DuendeSoftware / IdentityServer

The most flexible and standards-compliant OpenID Connect and OAuth 2.x framework for ASP.NET Core
https://duendesoftware.com/products/identityserver

Implement multiple concurrent sessions #34

Open leastprivilege opened 3 years ago

leastprivilege commented 3 years ago

migrated from IdentityServer4

https://github.com/IdentityServer/IdentityServer4/issues/1721

merijndejonge commented 3 years ago

We created an application that supports multiple identities. This seems to work pretty well. A user signs in as Foo at our single instance of identity server and then can access our backend APIs. Then, the user also signs in as Bar to access our APIs under this identity. Our client apps (mobile, web, web extension) allow the user to switch between identity Foo and Bar. The apps maintain the access token for each identity such that the right access token is used when accessing the backend APIs. Also, refresh tokens work fine.

As far as we can see, the only thing that is not working is signout. This is because for signout the session cookie is used to identify the user. However, this cookie always contains the information of the last session (the session of Bar in my example). So, when signing out Foo, actually Bar is signed out. I think this is a known issue because simultaneous sessions are not supported (yet).

My question is twofold:

  1. If token refresh works perfectly fine with multiple sessions, what is the problem with also supporting sign out for multiple sessions?
  2. As far as we can see and check, the way we deal with multiple sessions just works (apart from the aforementioned sign out), but since multi-session is still not supported by identity server, are we missing something?

Thanks for your help.

brockallen commented 3 years ago

Some research notes. This all looks mostly doable today with all our extensibility points, but intimate knowledge and understanding of how things work is necessary. The things that need to be done are:

So technically all possible today with enough effort. It'd be nice as a first class feature. I don't think we have time for 6.0, but possibly for v6.x (don't know if breaking changes would be required, which would push it to v7).

pampua84 commented 2 years ago

Hi, are there any updates regarding this feature?

brockallen commented 2 years ago

Given that it seems possible today with existing extensibility points, we've not been focused on this feature.

thomas-bingel commented 1 year ago

Hi, I am trying to get this to work on IS 6.x. Is there an example on how to realize this feature?

josephdecock commented 1 year ago

Sorry, we don't have an official sample of this feature.

mtpilarek commented 1 year ago

Any progress on this one or at least did someone (maybe you @thomas-bingel) manage to implement it using current extensibility points?

brockallen commented 1 year ago

Nothing new to report. After each release we review all issues in the future milestone, so watch this for any changes.

dgioulakis commented 1 year ago

It is looking like our org and numerous products will need this functionality as well. I'll probably be diving into it soon and exploring how we might be able to achieve this with current Duende extensibility points. Our goal is very similar to how Google provides multiple active sessions and allows you to switch between applications within each user session context.

Will try to remember to report back here any findings that might be useful to others.

merijndejonge commented 1 year ago

See also https://github.com/DuendeSoftware/Support/issues/593: On top of the Microsoft cookie authentication handler extension points I've created my own session cookie that holds a collection of authentication tickets, one for each session. This collection of sessions gets updated by sign-in/sign-out events triggered by the cookie authentication handler. It seems fairly easy to use this to keep track of sessions. Not sure about all the use cases you mention (I'm really no expert on OIDC etc.), but it seems to me that as long as there is a sub/sid available, it must be possible to update the authentication tickets in this cookie for different sign-out/sign-in scenarios.

If I can contribute, just let me know. I can for instance share the code for the session cookie with a collection of authentication tickets.
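An added sketch of the cookie layout described in the comment above (my own example, not merijndejonge's code and not part of IdentityServer): one protected authentication ticket per session inside a single cookie, keyed by sub/sid and maintained from the cookie handler's sign-in/sign-out events. It assumes the signed-in principal carries `sub` and `sid` claims; the cookie name, protector purpose and `~` separator are arbitrary choices.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;
using System.Security.Claims;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Authentication;
using Microsoft.AspNetCore.Authentication.Cookies;
using Microsoft.AspNetCore.DataProtection;
using Microsoft.AspNetCore.Http;
// Hypothetical helper (not IdentityServer code): one protected AuthenticationTicket per
// session in a single cookie, keyed "sub|sid", so signing out one identity keeps the rest.
public sealed class MultiSessionCookie
{
    public const string CookieName = "ms.sessions"; // assumed cookie name
    private readonly TicketDataFormat _format;
    public MultiSessionCookie(IDataProtectionProvider provider) =>
        _format = new TicketDataFormat(provider.CreateProtector("MultiSessionCookie"));
    private static string Key(ClaimsPrincipal p) =>
        $"{p.FindFirstValue("sub")}|{p.FindFirstValue("sid")}";
    // Cookie -> key/ticket map; chunks that fail to unprotect (tampered or rotated key) are dropped.
    public Dictionary<string, AuthenticationTicket> Read(HttpContext ctx)
    {
        var sessions = new Dictionary<string, AuthenticationTicket>();
        if (!ctx.Request.Cookies.TryGetValue(CookieName, out var raw) || string.IsNullOrEmpty(raw))
            return sessions;
        foreach (var chunk in raw.Split('~', StringSplitOptions.RemoveEmptyEntries))
        {
            var ticket = _format.Unprotect(chunk);
            if (ticket?.Principal != null) sessions[Key(ticket.Principal)] = ticket;
        }
        return sessions;
    }
    // Apply a change to the session set, re-protect every ticket and write the cookie back.
    private Task Apply(HttpContext ctx, Action<Dictionary<string, AuthenticationTicket>> mutate)
    {
        var sessions = Read(ctx);
        mutate(sessions);
        ctx.Response.Cookies.Append(CookieName,
            string.Join('~', sessions.Values.Select(t => _format.Protect(t))),
            new CookieOptions { HttpOnly = true, Secure = true, SameSite = SameSiteMode.Lax });
        return Task.CompletedTask;
    }
    // Wire to CookieAuthenticationEvents.OnSigningIn: add this session, keep the existing ones.
    public Task OnSigningIn(CookieSigningInContext c) => Apply(c.HttpContext, s =>
        s[Key(c.Principal!)] = new AuthenticationTicket(c.Principal!, c.Properties, c.Scheme.Name));
    // Wire to OnSigningOut: remove only the session of the principal currently being signed out.
    public Task OnSigningOut(CookieSigningOutContext c) => Apply(c.HttpContext, s =>
        { if (c.HttpContext.User.Identity?.IsAuthenticated == true) s.Remove(Key(c.HttpContext.User)); });
}
```

Several tickets in one cookie can exceed browser cookie size limits, so a server-side `ITicketStore` keyed the same way is the usual alternative. Teaching IdentityServer's own sign-out and check-session endpoints to pick the right ticket from this set is the part this issue is about and is not covered by the sketch.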

starlord2048 commented 1 year ago

Our application needs this functionality as well. I am just wondering whether expressing interest from the community here will influence the priority in the backlog. :)

dobestar commented 7 months ago

We'd be up for this feature also!

valse commented 3 months ago

Hi, we are also facing the same issue with sessions: we store them server-side, and if the same user is authenticated in two different browsers, even with different client_id, the check session trigger of the first browser signs out the logged-in user :\ It would be useful to allow multiple sessions for the same user... maybe just for different clients. Thanks!

walliski commented 2 months ago

If I can contribute, just let me know. I can for instance share the code for the session cookie with a collection of authentication tickets.

@merijndejonge we are looking into something similar. Would any of your code/some examples of it happen to be available somewhere online?

1saeedsalehi commented 1 month ago

We would also be interested in this feature!