Getting logged out when using two Keycloak instances in the same browser

I created a thread earlier where I asked how to start two instances of Keycloak using containers and not have them clustered.

I took the advice from dasniko and used “-c standalone.xml”.

However, I’m still having a strange issue when trying to log in to them. My initial thought was that the clustering was causing this but it’s not.

What happens is when I log in to the first (let’s call it A) everything is fine. Working as expected, but when I log in to the second one (let’s call this one B) it fails and asks me to log in again, which then works. But when the first attempt fails I get logged out of the first one (A). This is when using the same browser.
It doesn’t matter if I use Firefox, Edge or Chrome. However, it does work if I use different browsers.
Say Edge on A and Firefox on B.

Any suggestion on what I’m doing wrong? Is this perhaps a bug?

Below is the content of my docker-compose.yml.

---
version: '3'

services:
  external_idp_keycloak:
    image: quay.io/keycloak/keycloak:latest
    environment:
      KEYCLOAK_USER: admin
      KEYCLOAK_PASSWORD: P@ssw0rd
    ports:
      - 8080:8080
    command: ["-c standalone.xml"]
  internal_keycloak:
    image: quay.io/keycloak/keycloak:latest
    environment:
      KEYCLOAK_USER: admin
      KEYCLOAK_PASSWORD: P@ssw0rd
    ports:
      - 8090:8080
    command: ["-c standalone.xml"]

That is a cookie problem when you log in to or log out of Keycloak. Those cookies are bound to the domain and not to the domain:port, so logins/logouts overwrite the latest cookie state in the browser. The browser shares cookies between tabs/windows. Of course, different browsers don’t share their own cookies with other browsers.

Workaround: access those instances via different domains. For example, if they are running on localhost, then the first one’s URL will be http://localhost:8080 and the second one’s http://127.0.0.1:8090, so 2 independent auth cookies will be generated with 2 different domains, localhost and 127.0.0.1.

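The cookie scoping described in the answer above, as an added example that is not part of the original thread: a minimal model of a browser cookie jar keyed on host, path and name (never port), run against both URL layouts. The cookie name `KEYCLOAK_IDENTITY`, the realm path and the token values are assumptions constructed for illustration.

```javascript
// Minimal model of browser cookie storage (RFC 6265): a cookie is identified
// by (host, path, name). The port of the URL that set it is not part of the key.
class CookieJar {
  constructor() {
    this.store = new Map();
  }

  // Record a host-only cookie (no Domain attribute) set by a response from `url`.
  setCookie(url, name, value, path = "/") {
    const { hostname } = new URL(url); // hostname never includes the port
    const key = JSON.stringify([hostname, path, name]);
    this.store.set(key, { hostname, path, name, value });
  }

  // Cookies the browser would attach to a request for `url`.
  // Path matching is simplified to a prefix test (paths here end in "/").
  cookiesFor(url) {
    const { hostname, pathname } = new URL(url);
    const sent = {};
    for (const c of this.store.values()) {
      if (c.hostname === hostname && pathname.startsWith(c.path)) {
        sent[c.name] = c.value;
      }
    }
    return sent;
  }
}

// Constructed scenario: log in to A, open B, log in to B, go back to A.
function simulate(urlA, urlB) {
  const jar = new CookieJar();
  const path = "/auth/realms/master/"; // assumed cookie path
  jar.setCookie(urlA, "KEYCLOAK_IDENTITY", "token-issued-by-A", path);
  // What B receives on the first request, before it has set anything itself.
  const firstSeenByB = jar.cookiesFor(urlB + path).KEYCLOAK_IDENTITY;
  jar.setCookie(urlB, "KEYCLOAK_IDENTITY", "token-issued-by-B", path);
  return {
    firstSeenByB,
    sentToA: jar.cookiesFor(urlA + path).KEYCLOAK_IDENTITY,
    sentToB: jar.cookiesFor(urlB + path).KEYCLOAK_IDENTITY,
  };
}

// Same host, different ports: one shared slot, so B is sent A's cookie and then overwrites it.
console.log(simulate("http://localhost:8080", "http://localhost:8090"));
// Different hosts: two independent slots, so each instance keeps its own cookie.
console.log(simulate("http://localhost:8080", "http://127.0.0.1:8090"));
```

In the shared-host run, instance B is handed a cookie it never issued and A later receives B's; in the split-host run each instance only ever sees its own.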

Thanks for the explanation!

I will work around it then. Just wasn’t sure if this was expected or if I misconfigured something.