I’m encountering a problem with Keycloak where a user who has been authenticated correctly is sometimes logged in as a different user within the same realm. This issue is extremely rare and has been observed in both OIDC and SAML, using the built-in browser flow. However, due to security concerns, I cannot provide any more specific details about the context or circumstances of this issue.
I’m wondering if anyone else has experienced a similar problem or has any suggestions about what might be causing this behavior. I’m looking for any insights or experiences that could help me troubleshoot and resolve this issue.
I understand that this issue is extremely rare and seemingly impossible to reproduce, but any help or guidance would be greatly appreciated.
I think you allowed non-unique emails and login via email. When the login method selects the user by “email”, it will fetch the first user with that email.
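One way to check this hypothesis offline, against a realm export rather than the live server. This is an added example, not code from the thread or from Keycloak; it assumes the realm export JSON carries the `duplicateEmailsAllowed` and `loginWithEmailAllowed` realm settings and a `users` array (the shape the admin console and `kc.sh export` produce), and the sample export embedded in the block is constructed for the example.

```python
"""Audit a Keycloak realm export for the conditions under which
login-by-email can resolve to the wrong account: duplicate emails
permitted, email login enabled, and more than one user sharing an
address. Added example; reads only a JSON export, no network calls."""
import json
from collections import defaultdict

# Constructed sample export (not a real realm): two users share an
# address that differs only in letter case, one user has no email.
SAMPLE_EXPORT = json.dumps({
    "realm": "example",
    "loginWithEmailAllowed": True,
    "duplicateEmailsAllowed": True,
    "users": [
        {"username": "alice", "email": "Alice@Example.org", "enabled": True},
        {"username": "bob", "email": "bob@example.org", "enabled": True},
        {"username": "a.smith", "email": "alice@example.org", "enabled": True},
        {"username": "svc-batch", "enabled": True},
    ],
})

# Same realm with duplicates disallowed and unique addresses.
CLEAN_EXPORT = json.dumps({
    "realm": "example",
    "loginWithEmailAllowed": True,
    "duplicateEmailsAllowed": False,
    "users": [
        {"username": "alice", "email": "alice@example.org", "enabled": True},
        {"username": "bob", "email": "bob@example.org", "enabled": True},
    ],
})


def normalize_email(email):
    """Keycloak stores emails lowercased; compare the same way so that
    case-only variants count as the same address."""
    if not email:
        return None
    return email.strip().lower() or None


def find_duplicate_emails(export):
    """Map each shared (normalized) email to the usernames that hold it."""
    by_email = defaultdict(list)
    for user in export.get("users", []):
        norm = normalize_email(user.get("email"))
        if norm:
            by_email[norm].append(user["username"])
    return {e: sorted(u) for e, u in by_email.items() if len(u) > 1}


def audit_realm(export_json):
    """Return duplicate-email groups plus human-readable findings."""
    export = json.loads(export_json)
    dupes = find_duplicate_emails(export)
    findings = []
    if export.get("duplicateEmailsAllowed"):
        findings.append("duplicateEmailsAllowed is true")
    if export.get("loginWithEmailAllowed") and dupes:
        findings.append("loginWithEmailAllowed is true and duplicate emails "
                        "exist: login by email is ambiguous")
    for email, users in sorted(dupes.items()):
        findings.append(f"{email} is shared by {', '.join(users)}")
    return {"duplicates": dupes, "findings": findings}


if __name__ == "__main__":
    for line in audit_realm(SAMPLE_EXPORT)["findings"]:
        print(line)
```

Run it against a real export (`python audit.py < realm-export.json` after swapping the constant for `sys.stdin.read()`) and an empty findings list means the email-login explanation does not apply to that realm.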
Are these cases observed for completely random/unrelated users? It’s certainly possible that someone has an active login to your application and then potentially triggers a single sign-on from some external IDP, but on redirect they are simply already logged in, so it looks like the wrong user was authenticated.
It’s maybe a bit obvious, but it caused some momentary alarm a while back for someone who had multiple accounts with different email addresses.
Thank you for all your ideas. I’ve reconsidered and rechecked the configuration, but the “Duplicate emails” option is disabled in the realm, and there are no duplicate emails in the user database. Additionally, the two users experiencing the issue have no correlation between their usernames and emails, so I doubt the email login feature is the problem.
@somethingeng That was my initial guess when the issue first appeared, but it has since occurred in two separate, uncorrelated system environments. I’m starting to suspect the issue might be related to the client app implementation, though it was observed in two different clients — one using OIDC and the other SAML — which raises some doubts.
I appreciate any further feedback and will provide more details if anything else comes up. Thanks!