Open leastprivilege opened 3 years ago
We created an application that supports multiple identities. This seems to work pretty well. A user signs in as Foo at our single instance of identity server and then can access our backend APIs. Then, the user also signs in as Bar to access our APIs under this identity. Our client apps (mobile, web, web extension) allow the user to switch between identity Foo and Bar. The apps maintain the access token for each identity such that the right access token is used when accessing the backend APIs. Also, refresh tokens work fine.
As far as we can see, the only thing that is not working is signout. This is because for signout the session cookie is used to identify the user. However, this cookie always contains the information of the last session (the session of Bar in my example). So, when signing out Foo, actually Bar is signed out. I think this is a known issue because simultaneous sessions are not supported (yet).
My question is twofold:
Thanks for your help.
Some research notes. This all looks mostly doable today with all our extensibility points, but intimate knowledge and understanding of how things work is necessary. The things that need to be done are:
So technically all possible today with enough effort. It'd be nice as a first class feature. I don't think we have time for 6.0, but possibly for v6.x (don't know if breaking changes would be required, which would push it to v7).
Hi, are there any updates regarding this feature?
Given that it seems possible today with existing extensibility points, we've not been focused on this feature.
Hi, I am trying to get this to work on IS 6.x. Is there an example on how to realize this feature?
Sorry, we don't have an official sample of this feature.
Any progress on this one or at least did someone (maybe you @thomas-bingel) manage to implement it using current extensibility points?
Nothing new to report. After each release we review all issues in the future milestone, so watch this for any changes.
It is looking like our org and numerous products will need this functionality as well. I'll probably be diving into it soon and exploring how we might be able to achieve this with current Duende extensibility points. Our goal is very similar to how Google provides multiple active sessions and allows you to switch between applications within each user session context.
Will try to remember to report back here any findings that might be useful to others.
See also https://github.com/DuendeSoftware/Support/issues/593: On top of the Microsoft cookie authentication handler extension points I've created my own session cookie that holds a collection of authentication tickets, one for each session. This collection of sessions gets updated by sign-in/sign-out events triggered by the cookie authentication handler. It seems fairly easy to use this to keep track of sessions. Not sure about all the use cases you mention (I'm really no expert on OIDC etc.), but it seems to me that as long as there is a sub/sid available, it must be possible to update the authentication tickets in this cookie for different sign-out/sign-in scenarios.
If I can contribute, just let me know. I can for instance share the code for the session cookie with a collection of authentication tickets.
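The following is an added illustration of the approach described in the comment above: a single data-protected cookie holding one serialized authentication ticket per session, keyed by sub/sid, maintained from the ASP.NET Core cookie handler's sign-in and sign-out events. It is example code written for this thread, not the commenter's code and not part of Duende IdentityServer. The cookie name `multi.sessions`, the `MultiSessionCookie`/`MultiSessionCookieEvents` class names, and the convention of passing `sub`/`sid` through `AuthenticationProperties.Items` on sign-out are assumptions; the `sub` and `sid` claim names and the sign-in/sign-out events are the standard ones.

```csharp
// Added example for this thread (not the commenter's code, not part of Duende IdentityServer).
// Assumes ASP.NET Core cookie authentication and a principal carrying "sub" and "sid" claims.
// Cookie name and the "sub"/"sid" Items convention below are hypothetical.
using System;
using System.Collections.Generic;
using System.Security.Claims;
using System.Text.Json;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Authentication;
using Microsoft.AspNetCore.Authentication.Cookies;
using Microsoft.AspNetCore.DataProtection;
using Microsoft.AspNetCore.Http;

// One cookie holding a protected map of "sub|sid" -> serialized AuthenticationTicket.
public sealed class MultiSessionCookie
{
    public const string CookieName = "multi.sessions"; // hypothetical name
    private readonly IDataProtector _protector;
    private readonly TicketSerializer _serializer = TicketSerializer.Default;

    public MultiSessionCookie(IDataProtectionProvider provider)
    {
        // Distinct purpose string: payloads must not be interchangeable with the
        // handler's own authentication cookie.
        _protector = provider.CreateProtector("MultiSessionCookie.v1");
    }

    public static string KeyFor(string? sub, string? sid) => $"{sub}|{sid}";

    public static string KeyFor(ClaimsPrincipal p) =>
        KeyFor(p.FindFirst("sub")?.Value, p.FindFirst("sid")?.Value);

    public Dictionary<string, AuthenticationTicket> Read(HttpContext ctx)
    {
        var sessions = new Dictionary<string, AuthenticationTicket>();
        if (!ctx.Request.Cookies.TryGetValue(CookieName, out var raw) || string.IsNullOrEmpty(raw))
            return sessions;
        try
        {
            var json = _protector.Unprotect(Convert.FromBase64String(raw));
            var map = JsonSerializer.Deserialize<Dictionary<string, byte[]>>(json) ?? new();
            foreach (var (key, bytes) in map)
            {
                var ticket = _serializer.Deserialize(bytes);
                if (ticket is null) continue;
                // Expired tickets are dropped on read so stale sessions do not linger.
                if (ticket.Properties.ExpiresUtc is { } exp && exp < DateTimeOffset.UtcNow) continue;
                sessions[key] = ticket;
            }
        }
        catch (Exception)
        {
            // Tampered payload or rotated protection key: treat as "no sessions", never throw.
        }
        return sessions;
    }

    public void Write(HttpContext ctx, Dictionary<string, AuthenticationTicket> sessions)
    {
        if (sessions.Count == 0) { ctx.Response.Cookies.Delete(CookieName); return; }
        var map = new Dictionary<string, byte[]>();
        foreach (var (key, ticket) in sessions) map[key] = _serializer.Serialize(ticket);
        var payload = _protector.Protect(JsonSerializer.SerializeToUtf8Bytes(map));
        ctx.Response.Cookies.Append(CookieName, Convert.ToBase64String(payload), new CookieOptions
        {
            HttpOnly = true, Secure = true, SameSite = SameSiteMode.Lax, IsEssential = true
        });
    }
}

// Cookie handler events that maintain the collection. Register with
// services.AddScoped<MultiSessionCookieEvents>() and set options.EventsType on the cookie scheme.
public sealed class MultiSessionCookieEvents : CookieAuthenticationEvents
{
    private readonly MultiSessionCookie _cookie;
    public MultiSessionCookieEvents(IDataProtectionProvider dp) => _cookie = new MultiSessionCookie(dp);

    public override Task SigningIn(CookieSigningInContext context)
    {
        if (context.Principal is null) return Task.CompletedTask;
        var sessions = _cookie.Read(context.HttpContext);
        sessions[MultiSessionCookie.KeyFor(context.Principal)] =
            new AuthenticationTicket(context.Principal, context.Properties, context.Scheme.Name);
        _cookie.Write(context.HttpContext, sessions);
        return Task.CompletedTask;
    }

    public override Task SigningOut(CookieSigningOutContext context)
    {
        // The handler's own cookie only knows the last session. Take the session to end from
        // Properties.Items ("sub"/"sid", hypothetically supplied by the caller, e.g. resolved
        // from the logout request) and fall back to the current principal only if absent.
        var items = context.Properties.Items;
        items.TryGetValue("sub", out var sub);
        items.TryGetValue("sid", out var sid);
        var key = sub is null || sid is null
            ? MultiSessionCookie.KeyFor(context.HttpContext.User)
            : MultiSessionCookie.KeyFor(sub, sid);
        var sessions = _cookie.Read(context.HttpContext);
        sessions.Remove(key);
        _cookie.Write(context.HttpContext, sessions);
        return Task.CompletedTask;
    }
}
```

The design point is that sign-out removes exactly one `sub|sid` entry while the others stay intact, which is the behaviour missing from the default single-ticket cookie described at the top of the thread. Whoever triggers sign-out has to pass the sub/sid of the session being ended (in this example via `AuthenticationProperties.Items`) rather than relying on the handler's current principal, and the separate data-protection purpose string keeps these payloads from being replayed as an ordinary authentication cookie.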
Our application needs this functionality as well. I am just wondering whether expressing interest from the community here will influence the priority in the backlog. :)
We'd be up for this feature also!
Hi, we are also facing the same issue with sessions: we store them server-side and if the same user is authenticated in two different browsers, even with different client_id, the check session trigger of the first browser signs out the logged user :\
It would be useful to allow multiple sessions for the same user... maybe just for different clients. Thanks!
@merijndejonge we are looking into something similar. Would any of your code/some examples of it happen to be available somewhere online?
We would also be interested in this feature!
migrated from IdentityServer4
https://github.com/IdentityServer/IdentityServer4/issues/1721