I have many IdPs on my Keycloak.
Some clients ask for login with a specific IdP using kc_idp_hint and other clients ask for another one. If the session is still valid, Keycloak responds with the current identity from the latest IdP, not the required IdP.
For example:
User opens app A, using kc_idp_hint=idp_A. After a few minutes, the same user closes app A and opens app B.
App B uses kc_idp_hint=idp_B but as the user has a fresh session from the previous connection, they get redirected with the identity of IdP A, not IdP B.
Is there a way to force a full login flow when the asked IDP is different? Similar to the flow when the browser session has expired.
It is not ideal.
The iss is not the same, so APIs will reject the token as it's not issued by the expected issuer.
Third-party apps may reject it too or ask a token from the wrong one.
If I force the Frontend URL, the iss is forced to the right value.
It works well for the client_credentials flow, but the authorization code flow (that I use) is broken. The first half of the login process is done with appB.keycloak.com, the second half with the standard Keycloak URL, cookies are lost between the two and the connection fails.
Another possibility could be to differentiate Tokens TTL and browser sessions TTL (SSO Session Idle param).
I didn't find any options to do that. Is it possible?
Another possibility could be to add the IdP name in a claim and check it on my critical apps (the ones forcing the kc_idp_hint). If the IdP in the JWT is not the right one, I trigger a logout process before a new login process, using the right IdP this time.
It's still not a very good option. If a third-party IdP has a logout form (e.g. "Do you want to log out?"), it breaks the UX.
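The last option above, the claim check followed by a logout-then-login, as an added example that is not part of the original post or of Keycloak itself. It assumes a protocol mapper in the realm that exposes the brokering IdP alias as an ID-token claim named `identity_provider` (the claim name is an assumption), that the relying party's OIDC library has already verified the token signature before the claims reach this code, and hypothetical deployment values (`keycloak.example.com`, realm `myrealm`, client `app-b`, the app's redirect and post-logout URLs). The Keycloak endpoints and parameters used (`/protocol/openid-connect/auth`, `/protocol/openid-connect/logout`, `kc_idp_hint`, `id_token_hint`, `post_logout_redirect_uri`) are the standard ones; the alg=none token at the bottom is a constructed fixture so the example runs offline, not something a real app should ever accept.

```python
"""Added example: a relying party checks which IdP brokered the current
Keycloak session and, when it is the wrong one, builds the logout-then-login
redirects described in the post. Not code from the original post or Keycloak.

Assumptions: a realm protocol mapper exposes the IdP alias in an ID-token
claim named "identity_provider" (claim name is an assumption), and the token
signature was already verified by the app's OIDC library before this code.
"""
import base64
import json
from urllib.parse import urlencode

# Hypothetical deployment values used by the example.
KEYCLOAK_BASE = "https://keycloak.example.com"
REALM = "myrealm"
ISSUER = f"{KEYCLOAK_BASE}/realms/{REALM}"


def _b64url_decode(segment: str) -> bytes:
    # JWT segments drop the '=' padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def jwt_claims(id_token: str) -> dict:
    """Payload of a compact JWT. No signature check here: the OIDC library
    must have validated the token before it is handed to this function."""
    _header, payload, _signature = id_token.split(".")
    return json.loads(_b64url_decode(payload))


def session_problems(claims: dict, expected_idp: str, expected_iss: str,
                     idp_claim: str = "identity_provider") -> list:
    """Reasons why this session is not acceptable for the app (empty if fine).
    The iss check covers the wrong-issuer case the post mentions."""
    problems = []
    if claims.get("iss") != expected_iss:
        problems.append(f"iss is {claims.get('iss')!r}, expected {expected_iss!r}")
    actual_idp = claims.get(idp_claim)
    if actual_idp != expected_idp:
        problems.append(f"{idp_claim} is {actual_idp!r}, expected {expected_idp!r}")
    return problems


def login_url(client_id: str, redirect_uri: str, idp_alias: str, state: str) -> str:
    """Authorization-code request asking Keycloak to broker via idp_alias."""
    params = {
        "client_id": client_id,
        "response_type": "code",
        "scope": "openid",
        "redirect_uri": redirect_uri,
        "state": state,
        "kc_idp_hint": idp_alias,
    }
    return f"{ISSUER}/protocol/openid-connect/auth?{urlencode(params)}"


def logout_url(id_token: str, post_logout_redirect_uri: str) -> str:
    """RP-initiated logout of the Keycloak session. post_logout_redirect_uri
    must be listed in the client's valid post-logout redirect URIs; passing
    id_token_hint lets Keycloak skip its own logout confirmation page."""
    params = {
        "id_token_hint": id_token,
        "post_logout_redirect_uri": post_logout_redirect_uri,
    }
    return f"{ISSUER}/protocol/openid-connect/logout?{urlencode(params)}"


def decide(id_token: str, expected_idp: str, client_id: str, redirect_uri: str,
           post_logout_uri: str, state: str) -> dict:
    """Accept the session, or hand back the two redirects needed to replace it:
    first the Keycloak logout, then (from the post-logout landing page) a fresh
    login that pins kc_idp_hint to the IdP this app requires."""
    claims = jwt_claims(id_token)
    problems = session_problems(claims, expected_idp, ISSUER)
    if not problems:
        return {"action": "accept", "sub": claims.get("sub")}
    return {
        "action": "relogin",
        "reasons": problems,
        "logout_url": logout_url(id_token, post_logout_uri),
        "login_url": login_url(client_id, redirect_uri, expected_idp, state),
    }


def make_unsigned_token(claims: dict) -> str:
    """Constructed test fixture only: an alg=none JWT so the example runs
    offline. Never accept such tokens from a real client."""
    def enc(obj):
        raw = json.dumps(obj, separators=(",", ":")).encode()
        return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
    return f"{enc({'alg': 'none', 'typ': 'JWT'})}.{enc(claims)}."


# Constructed session left behind by app A (brokered via idp_A), presented to app B.
TOKEN_FROM_IDP_A = make_unsigned_token(
    {"iss": ISSUER, "sub": "user-1", "identity_provider": "idp_A"})

if __name__ == "__main__":
    print(decide(TOKEN_FROM_IDP_A, "idp_B", "app-b",
                 "https://app-b.example.com/callback",
                 "https://app-b.example.com/relogin", "xyz"))
```

The app issues the `logout_url` redirect first; Keycloak ends the realm session and returns the browser to `post_logout_uri`, whose handler then redirects to `login_url`, so the new authorization-code flow starts with no SSO cookie and `kc_idp_hint` sends the user to the required IdP. Whether the external IdP shows its own "Do you want to log out?" page during the Keycloak logout is outside the app's control, which is exactly the UX problem the post raises.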