Reputation: 467
I'm not an expert on this subject.
On Keycloak, in the same realm, we have defined two client IDs.
My client IDs are configured with OpenID Connect and the authorization code flow.
This way a user can be authenticated with their credentials over these clients.
I have a problem. One of my users shares the same Keycloak session between these two different client IDs. In fact, when the user logs in on client A, he is logged out of client B. And the same when he logs in on client B: he is logged out of client A.
Why is it possible to share the same Keycloak session? And how can I be sure to have two different Keycloak sessions?
UPDATE: I noticed that when the user logs in over client A or client B, he uses the same browser. If he logs in over client A, he doesn't need to enter his login/password over client B. The result is that there is one Keycloak session. (If the user uses a different browser for each client, there is one Keycloak session per client.) Is it possible to force one Keycloak session per client ID?
Upvotes: 1
Views: 5049
Reputation: 506
What you are describing is a basic function in almost all AM software implementing OIDC: there is no such thing as logging in to client A; the users always log in to the IdP, i.e. Keycloak.
Clients don't have sessions by default, Keycloak does, and clients use the Keycloak session in their OIDC flow. For example, if you are already authenticated to Keycloak and you try to do an OIDC flow with client A or client B, you won't be prompted to enter a username/password; Keycloak will use the existing session.
So if you want to have different sessions for the same user, then you have to create your own session. For example, if your clients are using Apache, you can use the Apache OIDC module to create a local session (which will be your client A session). As for the Keycloak session, you can't have two sessions, but you can have one Keycloak session for the two clients and two Apache sessions, one for each client.
Upvotes: 2
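As an added illustration of the layout the answer describes (this is example configuration, not code from the answer's author, from Keycloak or from the mod_auth_openidc project), here are two Apache virtual hosts, one per Keycloak client, each holding its own local mod_auth_openidc session while both rely on the single Keycloak SSO session. The hostnames, realm name, client IDs, secrets and certificate paths are placeholders chosen for the example.

```apache
# Added example, not part of the original answer. Hostnames, realm,
# client IDs, secrets and certificate paths are assumed placeholders.
# Apache does not allow a comment on the same line as a directive,
# so every comment sits on its own line.

# Provider settings shared by both clients: the same Keycloak realm.
OIDCProviderMetadataURL https://keycloak.example.com/realms/myrealm/.well-known/openid-configuration
# Authorization code flow, as in the question.
OIDCResponseType code
OIDCScope "openid"
# Passphrase used to encrypt the local session cookies (placeholder value).
OIDCCryptoPassphrase "replace-with-a-long-random-secret"
# Local sessions live in Apache's cache, not in Keycloak.
OIDCCacheType shm

# Client A: its own Keycloak client ID and its own local session cookie.
<VirtualHost *:443>
    ServerName appa.example.com
    SSLEngine on
    SSLCertificateFile    /etc/ssl/certs/appa.example.com.crt
    SSLCertificateKeyFile /etc/ssl/private/appa.example.com.key

    OIDCClientID     client-a
    OIDCClientSecret "client-a-secret-placeholder"
    OIDCRedirectURI  https://appa.example.com/redirect_uri
    # Distinct cookie name, so A's local session is separate from B's.
    OIDCCookie       mod_auth_openidc_session_a
    # Local session lifetime is decided here, independently of Keycloak.
    OIDCSessionInactivityTimeout 900
    OIDCSessionMaxDuration       3600

    <Location />
        AuthType openid-connect
        Require valid-user
    </Location>
</VirtualHost>

# Client B: a second client ID and a second, independent local session.
<VirtualHost *:443>
    ServerName appb.example.com
    SSLEngine on
    SSLCertificateFile    /etc/ssl/certs/appb.example.com.crt
    SSLCertificateKeyFile /etc/ssl/private/appb.example.com.key

    OIDCClientID     client-b
    OIDCClientSecret "client-b-secret-placeholder"
    OIDCRedirectURI  https://appb.example.com/redirect_uri
    OIDCCookie       mod_auth_openidc_session_b
    OIDCSessionInactivityTimeout 900
    OIDCSessionMaxDuration       3600

    <Location />
        AuthType openid-connect
        Require valid-user
    </Location>
</VirtualHost>
```

With this layout, expiring or clearing the local session of appa.example.com (for example through the module's `?logout=` handler on its redirect URI) does not touch appb.example.com's local session, because the two cookies are separate and scoped to different hosts. What it does not change is the point the answer makes: the user still has exactly one Keycloak SSO session in that browser, so a fresh visit to either host will silently obtain a new local session without a password prompt until that Keycloak session itself ends. Treat the local sessions as an application-layer boundary only; the credential check still happens once, at Keycloak.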