Remove "You are already logged-in" during authentication

Description

This is a long-standing request, which can be found on Jira.

Expected behavior

Given a logged-in user
When they get prompted to log in
Or follow a validation link (e.g. email)
Then their authentication flow completes successfully back into the app, with the request login data

Current behavior

Given a logged-in user
When they get prompted to log in
Or follow a validation link (e.g. email)
Then they see an error-like page telling them they are already logged in
And a cancel-like button to get back to the application, if there is a base URL set

Discussion

https://issues.redhat.com/browse/KEYCLOAK-5179?page=com.atlassian.jira.plugin.system.issuetabpanels%3Acomment-tabpanel&showAll=true

Motivation

The current logic gives a poor user experience and doesn’t bring any value as such - since the user is already authenticated anyway, there is no fundamental issue with completing their authentication flow.

Details

It is worth mentioning that this has been a requested feature for almost 5 years. Perhaps it would be nice to provide a temporary workaround (someone in the documentation mentioned they’ve managed to achieve a hack, but sadly haven’t shared much) or provide a vision and design on how to start implementing this solution (there was a suggested approach, but it appears that it wasn’t well received by the community).

Issue Analytics

  • State: open
  • Created a year ago
  • Reactions: 5
  • Comments: 5 (2 by maintainers)

Top GitHub Comments

3 reactions
eldarj commented, Jul 19, 2022

@lexcao thanks, let’s see what the Keycloak team has to say.

Regarding your proposal, here are my two cents - The adjustments proposed above would possibly cause the user to end up in a loop. Imo, the Already logged in page is the expected behavior, as I can’t think of a reason when this would not be appropriate to show.

If the user is logged in but lands on the login page again for whatever reason, the best thing is to show this page. Why this happens needs more troubleshooting, and it depends on the specific use case.

Redirecting back to the redirect_uri and defaulting to base_url would be nice to have as a configurable option. Additionally, when this occurs, it would be nice to have an auto_force_logout as an option as well.

This way we can choose how to handle this: we show the Already logged in page by default, but you can enable one of the above options if it fits your use case.

And yes, obviously improve this page to provide better UX. I suggest providing a more sophisticated UI, with two buttons - one for navigating to the app, and one to navigate to login (log out the user and allow a new login).

Definitely, this needs to be worked on in any case. This is something that was being asked to improve for years now.

1 reaction
eldarj commented, Sep 20, 2022

Five cents, what I did is the following:

Whenever a user ends up on the login page, check for existing cookies and if present remove them.

This can be done within a custom login authenticator SPI, and it solved all the “You are already logged in.” issues for me. This will allow your users to log in, for whatever reason they end up on the login page.
