login/logout a connection.
However, I need that when the application logs in with a browser, the application stays logged in for each new instance of the application.
Use cookies on the browser to store login details. When a new tab is opened, and requests the page from the server, the cookies will be passed along automatically and you can log the user in from there.
Make sure you understand the security implications of storing login details in cookies before deploying this strategy!
You could store the information if a user has been successfully authenticated in the http session on the server side and provide a service like
public boolean isAuthenticated();
which checks that property.
Before showing any sensitive information in the client, call that service to make sure the current user is authenticated. I would recommend not storing login credentials in a cookie.

Facebook logs me out after authentication via oauth on external site

just to recap the process:
I call https://graph.facebook.com/oauth/authorize?client_id=.. to get a code.
This redirects the user to the facebook login page. They log in. A FB session is created in their browser.
The browser redirects to http://www.mysite.com/connect/callback?code=..
I take that code and exchange it for a token: https://graph.facebook.com/oauth/access … ent_id=...
I use that token to call the Graph and REST APIs, doing stuff on the user's behalf like querying on me.
To clarify, I know the token works as I can request information on /me.
My problem is that when I access facebook.com in another tab, I get told that I need to log in and it kicks me out.
I've added in functionality to curl to save cookies and I get:
# Netscape HTTP Cookie File
# http://curl.haxx.se/rfc/cookie_spec.html
# This file was generated by libcurl! Edit at your own risk.
.facebook.com TRUE / FALSE 1134567810 datr 1121456789-111cabef6e8b649338941b9ab289739a38803ec932211a0bec3ee8
Is this correct? Is there anything more that should be there?
Should I be able to authenticate to FB with my external site and then access FB without getting kicked out?
Thanks for any help, I will appreciate it.
Ignore this, as I was always using 1 tab for the facebook page and refreshing it. Apparently there's something in the links of facebook that carries session data. Once I started closing the link when I logged out of facebook and then opening either a new window or tab and then logging into facebook, it's fine.