ory / kratos

The most scalable and customizable identity server on the market. Replace your Homegrown, Auth0, Okta, Firebase with better UX and DX. Has all the tablestakes: Passkeys, Social Sign In, Multi-Factor Auth, SMS, SAML, TOTP, and more. Written in Go, cloud native, headless, API-first. Available as a service on Ory Network and for self-hosters.
https://www.ory.sh/?utm_source=github&utm_medium=banner&utm_campaign=kratos
Apache License 2.0

Multiple sessions per client #3227

Open AUSBird opened 1 year ago

AUSBird commented 1 year ago

Describe your problem

There are common use cases for a platform or authentication system to allow a user to authenticate to multiple accounts and have multiple sessions active on the same client. For example, Discord's account switcher, Google's account selector and Twitter.

Describe your ideal solution

Kratos seems to issue a cookie after authenticating before redirecting.

One option is that Kratos could store a cookie for a client token, with a session token linked to that client token. The Who Am I endpoint would return the existing Who Am I data based on the active session for that client, and there would also be endpoints to list the available sessions and swap which session the client is using.

I am sure there is a better alternative to my suggestion but that's the best I have at the moment.

Workarounds or alternatives

Platforms that use Kratos could have their own API that swaps cookies on the client to effectively do account switching, however that could pose security issues I'm not aware of.

Another alternative is supporting multiple profiles per account and the platform has different profiles and some way to set what profile is active. This has issues where an account takeover would result in all profiles being stolen.

Version

v0.11.1

Additional Context

No response
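
As an added illustration of the client-token design sketched above and of the cookie-swapping workaround (example code written for this page, not code from this issue or from Kratos): an in-memory Go model in which one client token fronts several sessions, a whoami call answers for the active one, and switching is only possible among sessions that were authenticated on that same client. The Identity and Session types, the token format, the function names and the policy that switching is by identity ID rather than by session token are all assumptions of this example.

```go
package main

import (
	"crypto/rand"
	"encoding/hex"
	"errors"
	"fmt"
	"sync"
	"time"
)

// Identity and Session are simplified stand-ins for an identity server's
// records (an assumption of this example, not Kratos' own types).
type Identity struct {
	ID    string
	Email string
}

type Session struct {
	Token     string // opaque session token; kept server-side, never listed to the client
	Identity  Identity
	ExpiresAt time.Time
}

// clientRecord is everything bound to one client-token cookie: the sessions
// authenticated on this client, keyed by identity ID, and which one is active.
type clientRecord struct {
	sessions map[string]*Session
	active   string // identity ID of the active session, "" if none
}

// SessionSwitcher models the proposal: one client token per browser, many
// sessions behind it, switching restricted to sessions already bound to it.
type SessionSwitcher struct {
	mu      sync.Mutex
	clients map[string]*clientRecord
	now     func() time.Time // injectable clock so expiry can be tested
}

var (
	ErrUnknownClient = errors.New("unknown client token")
	ErrNoSession     = errors.New("no active session for this client")
	ErrNotBound      = errors.New("identity has no session bound to this client")
)

func NewSessionSwitcher() *SessionSwitcher {
	return &SessionSwitcher{clients: map[string]*clientRecord{}, now: time.Now}
}

// newToken returns 256 bits from the CSPRNG as hex (assumed token format).
func newToken() string {
	b := make([]byte, 32)
	if _, err := rand.Read(b); err != nil {
		panic(err) // a CSPRNG failure must not be papered over
	}
	return hex.EncodeToString(b)
}

// Login records a fresh session for id under clientToken and makes it active.
// An empty or unknown clientToken is replaced by a newly minted one, which the
// caller would set as the client cookie. Returns the (possibly new) client token.
func (s *SessionSwitcher) Login(clientToken string, id Identity, ttl time.Duration) (string, *Session) {
	s.mu.Lock()
	defer s.mu.Unlock()
	rec, ok := s.clients[clientToken]
	if !ok {
		clientToken = newToken()
		rec = &clientRecord{sessions: map[string]*Session{}}
		s.clients[clientToken] = rec
	}
	sess := &Session{Token: newToken(), Identity: id, ExpiresAt: s.now().Add(ttl)}
	rec.sessions[id.ID] = sess // re-login for the same identity replaces its session
	rec.active = id.ID
	return clientToken, sess
}

// purge drops expired sessions and clears "active" if it expired; caller holds s.mu.
func (s *SessionSwitcher) purge(rec *clientRecord) {
	for idID, sess := range rec.sessions {
		if !s.now().Before(sess.ExpiresAt) {
			delete(rec.sessions, idID)
			if rec.active == idID {
				rec.active = ""
			}
		}
	}
}

func (s *SessionSwitcher) lookup(clientToken string) (*clientRecord, error) {
	rec, ok := s.clients[clientToken]
	if !ok {
		return nil, ErrUnknownClient
	}
	s.purge(rec)
	return rec, nil
}

// WhoAmI returns the active session, as a whoami endpoint would.
func (s *SessionSwitcher) WhoAmI(clientToken string) (*Session, error) {
	s.mu.Lock()
	defer s.mu.Unlock()
	rec, err := s.lookup(clientToken)
	if err != nil {
		return nil, err
	}
	if sess, ok := rec.sessions[rec.active]; ok {
		return sess, nil
	}
	return nil, ErrNoSession
}

// ListSessions returns identity summaries for an account-switcher UI; tokens stay server-side.
func (s *SessionSwitcher) ListSessions(clientToken string) []Identity {
	s.mu.Lock()
	defer s.mu.Unlock()
	rec, err := s.lookup(clientToken)
	if err != nil {
		return nil
	}
	out := make([]Identity, 0, len(rec.sessions))
	for _, sess := range rec.sessions {
		out = append(out, sess.Identity)
	}
	return out
}

// Switch activates the session for identityID. The caller names an identity,
// never a session token, so a client can only switch among sessions it
// authenticated itself and cannot adopt a token obtained elsewhere.
func (s *SessionSwitcher) Switch(clientToken, identityID string) error {
	s.mu.Lock()
	defer s.mu.Unlock()
	rec, err := s.lookup(clientToken)
	if err != nil {
		return err
	}
	if _, ok := rec.sessions[identityID]; !ok {
		return ErrNotBound
	}
	rec.active = identityID
	return nil
}

// Logout revokes one bound session. If it was the active one, nothing is active
// afterwards: the client must choose the next account explicitly.
func (s *SessionSwitcher) Logout(clientToken, identityID string) {
	s.mu.Lock()
	defer s.mu.Unlock()
	if rec, ok := s.clients[clientToken]; ok {
		delete(rec.sessions, identityID)
		if rec.active == identityID {
			rec.active = ""
		}
	}
}

func main() {
	s := NewSessionSwitcher()
	ct, _ := s.Login("", Identity{ID: "u1", Email: "alice@example.test"}, time.Hour)
	s.Login(ct, Identity{ID: "u2", Email: "bob@example.test"}, time.Hour)
	_ = s.Switch(ct, "u1")
	who, _ := s.WhoAmI(ct)
	fmt.Println("active:", who.Identity.Email, "bound:", len(s.ListSessions(ct)))
}
```

The two checks worth keeping whatever the real design looks like are that the switch operation takes an identity already bound to the client rather than a raw session token, and that revoking the active session leaves the client logged out rather than silently falling through to another account.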

AUSBird commented 1 year ago

On a side note: I would be willing to give this a shot; however, I'm new to Go, so I am hesitant to touch a core, fundamental part of the way the system works given my inexperience. That said, I am keen to learn the language, so I would give it a shot.

If I were to do this, I would probably need to put together a design doc and make this an RFC so it's detailed before I write code.

AUSBird commented 1 year ago

Hey Ory team, I am just curious what your thoughts on this feature request are?

Should I make a design document or add more details to this issue for someone else who is more experienced to take?

Regards

Saganic commented 1 year ago

+1, we need this in our production env

kmherrmann commented 1 year ago

Thanks for filing this. Supporting multi-account login is a legitimate use case; however it's not on the near-term roadmap for the Ory team. If either of you wants to get a design doc going, some considerations:

With that said, we haven't gone through detailed design, so please treat the above with a grain of salt :)

AUSBird commented 1 year ago

Thanks for the reply @kmherrmann about creating a design document. Is that done by opening another issue here, filling in the form after some thought, and then discussing it in the comments of that design-doc issue to hash out the best solution?

I'm asking mostly because I would happily do my best to write that design document, but with my limited knowledge of Kratos I just want to make sure whether I should give it a crack or not.

haase1020 commented 6 months ago

I am definitely interested in this feature - we would love to have this in our production environment.