This seems to be because the mod_auth_openidc_session cookie collides for two identity providers. I haven't managed to come up with a better workaround than to set a timeout on the session cookie:
OIDCSessionMaxDuration 15
This invalidates the mod_auth_openidc_session cookie. You still remain logged into horizon and the identity provider.
Steps to reproduce:
- Set up multiple identity providers as per kolla-ansible docs
- Log into horizon via first identity provider
- Log out of horizon
- Try and log in to another identity provider
- Hit: {"error":{"code":403,"message":"You are not authorized to perform the requested action.","title":"Forbidden"}} on keystone endpoint e.g: http://10.60.253.141:5000/v3/auth/OS-FEDERATION/identity_providers/test/protocols/openid/websso?origin=http://10.60.253.141/auth/websso/
Here is a relevant bug report:
https://github.com/zmartzone/mod_auth_openidc/issues/66