User logged in on one client gets automatically logged in to another client

I am struggling with local configuration to test HYDRA. When logging in with one client, I get automatically logged in on another domain using another client… I do think that with SSO, if logged-in using a client, I should not be automatically logged-in to another client, or am I wrong? Do I need to use a different hydra server for each realm in order to discriminate clients?

Basically, I created 2 clients; when logged in with one client CLT1, I get a skip login at true when trying to login on the CLT2 client before sending credentials. (I set remember to true during the consent phase on CLT1.)

Here is my setup and some logs…

I am using hydra v1.0.1 with PostgreSQL using docker.

My Hydra conf:

```yaml
environment:
  - DSN=postgres://hydra:[email protected]:5432/hydra?sslmode=disable&max_conns=20&max_idle_conns=4
  - SERVE_PUBLIC_CORS_ENABLED=true
  - LOG_LEVEL=debug
  - SERVE_PUBLIC_CORS_DEBUG=true
  - SERVE_PUBLIC_CORS_ALLOWED_ORIGINS=*
  - SERVE_ADMIN_CORS_ENABLED=true
  - SERVE_ADMIN_CORS_DEBUG=true
  - SERVE_ADMIN_CORS_ALLOWED_ORIGINS=*
  - CORS_ALLOWED_ORIGINS=*
  - URLS_SELF_ISSUER=http://127.0.0.1:4444/
  - URLS_USERINFO=http://localhost:8081/swse/customer/v1/oauth2/userinfo
  - URLS_CONSENT=http://localhost:8081/swse/customer/v1/oauth2/consent
  - URLS_LOGIN=http://localhost:8081/swse/customer/v1/oauth2/login
  - URLS_LOGOUT=http://localhost:8081/swse/customer/v1/oauth2/logout
  - SECRETS_SYSTEM=IamTheOnlyAuthProviderArround1
  - OIDC_SUBJECT_TYPES_SUPPORTED=public,pairwise
  - OIDC_SUBJECT_TYPE_PAIRWISE_SALT=AndThisIsMySaltedConfig
```

Client 1

```json
{
  "client_id": "CLT1",
  "client_name": "client 1",
  "contacts": ["Client 1 Contact"],
  "created_at": "2019-08-22T11:15:00Z",
  "frontchannel_logout_session_required": true,
  "grant_types": ["implicit", "authorization_code", "refresh_token", "password", "client_credentials"],
  "response_types": ["code", "id_token", "token", "id_token token"],
  "redirect_uris": ["http://my-clt1"],
  "scope": "openid offline email profile",
  "allowed_cors_origins": ["http://my-clt1"],
  "post_logout_redirect_uris": ["http://my-clt1"]
}
```

and Client 2

```json
{
  "client_id": "CLT2",
  "client_name": "client 2",
  "contacts": ["Client 1 Contact"],
  "created_at": "2019-08-22T11:15:00Z",
  "frontchannel_logout_session_required": true,
  "grant_types": ["implicit", "authorization_code", "refresh_token", "password", "client_credentials"],
  "response_types": ["code", "id_token", "token", "id_token token"],
  "redirect_uris": ["http://my-clt2:81"],
  "scope": "openid offline email profile",
  "allowed_cors_origins": ["http://my-clt2:81"],
  "post_logout_redirect_uris": ["http://my-clt2:81"]
}
```

I do login CLT1 using a browser tab:

1. Request URL: http://127.0.0.1:4444/oauth2/auth?response_type=id_token%20token&client_id=CLT1&state=HHxmv-xME4hxbn58eJdxXkH3q5tN-cImjNAhgrpRcsfzs&redirect_uri=http%3A%2F%2Fmy-clt1&scope=openid%20profile%20email&nonce=HHxmv-xME4hxbn58eJdxXkH3q5tN-cImjNAhgrpRcsfzs
2. Request Method: GET
3. Status Code: 302 Found
4. Remote Address: 127.0.0.1:4444

1. Request URL: http://localhost:8081/idp/customer/v1/oauth2/login?login_challenge=a578e44624fd46e5928b00b8209111b3
2. Request Method: GET
3. Status Code: 302 Found
4. Remote Address: [::1]:8081
5. Referrer Policy: no-referrer-when-downgrade

1. Request URL: http://my-clt1/login?login_challenge=a578e44624fd46e5928b00b8209111b3&redirect_uri=http://localhost:8081/idp/customer/v1/oauth2/login
2. Request Method: GET
3. Status Code: 200 OK
4. Remote Address: 127.0.0.1:80
5. Referrer Policy: no-referrer-when-downgrade

Server Side on Hydra

hydra_2          | time="2019-09-12T08:47:06Z" level=info msg="started handling request" method=GET remote="172.22.0.5:34598" request="/oauth2/auth?response_type=id_token%20token&client_id=CLT1&state=HHxmv-xME4hxbn58eJdxXkH3q5tN-cImjNAhgrpRcsfzs&redirect_uri=http%3A%2F%2Fmy-clt1&scope=openid%20profile%20email&nonce=HHxmv-xME4hxbn58eJdxXkH3q5tN-cImjNAhgrpRcsfzs"
hydra_2          | time="2019-09-12T08:47:06Z" level=info msg="completed handling request" measure#hydra/public: http://127.0.0.1:4444/.latency=22344700 method=GET remote="172.22.0.5:34598" request="/oauth2/auth?response_type=id_token%20token&client_id=CLT1&state=HHxmv-xME4hxbn58eJdxXkH3q5tN-cImjNAhgrpRcsfzs&redirect_uri=http%3A%2F%2Fmy-clt1&scope=openid%20profile%20email&nonce=HHxmv-xME4hxbn58eJdxXkH3q5tN-cImjNAhgrpRcsfzs" status=302 text_status=Found took=22.3447ms
hydra_3          | time="2019-09-12T08:47:06Z" level=info msg="started handling request" method=GET remote="172.22.0.5:54198" request="/oauth2/auth/requests/login?challenge=a578e44624fd46e5928b00b8209111b3"
hydra_3          | time="2019-09-12T08:47:06Z" level=info msg="completed handling request" measure#hydra/admin: http://127.0.0.1:4444/.latency=2208800 method=GET remote="172.22.0.5:54198" request="/oauth2/auth/requests/login?challenge=a578e44624fd46e5928b00b8209111b3" status=200 text_status=OK took=2.2088ms

After Login CLT1

1. Request URL: http://localhost:8081/idp/customer/v1/oauth2/login
2. Request Method: POST
3. Status Code: 302 Found
4. Remote Address: [::1]:8081

1. Request URL: http://127.0.0.1:4444/oauth2/auth?client_id=CLT1&login_verifier=8959814784bb45e3b20ba7ed7694e1c2&nonce=HHxmv-xME4hxbn58eJdxXkH3q5tN-cImjNAhgrpRcsfzs&redirect_uri=http%3A%2F%2Fmy-clt1&response_type=id_token+token&scope=openid+profile+email&state=HHxmv-xME4hxbn58eJdxXkH3q5tN-cImjNAhgrpRcsfzs
2. Request Method: GET
3. Status Code: 302 Found
4. Remote Address: 127.0.0.1:4444

1. Request URL: http://localhost:8081/idp/customer/v1/oauth2/consent?consent_challenge=79f5164616c14ddf9125d70f1ab0fcb1
2. Request Method: GET
3. Status Code: 302 Found
4. Remote Address: [::1]:8081

1. Request URL: http://127.0.0.1:4444/oauth2/auth?client_id=CLT1&consent_verifier=b5bf9d51add64a08b2517c4325692491&nonce=HHxmv-xME4hxbn58eJdxXkH3q5tN-cImjNAhgrpRcsfzs&redirect_uri=http%3A%2F%2Fmy-clt1&response_type=id_token+token&scope=openid+profile+email&state=HHxmv-xME4hxbn58eJdxXkH3q5tN-cImjNAhgrpRcsfzs
2. Request Method: GET
3. Status Code: 302 Found
4. Remote Address: 127.0.0.1:4444

Server Side on Hydra

hydra_5          | time="2019-09-12T08:57:28Z" level=info msg="started handling request" method=GET remote="172.22.0.5:38408" request="/oauth2/auth/requests/login?challenge=a578e44624fd46e5928b00b8209111b3"
hydra_5          | time="2019-09-12T08:57:28Z" level=info msg="completed handling request" measure#hydra/admin: http://127.0.0.1:4444/.latency=2635400 method=GET remote="172.22.0.5:38408" request="/oauth2/auth/requests/login?challenge=a578e44624fd46e5928b00b8209111b3" status=200 text_status=OK took=2.6354ms
hydra_2          | time="2019-09-12T08:57:39Z" level=info msg="started handling request" method=PUT remote="172.22.0.5:60522" request="/oauth2/auth/requests/login/accept?challenge=a578e44624fd46e5928b00b8209111b3"
hydra_2          | time="2019-09-12T08:57:39Z" level=info msg="completed handling request" measure#hydra/admin: http://127.0.0.1:4444/.latency=15353000 method=PUT remote="172.22.0.5:60522" request="/oauth2/auth/requests/login/accept?challenge=a578e44624fd46e5928b00b8209111b3" status=200 text_status=OK took=15.353ms
hydra_3          | time="2019-09-12T08:57:40Z" level=info msg="started handling request" method=GET remote="172.22.0.5:46604" request="/oauth2/auth?client_id=CLT1&login_verifier=8959814784bb45e3b20ba7ed7694e1c2&nonce=HHxmv-xME4hxbn58eJdxXkH3q5tN-cImjNAhgrpRcsfzs&redirect_uri=http%3A%2F%2Fmy-clt1&response_type=id_token+token&scope=openid+profile+email&state=HHxmv-xME4hxbn58eJdxXkH3q5tN-cImjNAhgrpRcsfzs"
hydra_3          | time="2019-09-12T08:57:40Z" level=info msg="completed handling request" measure#hydra/public: http://127.0.0.1:4444/.latency=32333500 method=GET remote="172.22.0.5:46604" request="/oauth2/auth?client_id=CLT1&login_verifier=8959814784bb45e3b20ba7ed7694e1c2&nonce=HHxmv-xME4hxbn58eJdxXkH3q5tN-cImjNAhgrpRcsfzs&redirect_uri=http%3A%2F%2Fmy-clt1&response_type=id_token+token&scope=openid+profile+email&state=HHxmv-xME4hxbn58eJdxXkH3q5tN-cImjNAhgrpRcsfzs" status=302 text_status=Found took=32.3335ms
hydra_1          | time="2019-09-12T08:57:40Z" level=info msg="started handling request" method=GET remote="172.22.0.5:40682" request="/oauth2/auth/requests/consent?challenge=79f5164616c14ddf9125d70f1ab0fcb1"
hydra_1          | time="2019-09-12T08:57:40Z" level=info msg="completed handling request" measure#hydra/admin: http://127.0.0.1:4444/.latency=3703300 method=GET remote="172.22.0.5:40682" request="/oauth2/auth/requests/consent?challenge=79f5164616c14ddf9125d70f1ab0fcb1" status=200 text_status=OK took=3.7033ms
hydra_4          | time="2019-09-12T08:57:40Z" level=info msg="started handling request" method=PUT remote="172.22.0.5:36110" request="/oauth2/auth/requests/consent/accept?challenge=79f5164616c14ddf9125d70f1ab0fcb1"
hydra_4          | time="2019-09-12T08:57:40Z" level=info msg="completed handling request" measure#hydra/admin: http://127.0.0.1:4444/.latency=11995400 method=PUT remote="172.22.0.5:36110" request="/oauth2/auth/requests/consent/accept?challenge=79f5164616c14ddf9125d70f1ab0fcb1" status=200 text_status=OK took=11.9954ms
hydra_5          | time="2019-09-12T08:57:40Z" level=info msg="started handling request" method=GET remote="172.22.0.5:41956" request="/oauth2/auth?client_id=CLT1&consent_verifier=b5bf9d51add64a08b2517c4325692491&nonce=HHxmv-xME4hxbn58eJdxXkH3q5tN-cImjNAhgrpRcsfzs&redirect_uri=http%3A%2F%2Fmy-clt1&response_type=id_token+token&scope=openid+profile+email&state=HHxmv-xME4hxbn58eJdxXkH3q5tN-cImjNAhgrpRcsfzs"
hydra_5          | time="2019-09-12T08:57:40Z" level=info msg="completed handling request" measure#hydra/public: http://127.0.0.1:4444/.latency=75278900 method=GET remote="172.22.0.5:41956" request="/oauth2/auth?client_id=CLT1&consent_verifier=b5bf9d51add64a08b2517c4325692491&nonce=HHxmv-xME4hxbn58eJdxXkH3q5tN-cImjNAhgrpRcsfzs&redirect_uri=http%3A%2F%2Fmy-clt1&response_type=id_token+token&scope=openid+profile+email&state=HHxmv-xME4hxbn58eJdxXkH3q5tN-cImjNAhgrpRcsfzs" status=302 text_status=Found took=75.2789ms

Session data

nonce: HHxmv-xME4hxbn58eJdxXkH3q5tN-cImjNAhgrpRcsfzs	
id_token_expires_at: 1568282260000	
expires_at: 1568282260687	
access_token_stored_at: 1568278661687	
id_token_stored_at: 1568278661765	
id_token: eyJhbGciOiJSUzI1NiIsImtpZCI6InB1YmxpYzoxNTBmZ...
access_token: nY1Nwesg7Dkq-jPjT5VnwX8hUrWBcaZD4403sp0mx...
id_token_claims_obj: {"at_hash":"lysJySgwqdnnLYllaNgHgA","aud":["CLT1"],"auth_time":1568278659,"exp":1568282260,"iat":1568278660,"iss":"http://127.0.0.1:4444/","jti":"69ff6874-9468-4dc0-8e88-b6c07f2b4b3d","nonce":"HHxmv-xME4hxbn58eJdxXkH3q5tN-cImjNAhgrpRcsfzs","rat":1568278026,"sid":"ffddb6ec-628c-4282-be38-863a4e550d17","sub":"eyJlbmMiOiJBMTI4Q0JDLUhTMjU2IiwiYWxnIjoiZGlyIn0..3iE0-gprM2xiiaUWzRcqFg.4nNQNTaA70Cd_OvBD7FNMEN8tDkF-coamCYPxCdxVlGyQDEEHe_ElbebmZ44qoBLVmKgVUZ9iXSnZdRmELvmCA.w-sB4aOi3QLZxUWYx6g-6Q"}	
session_state: undefined	
granted_scopes: ["openid profile email"]

CLIENT 2 Login

1. Request URL: http://127.0.0.1:4444/oauth2/auth?response_type=id_token%20token&client_id=CLT2&state=fGtNHIR4pS23k7cjeuPNld_E6aMSFhGKogXiU3XrqUIYr&redirect_uri=http%3A%2F%2Fmy-clt2%3A81&scope=openid%20profile%20email&nonce=fGtNHIR4pS23k7cjeuPNld_E6aMSFhGKogXiU3XrqUIYr
2. Request Method: GET
3. Status Code: 302 Found
4. Remote Address: 127.0.0.1:4444

1. Request URL: http://localhost:8081/idp/customer/v1/oauth2/login?login_challenge=ae76f9dbb28d4082a3c5a24ce43ed806
2. Request Method: GET
3. Status Code: 302 Found
4. Remote Address: [::1]:8081

1. Request URL: http://127.0.0.1:4444/oauth2/auth?client_id=CLT2&login_verifier=41713af9bf1c406e8ed1655f1c150bd3&nonce=fGtNHIR4pS23k7cjeuPNld_E6aMSFhGKogXiU3XrqUIYr&redirect_uri=http%3A%2F%2Fmy-clt2%3A81&response_type=id_token+token&scope=openid+profile+email&state=fGtNHIR4pS23k7cjeuPNld_E6aMSFhGKogXiU3XrqUIYr
2. Request Method: GET
3. Status Code: 302 Found
4. Remote Address: 127.0.0.1:4444

1. Request URL: http://localhost:8081/idp/customer/v1/oauth2/consent?consent_challenge=ccf1a0a03df64bbfbfe5ecb2417d0dd1
2. Request Method: GET
3. Status Code: 302 Found
4. Remote Address: [::1]:8081

1. Request URL: http://127.0.0.1:4444/oauth2/auth?client_id=CLT2&consent_verifier=e15246045770482ca0de70a11656c7db&nonce=fGtNHIR4pS23k7cjeuPNld_E6aMSFhGKogXiU3XrqUIYr&redirect_uri=http%3A%2F%2Fmy-clt2%3A81&response_type=id_token+token&scope=openid+profile+email&state=fGtNHIR4pS23k7cjeuPNld_E6aMSFhGKogXiU3XrqUIYr
2. Request Method: GET
3. Status Code: 302 Found
4. Remote Address: 127.0.0.1:4444

Server Side Hydra

hydra_5          | time="2019-09-12T09:10:38Z" level=info msg="started handling request" method=GET remote="172.22.0.5:42018" request="/oauth2/auth?response_type=id_token%20token&client_id=CLT2&state=fGtNHIR4pS23k7cjeuPNld_E6aMSFhGKogXiU3XrqUIYr&redirect_uri=http%3A%2F%2Fmy-clt2%3A81&scope=openid%20profile%20email&nonce=fGtNHIR4pS23k7cjeuPNld_E6aMSFhGKogXiU3XrqUIYr"
hydra_5          | time="2019-09-12T09:10:38Z" level=info msg="completed handling request" measure#hydra/public: http://127.0.0.1:4444/.latency=11650700 method=GET remote="172.22.0.5:42018" request="/oauth2/auth?response_type=id_token%20token&client_id=CLT2&state=fGtNHIR4pS23k7cjeuPNld_E6aMSFhGKogXiU3XrqUIYr&redirect_uri=http%3A%2F%2Fmy-clt2%3A81&scope=openid%20profile%20email&nonce=fGtNHIR4pS23k7cjeuPNld_E6aMSFhGKogXiU3XrqUIYr" status=302 text_status=Found took=11.6507ms
hydra_3          | time="2019-09-12T09:10:38Z" level=info msg="started handling request" method=GET remote="172.22.0.5:54286" request="/oauth2/auth/requests/login?challenge=ae76f9dbb28d4082a3c5a24ce43ed806"
hydra_3          | time="2019-09-12T09:10:38Z" level=info msg="completed handling request" measure#hydra/admin: http://127.0.0.1:4444/.latency=2188700 method=GET remote="172.22.0.5:54286" request="/oauth2/auth/requests/login?challenge=ae76f9dbb28d4082a3c5a24ce43ed806" status=200 text_status=OK took=2.1887ms
hydra_5          | time="2019-09-12T09:10:38Z" level=info msg="started handling request" method=PUT remote="172.22.0.5:38490" request="/oauth2/auth/requests/login/accept?challenge=ae76f9dbb28d4082a3c5a24ce43ed806"
hydra_5          | time="2019-09-12T09:10:39Z" level=info msg="completed handling request" measure#hydra/admin: http://127.0.0.1:4444/.latency=8415200 method=PUT remote="172.22.0.5:38490" request="/oauth2/auth/requests/login/accept?challenge=ae76f9dbb28d4082a3c5a24ce43ed806" status=200 text_status=OK took=8.4152ms
hydra_2          | time="2019-09-12T09:10:39Z" level=info msg="started handling request" method=GET remote="172.22.0.5:34694" request="/oauth2/auth?client_id=CLT2&login_verifier=41713af9bf1c406e8ed1655f1c150bd3&nonce=fGtNHIR4pS23k7cjeuPNld_E6aMSFhGKogXiU3XrqUIYr&redirect_uri=http%3A%2F%2Fmy-clt2%3A81&response_type=id_token+token&scope=openid+profile+email&state=fGtNHIR4pS23k7cjeuPNld_E6aMSFhGKogXiU3XrqUIYr"
hydra_2          | time="2019-09-12T09:10:39Z" level=info msg="completed handling request" measure#hydra/public: http://127.0.0.1:4444/.latency=15158500 method=GET remote="172.22.0.5:34694" request="/oauth2/auth?client_id=CLT2&login_verifier=41713af9bf1c406e8ed1655f1c150bd3&nonce=fGtNHIR4pS23k7cjeuPNld_E6aMSFhGKogXiU3XrqUIYr&redirect_uri=http%3A%2F%2Fmy-clt2%3A81&response_type=id_token+token&scope=openid+profile+email&state=fGtNHIR4pS23k7cjeuPNld_E6aMSFhGKogXiU3XrqUIYr" status=302 text_status=Found took=15.1585ms
hydra_2          | time="2019-09-12T09:10:39Z" level=info msg="started handling request" method=GET remote="172.22.0.5:60604" request="/oauth2/auth/requests/consent?challenge=ccf1a0a03df64bbfbfe5ecb2417d0dd1"
hydra_2          | time="2019-09-12T09:10:39Z" level=info msg="completed handling request" measure#hydra/admin: http://127.0.0.1:4444/.latency=2695100 method=GET remote="172.22.0.5:60604" request="/oauth2/auth/requests/consent?challenge=ccf1a0a03df64bbfbfe5ecb2417d0dd1" status=200 text_status=OK took=2.6951ms
hydra_1          | time="2019-09-12T09:10:39Z" level=info msg="started handling request" method=PUT remote="172.22.0.5:40760" request="/oauth2/auth/requests/consent/accept?challenge=ccf1a0a03df64bbfbfe5ecb2417d0dd1"
hydra_1          | time="2019-09-12T09:10:39Z" level=info msg="completed handling request" measure#hydra/admin: http://127.0.0.1:4444/.latency=10119800 method=PUT remote="172.22.0.5:40760" request="/oauth2/auth/requests/consent/accept?challenge=ccf1a0a03df64bbfbfe5ecb2417d0dd1" status=200 text_status=OK took=10.1198ms
hydra_1          | time="2019-09-12T09:10:39Z" level=info msg="started handling request" method=GET remote="172.22.0.5:51660" request="/oauth2/auth?client_id=CLT2&consent_verifier=e15246045770482ca0de70a11656c7db&nonce=fGtNHIR4pS23k7cjeuPNld_E6aMSFhGKogXiU3XrqUIYr&redirect_uri=http%3A%2F%2Fmy-clt2%3A81&response_type=id_token+token&scope=openid+profile+email&state=fGtNHIR4pS23k7cjeuPNld_E6aMSFhGKogXiU3XrqUIYr"
hydra_1          | time="2019-09-12T09:10:39Z" level=info msg="completed handling request" measure#hydra/public: http://127.0.0.1:4444/.latency=114910300 method=GET remote="172.22.0.5:51660" request="/oauth2/auth?client_id=CLT2&consent_verifier=e15246045770482ca0de70a11656c7db&nonce=fGtNHIR4pS23k7cjeuPNld_E6aMSFhGKogXiU3XrqUIYr&redirect_uri=http%3A%2F%2Fmy-clt2%3A81&response_type=id_token+token&scope=openid+profile+email&state=fGtNHIR4pS23k7cjeuPNld_E6aMSFhGKogXiU3XrqUIYr" status=302 text_status=Found took=114.9103ms

Session Data

nonce: fGtNHIR4pS23k7cjeuPNld_E6aMSFhGKogXiU3XrqUIYr	
id_token_expires_at: 1568283039000	
expires_at: 1568283040371	
access_token_stored_at: 1568279441370	
id_token_stored_at: 1568279441470	
id_token: eyJhbGciOiJSUzI1NiIsImtpZCI6InB1YmxpYzoxNTBmZDg3Ni1lMzEzLTRhYjYtOD...
access_token: Gtew9e0tBqrTm85uqUPj-vqYPbD1stSIVn3dZbFjWuU.QqLmh5g6UaS8AlVCwf...
id_token_claims_obj: {"at_hash":"1ik1L-HpW303kY-Zl8mLrw","aud":["CLT2"],"auth_time":1568278660,"exp":1568283039,"iat":1568279439,"iss":"http://127.0.0.1:4444/","jti":"3fb93089-6879-4115-a7a2-037018b08e0d","nonce":"fGtNHIR4pS23k7cjeuPNld_E6aMSFhGKogXiU3XrqUIYr","rat":1568279438,"sid":"ffddb6ec-628c-4282-be38-863a4e550d17","sub":"eyJlbmMiOiJBMTI4Q0JDLUhTMjU2IiwiYWxnIjoiZGlyIn0..3iE0-gprM2xiiaUWzRcqFg.4nNQNTaA70Cd_OvBD7FNMEN8tDkF-coamCYPxCdxVlGyQDEEHe_ElbebmZ44qoBLVmKgVUZ9iXSnZdRmELvmCA.w-sB4aOi3QLZxUWYx6g-6Q"}	
session_state: undefined	
granted_scopes: ["openid profile email"]

Ok, I found out what was going on thanks to discord, community!

When setting the remember to true then the hydra domain puts a cookie with data in the browser in order to remember the client for the server, for any client or domains!
That’s kind of weird, I thought it would remember the user for one client, not for all clients… so if you are multi-domain and manage many different clients, if set to true, a user would be able to authenticate silently on every client…

I guess it would be better to run one hydra per realm then to avoid that kind of problem.

That’s not weird behavior at all but standard OAuth2. Keep in mind that OAuth2 is not a “Login System”, it’s a 3rd Party Authorization Protocol. Always think of it from the perspective of e.g. Facebook Apps.

Hi Arekkas, thanks for your inputs. Please consider telling me about multi-tenancies. I would appreciate your inputs on that matter.
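The two `id_token_claims_obj` dumps in the question show the shared login session directly: both tokens carry the same `sid`, and the CLT2 token's `auth_time` dates from the CLT1 login. As an added example (not part of the thread and not code from Hydra), here is how a client that does not want to ride that shared session can request re-authentication with the standard OpenID Connect `prompt=login` / `max_age` parameters and verify `auth_time` on the returned ID token. Claim values are copied from the post; the function names, the 60-second limit and the `state`/`nonce` strings are assumptions.

```javascript
// Added example, not code from the thread. Claim values are copied from the two
// id_token_claims_obj dumps in the post; names and limits are assumptions.
const CLT1_CLAIMS = {
  aud: ["CLT1"], auth_time: 1568278659, iat: 1568278660,
  sid: "ffddb6ec-628c-4282-be38-863a4e550d17",
};
const CLT2_CLAIMS = {
  aud: ["CLT2"], auth_time: 1568278660, iat: 1568279439,
  sid: "ffddb6ec-628c-4282-be38-863a4e550d17",
};

// Two ID tokens with the same sid came out of one login session at the
// provider, whatever their audiences are.
function sharesLoginSession(a, b) {
  return typeof a.sid === "string" && a.sid === b.sid;
}

// Build the authorization request for a client that wants the user to
// authenticate again instead of reusing an existing provider session.
function buildAuthUrl(issuer, params, { forceLogin = false, maxAge = null } = {}) {
  const url = new URL("oauth2/auth", issuer);
  for (const [k, v] of Object.entries(params)) url.searchParams.set(k, v);
  if (forceLogin) url.searchParams.set("prompt", "login");
  if (maxAge !== null) url.searchParams.set("max_age", String(maxAge));
  return url.toString();
}

// Relying-party check on the returned ID token: the token must be for this
// client, and auth_time must be present and within maxAge seconds of `now`.
function checkFreshAuth(claims, expectedAud, maxAge, now, skew = 5) {
  const aud = [].concat(claims.aud ?? []); // aud may be a string or an array
  if (!aud.includes(expectedAud)) return { ok: false, reason: "wrong audience" };
  if (!Number.isInteger(claims.auth_time)) {
    return { ok: false, reason: "auth_time missing" };
  }
  const age = now - claims.auth_time;
  if (age < -skew) return { ok: false, reason: "auth_time in the future", age };
  if (age > maxAge + skew) {
    return { ok: false, reason: `authenticated ${age}s ago`, age };
  }
  return { ok: true, age };
}

// Evaluate each token at the moment it was issued (iat) with a 60 s limit.
console.log(sharesLoginSession(CLT1_CLAIMS, CLT2_CLAIMS));
console.log(checkFreshAuth(CLT1_CLAIMS, "CLT1", 60, CLT1_CLAIMS.iat));
console.log(checkFreshAuth(CLT2_CLAIMS, "CLT2", 60, CLT2_CLAIMS.iat));
console.log(buildAuthUrl("http://127.0.0.1:4444/", {
  response_type: "id_token token", client_id: "CLT2",
  redirect_uri: "http://my-clt2:81", scope: "openid profile email",
  state: "constructed-state", nonce: "constructed-nonce", // constructed values
}, { forceLogin: true, maxAge: 60 }));
```

In a real client `now` is the current time in seconds, and a failed check means restarting the authorization request rather than accepting the token.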