Based on the OIDC 1.0 specification:
The Authorization Server SHOULD prompt the End-User to select a user account. This enables an End-User who has multiple accounts at the Authorization Server to select amongst the multiple accounts that they might have current sessions for. If it cannot obtain an account selection choice made by the End-User, it MUST return an error, typically account_selection_required.
When I try to pass this parameter to the login URL, nothing happens and the browser just gets redirected to the client app with a token of the previously logged-in account.
So I tried prompt=login and entered the credentials of another user, but then I got the following error in the browser:
We are sorry…
You are already authenticated as different user ‘[first user email address]’ in this session. Please log out first.
As far as I can see in the Keycloak source code, the value of select_account is accepted for the prompt parameter, but it’s never used in the code.
So I was wondering whether having multiple accounts and being able to choose between them is supported by Keycloak at all?
Keycloak 11.0.2 and compatible WildFly adapter on the client side.