Comment 0 for bug 1931293

Will Szumski (willjs) wrote :

Steps to reproduce:

- Set up multiple identity providers as per kolla-ansible docs
- Log into horizon via first identity provider
- Log out of horizon
- Try to log into another identity provider
- Hit: {"error":{"code":403,"message":"You are not authorized to perform the requested action.","title":"Forbidden"}} on keystone endpoint e.g: http://10.60.253.141:5000/v3/auth/OS-FEDERATION/identity_providers/test/protocols/openid/websso?origin=http://10.60.253.141/auth/websso/

This seems to be because the mod_auth_openidc_session cookie collides for two identity providers. I haven't managed to come up with a better workaround than to set a timeout on the session cookie:

OIDCSessionMaxDuration 15

This invalidates the mod_auth_openidc_session cookie. You still remain logged into horizon and the identity provider.

Here is a relevant bug report:

https://github.com/zmartzone/mod_auth_openidc/issues/66