Remove root auth session on first offline_access to prevent cross-user session contamination #46578
Open
federicobartoli wants to merge 1 commit into keycloak:main from
Conversation
…r session contamination

When a user authenticates with scope=offline_access, the FIRST_OFFLINE_ACCESS path removes the online user session but not the associated root authentication session. This leaves the AUTH_SESSION_ID cookie pointing to a still-valid root auth session. If a second user authenticates from the same browser within the session TTL, Keycloak reuses the stale root auth session and creates a new user session with the same ID, allowing the second user to inherit the first user's session.

Remove the root authentication session together with the online user session in the FIRST_OFFLINE_ACCESS code path, consistent with backchannel logout and the logout endpoint.

Closes keycloak#46239

Signed-off-by: Federico Bartoli <[email protected]>
Summary
When a user authenticates with scope=offline_access, the FIRST_OFFLINE_ACCESS path removes the online user session but not the associated root authentication session. This leaves the AUTH_SESSION_ID cookie pointing to a still-valid root auth session. If a second user authenticates from the same browser within the session TTL, Keycloak reuses the stale root auth session and creates a new user session with the same ID, allowing the second user to inherit the first user's session.

This PR removes the root authentication session together with the online user session in the FIRST_OFFLINE_ACCESS code path, consistent with backchannel logout and the logout endpoint.

Closes #46239
Changes
- OAuth2GrantTypeBase.java: after removing the online user session, also remove the root authentication session to prevent AUTH_SESSION_ID cookie reuse
- OfflineTokenTest.java: regression test that verifies the root auth session is cleaned up and a second user gets an isolated session

Test plan
- OfflineTokenTest#offlineTokenCrossUserSessionIsolation passes with the fix
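The following is an added, deliberately simplified model of the lifecycle the PR describes, written for this review and not taken from Keycloak's code base; it uses no Keycloak API. The store, the `authenticate` function, the `remove_root_on_offline` switch and the session ids are all constructed for the example. Its one modelling assumption comes straight from the PR text: a user session is created with the same id as the root authentication session it was built from, so a surviving root session means a reused user-session id. Running both variants shows the contamination (one id resolving to alice's offline session and bob's online session at once) and the isolation the fix restores.

```python
import itertools
from dataclasses import dataclass

AUTH_SESSION_ID = "AUTH_SESSION_ID"   # cookie name, as named in the PR
OFFLINE_ACCESS = "offline_access"     # scope that triggers the FIRST_OFFLINE_ACCESS path


@dataclass
class RootAuthSession:
    id: str


@dataclass
class UserSession:
    id: str            # model assumption: equals the root auth session id
    user: str
    offline: bool = False


class SessionStore:
    """Constructed in-memory stand-in for the server-side session providers."""

    def __init__(self):
        self._seq = itertools.count(1)
        self.root_auth_sessions: dict[str, RootAuthSession] = {}
        self.user_sessions: dict[str, UserSession] = {}      # online sessions
        self.offline_sessions: dict[str, UserSession] = {}   # persisted offline sessions

    def new_id(self) -> str:
        return f"sess-{next(self._seq)}"

    def get_or_create_root(self, cookies: dict) -> RootAuthSession:
        """Resolve the AUTH_SESSION_ID cookie; a still-valid root session is reused."""
        sid = cookies.get(AUTH_SESSION_ID)
        if sid in self.root_auth_sessions:
            return self.root_auth_sessions[sid]
        root = RootAuthSession(self.new_id())
        self.root_auth_sessions[root.id] = root
        cookies[AUTH_SESSION_ID] = root.id
        return root


def authenticate(store: SessionStore, cookies: dict, user: str,
                 scopes: set, remove_root_on_offline: bool) -> str:
    """Log `user` in from a browser holding `cookies`; returns the user session id."""
    root = store.get_or_create_root(cookies)
    session = UserSession(root.id, user)
    store.user_sessions[session.id] = session
    if OFFLINE_ACCESS in scopes:
        # FIRST_OFFLINE_ACCESS path: keep an offline copy, drop the online session.
        store.offline_sessions[session.id] = UserSession(session.id, user, offline=True)
        del store.user_sessions[session.id]
        if remove_root_on_offline:
            # The PR's fix: the root auth session goes with the online session,
            # so the cookie no longer resolves and the next login starts fresh.
            del store.root_auth_sessions[root.id]
    return session.id


def isolation_violations(store: SessionStore) -> list:
    """Invariant check: no session id may belong to two different users."""
    owners = {}
    for s in list(store.user_sessions.values()) + list(store.offline_sessions.values()):
        owners.setdefault(s.id, set()).add(s.user)
    return sorted(sid for sid, users in owners.items() if len(users) > 1)


def simulate(remove_root_on_offline: bool) -> dict:
    """Two users log in from one browser; alice first with offline_access."""
    store = SessionStore()
    browser = {}   # constructed shared cookie jar
    alice = authenticate(store, browser, "alice", {"openid", OFFLINE_ACCESS}, remove_root_on_offline)
    bob = authenticate(store, browser, "bob", {"openid"}, remove_root_on_offline)
    return {
        "alice": alice,
        "bob": bob,
        "shared_id": alice == bob,
        "violations": isolation_violations(store),
    }


if __name__ == "__main__":
    print("without fix:", simulate(False))
    print("with fix:   ", simulate(True))
```

Without the fix, bob's login finds alice's root auth session through the stale cookie and is issued the same session id, so `isolation_violations` reports it; with the root session removed, the dangling cookie is simply replaced and bob gets a distinct id. A regression test in the real code base would assert the same two properties the model exposes: the root session is gone after the offline login, and the second user's session id differs from the first.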