Account switching in KC

I don’t know if this is possible with KC.
I want to achieve account switching with keycloak (one navigator, many sessions open)

For example:

Flow 1:

  1. Access to webapp (user not logged)

  2. Redirect to KC login page and let the user decide to

    1. Login (if no user was previously logged in with kc)

    OR:

    1. If only a user is logged in return to the webapp (this is the default behavior)

    OR:

    1. Select a logged in user (if there is more than 1 session open with this navigator)
    2. Open another account
  3. Webapp receives callback with the auth-grant for the user selected in KC login page.

Flow 2:

  1. A user is logged in to the webapp, and selects the option: change user
  2. Redirect to KC login page:
    1. select another session previously open with this navigator
    2. open a new session

I’m trying to configure it to work like account switching in Gmail.

1 Like

Hey @indiketa did you ever manage to achieve this flow?

We’re looking to achieve the same and have discovered that Keycloak doesn’t natively support a user changing identity when you have an active session.

1 Like

I would also appreciate any stories about this topic, whether successful or unsuccessful, just to get a better idea of whether this can be done at all or with reasonable effort.

The idea to bear in mind is that when you have an existing cookie in the IdP, the default mechanism is to provide Single Sign-On (SSO), and therefore, there is no user interaction.

If you want to force the login - regardless of whether a valid session exists at the IdP - you can use the OIDC parameter prompt=login [1].
There is also prompt=select_account, which might fit your use case, but I haven’t seen any IdP supporting it (except Google).

[1] Final: OpenID Connect Core 1.0 incorporating errata set 2
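
An added example, not part of the original posts: building the authorization request with `prompt=login` and, because the parameter travels through the browser and can be dropped from the URL, confirming on the callback that `auth_time` in the ID token is not older than the request. The issuer, client id and redirect URI are placeholders, and `buildAuthUrl` / `checkFreshLogin` are hypothetical helper names; ID token signature, `iss`, `aud` and `exp` validation is assumed to be done by your OIDC library first.

```javascript
// Added example. Helper names and all sample values are assumptions for illustration.
const ALLOWED_PROMPTS = new Set(["none", "login", "consent", "select_account"]);

function buildAuthUrl({ issuer, clientId, redirectUri, state, nonce, prompt }) {
  if (prompt !== undefined && !ALLOWED_PROMPTS.has(prompt)) {
    throw new Error(`unsupported prompt value: ${prompt}`);
  }
  // Keycloak's authorization endpoint lives under the realm issuer URL.
  const url = new URL(`${issuer}/protocol/openid-connect/auth`);
  url.search = new URLSearchParams({
    response_type: "code",
    scope: "openid",
    client_id: clientId,
    redirect_uri: redirectUri,
    state,
    nonce,
    ...(prompt ? { prompt } : {}),
  }).toString();
  return url.toString();
}

// claims: payload of an ID token that has already passed signature/iss/aud/exp checks.
// requestedAt: epoch seconds at which this app sent the prompt=login request.
function checkFreshLogin(claims, { nonce, requestedAt, now = Math.floor(Date.now() / 1000), skew = 30 }) {
  if (claims.nonce !== nonce) return { ok: false, reason: "nonce mismatch" };
  if (typeof claims.auth_time !== "number") return { ok: false, reason: "auth_time missing" };
  // An auth_time from before the request means the existing SSO session was reused.
  if (claims.auth_time < requestedAt - skew) return { ok: false, reason: "SSO session reused" };
  if (claims.auth_time > now + skew) return { ok: false, reason: "auth_time in the future" };
  return { ok: true, sub: claims.sub };
}
```

On a "change user" action, the app would clear its own local session, send the user to the URL from `buildAuthUrl` with `prompt: "login"`, and accept the callback only if `checkFreshLogin` returns `ok: true`.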