Authorize Url Changes

By: Mursel Koseer user 17 Feb 2025 at 5:05 a.m. CST

8 Responses
Mursel Koseer gravatar
Hey, Is there a way to keep the authorization URL always visible? When you first visit the login page, you see the "https://domain/oxauth/authorize.htm?..." URL. However, after clicking "authenticate," the URL changes to "https://domain/oxauth/casa/login.htm" (the page url). This causes issues when a user opens multiple tabs or clients, as the authentication process interferes with each other. We use the "client_id" parameter to set and get the identity working parameter. Consequently, when the URL changes, Gluu still recognizes the last used client in the browser window.
Gluu 4.5 Ubuntu 22.04
pending

Answers

By Michael Schwartz Account Admin 17 Feb 2025 at 2:04 p.m. CST

Copy
Michael Schwartz gravatar
I don't think there is anyway to change this behavior. The authorize endpoint invokes the template... which itself has a unique state value embedded. The end users should never have more then one authn tab open at the same time. Do you mean perhaps that their session expires, and that leave the end user in a state where they have multiple tabs open?

By Mursel Koseer user 19 Feb 2025 at 2:08 a.m. CST

Copy
Mursel Koseer gravatar
I meant specifically just about the multiple tabs not the session expiration. If I understand it correctly I can't do much about it that users can have mutliple login tabs for different clients (different login UI)?

By Md Mostafejur Rahman staff 19 Feb 2025 at 12:11 p.m. CST

Copy
Md Mostafejur Rahman gravatar
Hi Mursel, Yes, you are correct. Users can open multiple login tabs for different clients, and there is no built-in way to prevent this, as each client has an independent authentication flow. Let us know if you’re facing a specific issue related to this behavior, and we can explore possible solutions.

By Michael Schwartz Account Admin 19 Feb 2025 at 1:02 p.m. CST

Copy
Michael Schwartz gravatar
The browser shares cookies across tabs. You can use an incognito tab if you want a different session. There is a support in Gluu for multiple active sessions--however only one account is active at a time. See: https://gluu.org/docs/gluu-server/4.5/admin-guide/session/#select-account

By Mursel Koseer user 20 Feb 2025 at 12:54 a.m. CST

Copy
Mursel Koseer gravatar
Hey, Okay understood, but what do you mean by "only one account is active at a time". Because we managed to login in 2 different accounts in 2 different clients on the same session (same window and different tabs) by providing the prompt=login parameter?

By Mohib Zico Account Admin 20 Feb 2025 at 1:49 a.m. CST

Copy
Mohib Zico gravatar
>> Because we managed to login in 2 different accounts in 2 different clients on the same session (same window and different tabs) by providing the prompt=login parameter? What happens if you open third tab and try to access some application which is using first account?

By Michael Schwartz Account Admin 20 Feb 2025 at 4:23 p.m. CST

Copy
Michael Schwartz gravatar
Using `prompt=login` will create a situation as I described in the docs link above, where one browser session has multiple sessions. Right now, Gluu only supports one active session per browser session, not per tab.The best way to handle this is to do your other session in incognito mode so cookies are not shared across the session. I see Google is handling this much better now, so I'll add it as a feature request in the upstream open source to revisit this session behavior.

By Mursel Koseer user 24 Feb 2025 at 6:01 a.m. CST

Copy
Mursel Koseer gravatar
Hi, What happens if you open third tab and try to access some application which is using first account? ** - When opening a third tab you will get the correct cookies of the loggedin user for that specific application (client). ** Using prompt=login will create a situation as I described in the docs link above, where one browser session has multiple sessions. Right now, Gluu only supports one active session per browser session, not per tab.The best way to handle this is to do your other session in incognito mode so cookies are not shared across the session. I see Google is handling this much better now, so I'll add it as a feature request in the upstream open source to revisit this session behavior. ** - Okay understoond, thanks.**

Post an answer