How does Keycloak determine a user in a new browser window?


I am trying to make sense of the following problem:

There is:

  • app1.gatekeeper-test.com
  • app2.other-url.com

Those two clients (app1, app2) are in the same realm (secured behind 2 Gatekeepers). Both point to the same resource server. Cookies are fully scoped.

  1. I log in as user1 into app1.gatekeeper-test.com.
  2. I open app2.other-url.com in a new tab and it automatically logs me in as user1.
  3. If I open app1.gatekeeper-test.com in a private window, I need to log in again.
  4. There is nothing which is globally scoped, and I can't find the reason how Keycloak is determining the user.

How is this possible? There has to be some frontend state mechanism which lets Keycloak know that this is user1 who is trying to access app2? I am quite puzzled... (Tested on Chrome 80.0.3987.87)

There is 1 answer

Answer by Ziko (accepted):

That's how SSO works: it's your browser session UUID that is shared across the browser tabs.

Once you redirect to Keycloak from the new tab, it detects via your browser session that there is already an authenticated user for that session in the same realm, and hence it returns the token to you.

From an incognito window, you have a new session UUID, and hence you will need to redo the authentication mechanism, and you will get a different token with a different expiration time even if it is the same user.
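The mechanism behind the answer, as an added example that is not part of the original post and not Keycloak's code: the SSO state is a cookie on the Keycloak host, scoped to the realm path, so it is sent on every redirect to Keycloak from any client in that realm, regardless of which app host started the flow. Tabs of one window share the cookie jar; a private window starts with an empty jar. The model below replays the three observations from the question. The IdP host, the realm path, the cookie name KEYCLOAK_IDENTITY, the client ids and the token fields are assumptions chosen to mirror a typical deployment.

```python
# Added example (not Keycloak's code, not from the original post): a model of
# the browser SSO mechanism the answer describes. Two clients in one realm on
# different hosts share one login because the SSO cookie lives on the Keycloak
# host, not on either app host. IDP_HOST, REALM_PATH, the cookie name
# KEYCLOAK_IDENTITY and the client ids are assumptions.
import secrets
import time
from dataclasses import dataclass, field

IDP_HOST = "keycloak.example.com"   # assumption: the shared auth server host
REALM_PATH = "/auth/realms/demo"    # assumption: cookie path scoped to the realm


@dataclass
class Browser:
    """One browser context. Tabs share an instance; a private window is a new one."""
    jar: dict = field(default_factory=dict)   # (host, path) -> {name: value}

    def cookies_for(self, host, path):
        """Cookies the browser would attach to a request for host/path."""
        sent = {}
        for (h, p), cookies in self.jar.items():
            if h == host and path.startswith(p):
                sent.update(cookies)
        return sent

    def set_cookie(self, host, path, name, value):
        self.jar.setdefault((host, path), {})[name] = value


@dataclass
class IdP:
    """Minimal authorization server keeping SSO sessions keyed by cookie value."""
    sso_sessions: dict = field(default_factory=dict)  # cookie value -> user
    codes: dict = field(default_factory=dict)         # auth code -> (user, client_id)
    login_prompts: int = 0

    def authorize(self, browser, client_id, credentials=None):
        """Model of the /auth endpoint: return an auth code, or None when the
        browser carries no valid SSO cookie and no credentials were posted."""
        auth_path = REALM_PATH + "/protocol/openid-connect/auth"
        cookies = browser.cookies_for(IDP_HOST, auth_path)
        user = self.sso_sessions.get(cookies.get("KEYCLOAK_IDENTITY"))
        if user is None:
            if credentials is None:
                self.login_prompts += 1          # login form would be rendered here
                return None
            user = credentials                   # assumption: password check passes
            session_id = secrets.token_hex(16)
            self.sso_sessions[session_id] = user
            browser.set_cookie(IDP_HOST, REALM_PATH, "KEYCLOAK_IDENTITY", session_id)
        code = secrets.token_hex(8)
        self.codes[code] = (user, client_id)
        return code

    def token(self, code, client_id):
        """Model of the /token endpoint: one fresh token per client and visit."""
        user, issued_to = self.codes.pop(code)
        if issued_to != client_id:
            raise ValueError("code was issued to another client")
        return {"sub": user, "azp": client_id, "jti": secrets.token_hex(8),
                "exp": time.time() + 300}


def visit(browser, idp, app_host, client_id, credentials=None):
    """App behind its own Gatekeeper: redirect to the IdP, exchange the code,
    then keep its own session cookie on the app host only."""
    code = idp.authorize(browser, client_id, credentials)
    if code is None:
        return None
    token = idp.token(code, client_id)
    browser.set_cookie(app_host, "/", "gatekeeper-session", token["jti"])
    return token


def scenario():
    """Replays the three observations from the question and returns the evidence."""
    idp = IdP()
    normal = Browser()                    # one normal window; tabs share this jar
    first = visit(normal, idp, "app1.gatekeeper-test.com", "app1")          # login form
    tab1 = visit(normal, idp, "app1.gatekeeper-test.com", "app1", "user1")  # logs in
    tab2 = visit(normal, idp, "app2.other-url.com", "app2")                 # no prompt
    private = Browser()                   # private window: empty cookie jar
    private_visit = visit(private, idp, "app1.gatekeeper-test.com", "app1")  # login form
    return {
        "first": first, "tab1": tab1, "tab2": tab2, "private": private_visit,
        "login_prompts": idp.login_prompts,
        # app2 only ever sees its own host's cookie; the shared state is the IdP cookie
        "cookies_sent_to_app2": normal.cookies_for("app2.other-url.com", "/"),
        "idp_cookies": normal.cookies_for(IDP_HOST, REALM_PATH),
    }


if __name__ == "__main__":
    result = scenario()
    print("tab2 user:", result["tab2"]["sub"], "| login prompts:", result["login_prompts"])
```

To confirm this against a real deployment, open the browser's cookie store for the Keycloak host rather than for app1 or app2: Keycloak's own SSO cookies (typically KEYCLOAK_IDENTITY and KEYCLOAK_SESSION, scoped to the realm path) are what the redirect from app2 carries, while each Gatekeeper's cookie stays on its own app host. Note that the two tabs hold different tokens (different jti and client) even though they map to the same user, and that logging out of the Keycloak session, not just clearing an app's cookie, is what ends the SSO for every client in the realm.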