Simultaneous connexions to different identity providers


I have many IDPs on my keycloak.
Some clients asks for login with a specific idp using kc_idp_hint and other clients asks for another one. If the session is still valid, Keycloak responds with the current identity from the latest IDP, not the required IDP.

For example:
User opens app A, using kc_idp_hint=idp_A. After a few minutes, the same user closes app A and opens app B.

App B uses kc_idp_hint=idp_B but as the user has a fresh session from the previous connexion, s.he gets redirected with the identity of IDP A, not IDP B.

Is there a way to force a full login flow when the asked IDP is different? Similar to the flow when the browser session has expired.


maybe different sub-domains for each app/client?

like same keycloak server with the following domain names

So I think it should treat different domain as seperate session

It is not ideal.
The iss is not the same, so APIs will reject the token as it’s not issued by the expected issuer.
Third-party apps may reject it too or ask a token from the wrong one.

I investigated a bit more.

If I force the Frontend URL, the iss is forced to the right value.
It works well for client_credentials flow, but the authentication code flow (that I use) is broken. The first half of the login process is done with, the second half with the standard Keycloak URL, cookies are lost between the two and the connexion fails.

I’m using this board as open and shared research. If it’s too spammy, let me know!

Following, I can enable the dual login, but as I don’t want to merge users, I get

We are sorry…
You are already authenticated as different user ‘my_user’ in this session. Please log out first.

I’m not able to automatically log out from Keycloak. If I can, it could solve my problem.

Somebody else has the same problem: oauth 2.0 - Skipping keycloak's session cookie - Stack Overflow but there is no answer yet.

Another possibility could be to differentiate Tokens TTL and browser sessions TTL (SSO Session Idle param).
I didn’t find any options to do that. Is it possible?

Another possibility could be to add the IdP name in a claim and check it on my critical apps (the ones forcing the kc_idp_hint). If the IdP is the JWT is not the good one, I trigger a logout process before a new login process, using the right IdP this time.

It’s still not a very good option. If a third party IdP has a logout form (eg: “Do you want to log out?”), it breaks the UX.