Replies: 1 comment
I assume you ran into a similar issue to #224. If you use Google as an IdP, the original authentication flow is left and continues after logging in via Google in a so-called "Post Login Flow". You must therefore ensure that the authenticator provided by this extension is running in all Post Login Flows. The post login flow is part of the IdP configuration. See the docs for details: https://www.keycloak.org/docs/latest/server_admin/#_general-idp-config You may need to add a new flow if you do not have one created yet. Please also make sure to check all your other flows, like the direct grant flow. See this hint in the docs. I can only strongly recommend that you familiarize yourself with the concepts of flows. Errors in configuration or forgetting a flow can lead to serious security problems.
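One way to check a realm for the gaps the reply describes, as an added example that is not part of the reply or of the extension's own code: it walks a realm export and reports bound flows and identity providers whose post login flow does not contain the authenticator. It assumes the realm export JSON layout (`authenticationFlows`, `identityProviders`, `postBrokerLoginFlowAlias`); the authenticator ID and the sample realm are constructed placeholders.

```python
# Hypothetical provider ID; substitute the ID your extension's authenticator registers.
AUTHENTICATOR_ID = "example-restrict-authenticator"
REALM_BINDINGS = ("browserFlow", "directGrantFlow")  # realm-level flow bindings

def flow_contains(flows, alias, authenticator, seen=None):
    """True if flow `alias`, or any non-disabled sub-flow, runs `authenticator`."""
    seen = seen or set()
    if alias in seen or alias not in flows:
        return False
    seen.add(alias)
    for ex in flows[alias].get("authenticationExecutions", []):
        if ex.get("requirement") == "DISABLED":
            continue
        if ex.get("authenticator") == authenticator:
            return True
        if ex.get("flowAlias") and flow_contains(flows, ex["flowAlias"], authenticator, seen):
            return True
    return False

def audit_realm(realm, authenticator):
    """List bound flows and IdP post login flows that lack the authenticator."""
    flows = {f["alias"]: f for f in realm.get("authenticationFlows", [])}
    findings = []
    for key in REALM_BINDINGS:
        alias = realm.get(key)
        if alias and not flow_contains(flows, alias, authenticator):
            findings.append(f"{key} '{alias}': authenticator missing")
    for idp in realm.get("identityProviders", []):
        post = idp.get("postBrokerLoginFlowAlias")
        if not post:
            findings.append(f"IdP '{idp['alias']}': no post login flow set")
        elif not flow_contains(flows, post, authenticator):
            findings.append(f"IdP '{idp['alias']}': post login flow '{post}' lacks authenticator")
    return findings

def _flow(alias, *executions):
    return {"alias": alias, "authenticationExecutions": list(executions)}

# Constructed sample shaped like a realm export; not taken from a real deployment.
SAMPLE_REALM = {
    "browserFlow": "browser",
    "directGrantFlow": "direct grant",
    "authenticationFlows": [
        _flow("browser", {"flowAlias": "forms", "requirement": "REQUIRED"}),
        _flow("forms", {"authenticator": AUTHENTICATOR_ID, "requirement": "REQUIRED"}),
        _flow("direct grant", {"authenticator": "direct-grant-validate-username", "requirement": "REQUIRED"}),
    ],
    "identityProviders": [{"alias": "google", "providerId": "google"}],
}

if __name__ == "__main__":
    print("\n".join(audit_realm(SAMPLE_REALM, AUTHENTICATOR_ID)))
```

A clean result only shows that the execution is present; its requirement, its position in the flow and any per-client flow overrides still need a manual review.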
-
Hi and thanks for your great work.
I'm trying to configure Keycloak to be able to handle a couple of applications I will use in the future, and to easily implement Google SSO in all of these apps.
I think I've configured the restriction correctly, because if a user session already exists (unfortunately the app I'm using doesn't support calling the SSO logout URL, so in Keycloak the session is still there), when I click the login button I get an access_denied message from Keycloak. The problem is when I try to log in using Google to access the application. As soon as I successfully log in with Google data, I'm sent to the app homepage. Obviously this is an issue caused by my lack of knowledge of Keycloak, as I've just started using it, but a suggestion on how to configure it to prevent login even if I do an SSO login would be much appreciated.