help request: openid-connect different clients unexpectedly shared the same auth session #11229
Comments
Can you describe this behaviour in more detail? Is it like:
Yes of course, sorry if I was not precise enough.
Instead it is like you described: user A is also logged in to app2, instead of being asked for credentials for app2.
That is so very strange... Especially if you said using different session secrets also doesn't work as intended. I understand your issue now but I'm working on other things at the moment. I can surely circle back when I have time.
That would be really great.
I encountered the same issue, and I had made a pull request #11286 to solve this problem. Test passed.
Description
Hi,
first of all, thanks a lot for that great piece of software. So far the only open source gateway that has (almost) all you need.
I am just facing one issue that I am not sure about, if it is intended or if I might be doing something wrong.
I have 2 apps, each with a frontend and a backend, running under different hosts.
These are handled in an APISIX instance together with Keycloak as IdP and the OIDC plugin.
My Keycloak has 2 different clients, one for App A and one for App B.
I defined rules in APISIX to use the corresponding client-id and client-secret according to path and host.
So something like that:
The behaviour I would have expected here is that when logging into A, a session for A is created. And when accessing B, APISIX would recognize that this is a different app with a different client and a different session secret, and therefore the session from A should not be applied here and another login is enforced when accessing web2.
Instead I am simply also already logged in against B with the user from A.
The only way I can think of atm to overcome this is running one APISIX instance per application, but that's probably not how it should be.. So what I would like to have is that a session is only valid for the client we used for login, or some other way to configure the scope of session validity. The easiest way would probably be to simply define the session-cookie name that is checked against. As far as I can see, cookies always identify like "session=", and if something like that is found, it is simply treated as authenticated. Using different session secrets also didn't do the job.
So am I missing something here, or is this intended? And if not, could this be added? Would be a really helpful feature :)
Best regards
Robert
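As an added illustration (not code from APISIX, from the openid-connect plugin, or from anyone in this thread), the following Python models the session scoping the reporter asks for: a session cookie is signed with the route's own secret and bound to the OIDC client that issued it, so a login on app A is not accepted on app B. The `Route`, `issue_session` and `validate_session` names, the constructed secrets and the `bind_client` switch are assumptions of this model, not plugin options; the model only shows why per-route cookie names, per-route secrets and a client binding each close the cross-app reuse independently.

```python
"""Model of per-route session binding for an OIDC gateway (added illustration, not APISIX code)."""
from __future__ import annotations

import base64
import hashlib
import hmac
import json
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Route:
    """Constructed stand-in for one gateway route protected by one OIDC client."""
    name: str
    client_id: str
    session_secret: bytes
    cookie_name: str = "session"  # the single cookie name the reporter observed


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_session(route: Route, user: str) -> tuple[str, str]:
    """Create a signed session cookie that records which OIDC client logged the user in."""
    payload = json.dumps({"sub": user, "client_id": route.client_id}, sort_keys=True).encode()
    tag = hmac.new(route.session_secret, payload, hashlib.sha256).digest()
    return route.cookie_name, f"{_b64(payload)}.{_b64(tag)}"


def validate_session(route: Route, cookies: dict[str, str], bind_client: bool = True) -> Optional[str]:
    """Return the logged-in user if the cookie jar holds a session valid for this route.

    bind_client=False models a gateway that only checks the signature (the behaviour the
    issue reports when routes share a secret); bind_client=True is the requested behaviour.
    """
    value = cookies.get(route.cookie_name)
    if value is None or "." not in value:
        return None  # no cookie issued under this route's cookie name
    payload_b64, tag_b64 = value.rsplit(".", 1)
    try:
        payload = _unb64(payload_b64)
        tag = _unb64(tag_b64)
        claims = json.loads(payload)
    except (ValueError, UnicodeDecodeError):
        return None  # malformed cookie
    expected = hmac.new(route.session_secret, payload, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        return None  # signed under a different route's session secret
    if bind_client and claims.get("client_id") != route.client_id:
        return None  # session was issued for another OIDC client
    return claims.get("sub")


def session_leaks_across_apps(route_a: Route, route_b: Route, bind_client: bool = True) -> bool:
    """Log in on route A, then present the same cookie jar to route B."""
    name, value = issue_session(route_a, "alice")
    jar = {name: value}
    return validate_session(route_b, jar, bind_client=bind_client) is not None


if __name__ == "__main__":
    # Constructed sample routes: app A, and three candidate configurations for app B.
    app_a = Route("app-a", "client-a", b"secret-a")
    b_shared = Route("app-b", "client-b", b"secret-a")                          # same secret, same cookie name
    b_own_secret = Route("app-b", "client-b", b"secret-b")                      # distinct session secret
    b_own_cookie = Route("app-b", "client-b", b"secret-a", cookie_name="sess_b")  # distinct cookie name
    print("shared secret, signature only :", session_leaks_across_apps(app_a, b_shared, bind_client=False))
    print("shared secret, client bound   :", session_leaks_across_apps(app_a, b_shared))
    print("own secret                    :", session_leaks_across_apps(app_a, b_own_secret, bind_client=False))
    print("own cookie name               :", session_leaks_across_apps(app_a, b_own_cookie, bind_client=False))
```

Only the first configuration (shared secret, shared cookie name, no client binding) lets app A's login through on app B; each of the other three changes blocks it on its own, which is why a gateway that keys sessions per route should expose at least one of them.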