I’ve done some searching around and I haven’t been able to figure out if my problem is something that can be addressed by a configuration change / some other means, or if it’s just the way Keycloak or OAuth in general works.
We have a single realm.
We have a website and an application that use this Keycloak realm.
We use a Keycloak client called ‘webfrontend’ for authentication for the website.This uses the Standard OAuth flow.
We have an application than runs on standalone VR devices (Quest/Pico/other). We created a second client for these in the same realm called ‘vrclient’. This use the Device Authorization Grant Flow.
All users can use both.
The problem we’re having with the device flow is that when the user logs in they are also logged in to the browser. If this is their own device or account on a desktop pc, this is fine and doesn’t present a problem.
However, the problem scenario is that the VR devices might be in an area with a windows desktop pc. We have a couple of clients that have the PC logged into a common account and just have all the users use the browser within a shared (Windows) account on the desktop. I realise users doing this is terrible from a security point of view, but we can’t control what they do…
When a user uses the device flow in that browser to login to a headset they are also logged in to that browser as well. The page after logging in says something to the effect of “you may close the browser window and continue on the device”. It’s pretty easy for the user to think that means they can do just that. Which they will do (or just leave it sitting on that page). Then another person uses the system for the same device login flow, but they don’t need to enter their username and password as the the browser is still logged in as the previous user and they end up logged in on their vr device as the wrong user.
Even if the users were to realize and logout in the browser this would break the vr session as they are logged out by the browser logging out.
Basically, is there a way to do something like a shared device mode for the device login so that every device login attempt requires user/pass and doesn’t save any session state in the browser? Or possibly to clear the browser session state on the “you may close the browser window and continue on the device”. Or a kiosk mode of some sort?
Or is this a case where the only option is user education and behavioural changes.