mod_auth_openidc_session collision with multiple identity providers

Bug #1931293 reported by Will Szumski
This bug affects 1 person
Affects        Status    Importance  Assigned to  Milestone
kolla-ansible  Triaged   Medium      Unassigned
  Wallaby      New       Medium      Unassigned
  Xena         Triaged   Medium      Unassigned

Bug Description

Steps to reproduce:

- Setup multiple identity providers as per kolla-ansible docs
- Log into horizon via first identity provider
- Log out of horizon
- Try to log in via another identity provider
- Hit: {"error":{"code":403,"message":"You are not authorized to perform the requested action.","title":"Forbidden"}} on the keystone endpoint, e.g.: http://10.60.253.141:5000/v3/auth/OS-FEDERATION/identity_providers/test/protocols/openid/websso?origin=http://10.60.253.141/auth/websso/

This seems to be because the mod_auth_openidc_session cookie collides for two identity providers. I haven't managed to come up with a better workaround than to set a timeout on the session cookie:

OIDCSessionMaxDuration 15

This invalidates the mod_auth_openidc_session cookie. You still remain logged into horizon and the identity provider.

Here is a relevant bug report:

https://github.com/zmartzone/mod_auth_openidc/issues/66

Looking for some suggestions for a proper fix.
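To make the cookie-collision point concrete, here is an added example (mine, not code from the bug report, kolla-ansible or mod_auth_openidc) that models RFC 6265 cookie storage and path matching for the two-provider flow on one Keystone host. The Keystone URL and the provider name "test" come from the report; the provider "second", the /redirect_uri path and every Set-Cookie header are constructed, and the per-provider Path scoping in `simulate(scoped=True)` is a hypothetical to show what would change.

```python
"""Model of browser cookie scoping (RFC 6265) for two mod_auth_openidc
identity-provider Locations on one Keystone host. Added example: not code
from the bug report, kolla-ansible or mod_auth_openidc. KEYSTONE and the
provider "test" are from the report; "second", /redirect_uri and all
Set-Cookie headers are constructed."""
from dataclasses import dataclass
from urllib.parse import urlsplit

KEYSTONE = "http://10.60.253.141:5000"       # from the report
SESSION_COOKIE = "mod_auth_openidc_session"  # module's default cookie name


@dataclass(frozen=True)
class Cookie:
    name: str
    value: str
    domain: str
    path: str


def default_path(request_path):
    """RFC 6265 s5.1.4: request-path up to but excluding the right-most '/'."""
    if not request_path.startswith("/") or request_path.count("/") == 1:
        return "/"
    return request_path[: request_path.rfind("/")]


def path_match(request_path, cookie_path):
    """RFC 6265 s5.1.4 path-match algorithm."""
    if request_path == cookie_path:
        return True
    if request_path.startswith(cookie_path):
        return cookie_path.endswith("/") or request_path[len(cookie_path)] == "/"
    return False


def parse_set_cookie(header, request_url):
    """Minimal Set-Cookie parser: name=value, then ';'-separated attributes."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for p in parts[1:]:
        k, _, v = p.partition("=")
        attrs[k.strip().lower()] = v.strip()
    url = urlsplit(request_url)
    return Cookie(name.strip(), value,
                  (attrs.get("domain") or url.hostname).lower(),
                  attrs.get("path") or default_path(url.path))


class CookieJar:
    """Just enough of a browser jar to show which cookies a request carries."""
    def __init__(self):
        self._store = {}

    def __len__(self):
        return len(self._store)

    def store(self, header, request_url):
        c = parse_set_cookie(header, request_url)
        # RFC 6265 s5.3 step 11: same (name, domain, path) replaces the old
        # cookie. The identity provider that issued it is not part of the key.
        self._store[(c.name, c.domain, c.path)] = c
        return c

    def cookies_for(self, request_url):
        url = urlsplit(request_url)
        return [c for c in self._store.values()
                if c.domain == url.hostname.lower() and path_match(url.path, c.path)]


def websso_url(idp):
    return f"{KEYSTONE}/v3/auth/OS-FEDERATION/identity_providers/{idp}/protocols/openid/websso"


def login_via(jar, idp, cookie_path):
    """Constructed: the Set-Cookie the module's callback at /redirect_uri would
    send after a successful login at `idp`, with the given Path attribute."""
    header = f"{SESSION_COOKIE}=sess-from-{idp}; Path={cookie_path}; HttpOnly"
    return jar.store(header, f"{KEYSTONE}/redirect_uri")


def sessions_presented_to(jar, idp):
    """Session values the browser would send to `idp`'s websso Location."""
    return [c.value for c in jar.cookies_for(websso_url(idp)) if c.name == SESSION_COOKIE]


def provider_cookie_path(idp):
    """Hypothetical per-provider scoping: Path limited to the IdP's own subtree."""
    return f"/v3/auth/OS-FEDERATION/identity_providers/{idp}/"


def simulate(scoped):
    """Log in via 'test', then look at a request to 'second'. With the default
    Path=/ the 'test' session is presented to 'second' (the collision in the
    report) and the second login overwrites it; with per-provider paths neither
    happens."""
    jar = CookieJar()
    login_via(jar, "test", provider_cookie_path("test") if scoped else "/")
    leaked = sessions_presented_to(jar, "second")
    login_via(jar, "second", provider_cookie_path("second") if scoped else "/")
    return {"test_session_seen_by_second": leaked,
            "sessions_stored_after_both_logins": len(jar)}


if __name__ == "__main__":
    print("default Path=/   :", simulate(scoped=False))
    print("per-provider Path:", simulate(scoped=True))
```

The collision lives in the jar's key: a cookie is stored and matched on (name, domain, path), so two Locations on one host that both use the default name and Path=/ share one session, and the second provider's callback overwrites the first's. mod_auth_openidc's OIDCCookie and OIDCCookiePath directives set the cookie name and Path attribute; scoping them per Location as in simulate(scoped=True) keeps the two sessions apart, but the module's state and session cookies must still reach the OIDCRedirectURI, so whether a narrowed path is usable depends on where that redirect URI sits in the kolla-ansible layout, which this model does not cover. The OIDCSessionMaxDuration 15 workaround from the report shortens the shared cookie's lifetime rather than separating the sessions.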
