February 22, 2025

Keycloak SSO Google Login Triggering Multiple Events for Different Clients

Introduction

In a production environment, a peculiar issue was observed where a user logging into one client application via Google SSO in Keycloak also triggered a login event for another client. This behavior was unexpected and could not be reproduced in a local development environment. This blog post explores possible causes, how to reproduce the scenario, root cause analysis, potential solutions, and additional resources for further reading.

Understanding the Issue

Observed Behavior

  • A user attempts to log in to Client A via Google SSO.
  • The login event is recorded for Client A as expected.
  • However, another login event is also recorded for Client B, even though the user did not explicitly attempt to log into it.
  • This issue does not occur consistently and is difficult to reproduce locally.

Possible Causes

  1. SSO Session Sharing Across Clients

    • If both clients (A and B) are configured within the same realm in Keycloak and have SSO enabled, logging into one client might automatically establish a session for the other.
  2. Misconfigured Authentication Flow

    • Certain configurations in Keycloak (e.g., implicit flow, forced re-authentication) could lead to multiple login events.
    • Further reading: Keycloak Authentication Flows
  3. Redirect URIs and Post-Login Flow Issues

    • If Client B has an overlapping redirect URI or shares authentication flow parameters with Client A, it may also receive an authentication response.
    • Further reading: OAuth Redirect URI Best Practices
  4. Cached or Persistent Sessions in the Browser

  5. Automatic Session Propagation

    • If session propagation is not explicitly disabled, Keycloak may attempt to log the user into multiple clients within the same realm automatically.
    • Further reading: Disable Automatic Session Propagation
  6. Custom Login Implementation Issues

Steps to Reproduce

Prerequisites

  • Keycloak set up with two clients (Client A and Client B) within the same realm.
  • Google SSO configured as an Identity Provider.
  • Custom REST API for login via SSO.

Reproduction Steps

Step 1: Set Up Two Clients in Keycloak

  • Configure Client A and Client B to use Keycloak for authentication.
  • Ensure both clients are in the same realm.
  • Enable Standard Flow and Direct Access Grants in the client settings.

Step 2: Enable SSO for Both Clients

  • In Keycloak, navigate to Realm Settings → Login and enable SSO session sharing.
  • Set SSO Session Max Age to a high value to allow multiple logins within the same session.

Step 3: Implement Custom Login via REST API

  • Create a custom API that calls Keycloak’s token endpoint using the authorization code from Google SSO.
  • Ensure that both Client A and Client B share the same authentication flow.
  • Execute the API call for Client A.

Step 4: Simulate Concurrent Login Requests

  • Use a script or Postman to send multiple login requests to the custom API for different clients.
  • Ensure that the user session is already established for Client A.

Step 5: Check Keycloak Events

  • In Keycloak Admin Console, go to Events → Login Events.
  • Verify if an additional login event appears for Client B.
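The five reproduction steps end with reading the login events by hand in the Admin Console. Below is an added example (not code from the original post) that does the same check programmatically: it pulls LOGIN events from the Keycloak Admin REST API, or works on a constructed sample in the same shape, groups them by SSO session and flags any client other than the one you logged into that received a LOGIN event for the same session within a short window. The realm, base URL, admin token and the sample events are assumptions for illustration.

```python
import json
import urllib.parse
import urllib.request
from collections import defaultdict

# Constructed sample in the shape returned by the Keycloak Admin REST API
# (GET /admin/realms/{realm}/events?type=LOGIN). "time" is epoch milliseconds.
# Session "sess-1" shows the symptom from the post: Client B gets a LOGIN event
# 850 ms after Client A, for the same user and the same SSO session.
SAMPLE_EVENTS = [
    {"time": 1740182400000, "type": "LOGIN", "clientId": "client-a", "userId": "u-1",
     "sessionId": "sess-1", "ipAddress": "203.0.113.10",
     "details": {"identity_provider": "google", "username": "alice@example.com"}},
    {"time": 1740182400850, "type": "LOGIN", "clientId": "client-b", "userId": "u-1",
     "sessionId": "sess-1", "ipAddress": "203.0.113.10",
     "details": {"username": "alice@example.com"}},
    {"time": 1740186000000, "type": "LOGIN", "clientId": "client-a", "userId": "u-2",
     "sessionId": "sess-2", "ipAddress": "203.0.113.11",
     "details": {"identity_provider": "google", "username": "bob@example.com"}},
]


def fetch_login_events(base_url, realm, admin_token, user_id=None, max_events=500):
    """Pull LOGIN events from the admin API (needs network; not used in the demo)."""
    params = {"type": "LOGIN", "max": max_events}
    if user_id:
        params["user"] = user_id
    url = f"{base_url}/admin/realms/{realm}/events?" + urllib.parse.urlencode(params)
    req = urllib.request.Request(url, headers={"Authorization": f"Bearer {admin_token}"})
    with urllib.request.urlopen(req, timeout=10) as resp:
        return json.load(resp)


def logins_per_client_per_session(events):
    """Map sessionId -> {clientId: number of LOGIN events} for a quick overview."""
    table = defaultdict(lambda: defaultdict(int))
    for ev in events:
        if ev.get("type") == "LOGIN":
            table[ev.get("sessionId")][ev.get("clientId")] += 1
    return {session: dict(counts) for session, counts in table.items()}


def unexpected_client_logins(events, expected_client, window_ms=5000):
    """Flag LOGIN events for other clients that share an SSO session with a login
    to expected_client and fall within window_ms of it.
    Returns a sorted list of (sessionId, userId, otherClientId, delta_ms)."""
    findings = []
    by_session = defaultdict(list)
    for ev in events:
        if ev.get("type") == "LOGIN":
            by_session[ev.get("sessionId")].append(ev)
    for session_id, evs in by_session.items():
        anchors = [e for e in evs if e.get("clientId") == expected_client]
        if not anchors:
            continue  # this session never logged into the client under test
        for ev in evs:
            if ev.get("clientId") == expected_client:
                continue
            delta = min(abs(ev["time"] - a["time"]) for a in anchors)
            if delta <= window_ms:
                findings.append((session_id, ev.get("userId"), ev["clientId"], delta))
    return sorted(findings)


if __name__ == "__main__":
    for session, counts in logins_per_client_per_session(SAMPLE_EVENTS).items():
        print(session, counts)
    for finding in unexpected_client_logins(SAMPLE_EVENTS, "client-a"):
        print("unexpected login:", finding)
```

A shared sessionId across the two LOGIN events is the signature of the first hypothesis above (one realm-wide SSO session serving both clients); if the second event carries a different sessionId, look instead at the custom API or redirect configuration.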

Root Cause Analysis (RCA)

  1. SSO Session Reuse Across Clients

    • Keycloak maintains a centralized session for a user across all clients in the same realm.
    • If a user logs into one client, Keycloak may automatically propagate the session to another client.
    • Further reading: Keycloak Session Management
  2. Misconfigured Redirect URIs and Authentication Flows

  3. Custom REST API Handling Issues

Possible Solutions

1. Disable Automatic Session Propagation

  • Navigate to Realm Settings → SSO Session Max Age.
  • Adjust session parameters to restrict automatic logins.
  • Disable Full Scope Allowed for each client in Client Settings → Scope.
  • Set SameSite=None; Secure for authentication cookies to prevent unintended cross-client logins.
  • Further reading: More on Keycloak Session Management

2. Validate Redirect URIs

  • Ensure each client has unique and correctly configured redirect URIs to prevent unintended authentication responses.
  • Navigate to Client Settings → Valid Redirect URIs.
  • Further reading: Best Practices for Redirect URIs
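Solutions 1 and 2 both amount to auditing client settings: Full Scope Allowed should be off, and no two clients should have redirect URI patterns that can match the same callback. Here is an added audit script (not part of the original post) that runs over client representations as returned by the Admin REST API, or over a constructed sample of the same shape, and reports overlapping redirect URI patterns (Keycloak's `*` wildcard included) and clients that still have fullScopeAllowed set. The base URL, realm, admin token and sample clients are assumptions.

```python
import json
import re
import urllib.request
from itertools import combinations

# Constructed sample in the shape of GET /admin/realms/{realm}/clients.
# client-a's wildcard pattern also matches client-b's callback, which is the
# kind of overlap the post's Solution 2 tells you to remove.
SAMPLE_CLIENTS = [
    {"clientId": "client-a", "redirectUris": ["https://app.example.com/*"],
     "fullScopeAllowed": True, "standardFlowEnabled": True},
    {"clientId": "client-b", "redirectUris": ["https://app.example.com/b/callback"],
     "fullScopeAllowed": False, "standardFlowEnabled": True},
    {"clientId": "client-c", "redirectUris": ["https://other.example.com/cb"],
     "fullScopeAllowed": True, "standardFlowEnabled": True},
]


def fetch_clients(base_url, realm, admin_token):
    """Download all client representations (needs network; not used in the demo)."""
    req = urllib.request.Request(f"{base_url}/admin/realms/{realm}/clients",
                                 headers={"Authorization": f"Bearer {admin_token}"})
    with urllib.request.urlopen(req, timeout=10) as resp:
        return json.load(resp)


def _pattern_to_regex(pattern):
    """Turn a Keycloak redirect URI pattern into an anchored regex; '*' matches anything."""
    return re.compile("^" + re.escape(pattern).replace(r"\*", ".*") + "$")


def redirect_uris_overlap(p, q):
    """True when one pattern can match a URI the other one describes."""
    return bool(_pattern_to_regex(p).match(q) or _pattern_to_regex(q).match(p))


def find_redirect_overlaps(clients):
    """Return (clientA, patternA, clientB, patternB) for every overlapping pair."""
    findings = []
    for a, b in combinations(clients, 2):
        for p in a.get("redirectUris", []):
            for q in b.get("redirectUris", []):
                if redirect_uris_overlap(p, q):
                    findings.append((a["clientId"], p, b["clientId"], q))
    return findings


def clients_with_full_scope(clients):
    """Clients that still have Full Scope Allowed enabled (Solution 1 says to disable it)."""
    return sorted(c["clientId"] for c in clients if c.get("fullScopeAllowed"))


if __name__ == "__main__":
    for finding in find_redirect_overlaps(SAMPLE_CLIENTS):
        print("overlapping redirect URIs:", finding)
    print("full scope still allowed:", clients_with_full_scope(SAMPLE_CLIENTS))
```

Run it after every change to Valid Redirect URIs; an empty overlap list is the condition Solution 2 is asking for.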

3. Use Client-Specific Authentication Flows

4. Check Google SSO Provider Configuration

  • Ensure that Google SSO is not configured to redirect users to multiple clients inadvertently.
  • Validate that the post-login redirect URL in Google’s OAuth settings is pointing to the intended client only.
  • Further reading: Configuring Google OAuth

5. Modify Custom REST API Login Implementation

  • Ensure that each login request is specific to a single client by validating client_id.
  • Modify session handling to prevent unintended reuse across clients.
  • Implement token validation before issuing new access tokens.
  • Further reading: Keycloak REST API Guide
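Solution 5 asks the custom login API to bind each request to one client and to validate the token it gets back. The following is an added example of what that looks like (it is not the post's own API): the handler only accepts a client_id that is in its registry, sends exactly that client's credentials and registered redirect_uri to Keycloak's token endpoint, and then checks the returned access token's `iss` and `azp` (authorized party) claims against the client it was exchanging for before handing anything back. The issuer URL, client registry and secrets are placeholders; `encode_unsigned_jwt` exists only to build a sample token for the offline demo.

```python
import base64
import json
import time
import urllib.parse
import urllib.request

# Placeholder realm issuer and per-client registry; real secrets belong in a vault.
ISSUER = "https://keycloak.example.com/realms/demo"
CLIENT_REGISTRY = {
    "client-a": {"secret": "<client-a-secret>", "redirect_uri": "https://app.example.com/a/callback"},
    "client-b": {"secret": "<client-b-secret>", "redirect_uri": "https://app.example.com/b/callback"},
}


class LoginRejected(Exception):
    """Raised when a login request is not bound to exactly one known client."""


def build_token_request(client_id, code, redirect_uri):
    """Form body for the token endpoint, bound to one registered client."""
    entry = CLIENT_REGISTRY.get(client_id)
    if entry is None:
        raise LoginRejected(f"unknown client_id {client_id!r}")
    if redirect_uri != entry["redirect_uri"]:
        raise LoginRejected("redirect_uri is not the one registered for this client")
    return {
        "grant_type": "authorization_code",
        "client_id": client_id,
        "client_secret": entry["secret"],
        "code": code,
        "redirect_uri": redirect_uri,
    }


def check_token_claims(claims, client_id, now=None):
    """Accept a token only if it was issued by our realm for this client and is unexpired."""
    now = time.time() if now is None else now
    if claims.get("iss") != ISSUER:
        raise LoginRejected("token issuer mismatch")
    if claims.get("azp") != client_id:
        raise LoginRejected(f"token authorized party {claims.get('azp')!r} != {client_id!r}")
    if claims.get("exp", 0) <= now:
        raise LoginRejected("token expired")
    return True


def unverified_claims(jwt):
    """Decode the payload segment only. Safe here because the token arrives straight
    from the realm's token endpoint over TLS (OIDC Core 3.1.3.7); a token from any
    other source must have its signature verified against the realm JWKS first."""
    payload = jwt.split(".")[1]
    payload += "=" * (-len(payload) % 4)
    return json.loads(base64.urlsafe_b64decode(payload))


def exchange_code(client_id, code, redirect_uri):
    """Exchange an authorization code for tokens; network call, not run offline."""
    body = urllib.parse.urlencode(build_token_request(client_id, code, redirect_uri)).encode()
    req = urllib.request.Request(f"{ISSUER}/protocol/openid-connect/token", data=body,
                                 headers={"Content-Type": "application/x-www-form-urlencoded"})
    with urllib.request.urlopen(req, timeout=10) as resp:
        tokens = json.load(resp)
    check_token_claims(unverified_claims(tokens["access_token"]), client_id)
    return tokens


def encode_unsigned_jwt(claims):
    """Demo-only helper: builds an alg=none token so the parser can be exercised offline."""
    def seg(obj):
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return seg({"alg": "none", "typ": "JWT"}) + "." + seg(claims) + "."


if __name__ == "__main__":
    sample = encode_unsigned_jwt({"iss": ISSUER, "azp": "client-a", "exp": 2000000000})
    print(build_token_request("client-a", "code123", "https://app.example.com/a/callback"))
    print(check_token_claims(unverified_claims(sample), "client-a", now=1000))
```

The azp check is what prevents the API from ever returning a token minted for Client A to a caller that asked on behalf of Client B, and rejecting a mismatched redirect_uri up front keeps one client's callback from being used in another client's exchange.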

Conclusion

This issue likely arises due to session sharing, misconfigured authentication flows, or incorrect redirect URIs. By isolating login sessions per client and fine-tuning Keycloak settings, unintended login events can be prevented. If you’re facing this in production, analyze login events in Keycloak to trace the issue further and apply the solutions outlined above.


Let me know if you've encountered similar issues or found alternative solutions!