| 2021-06-08 18:01:04 |
Will Szumski |
description |
Steps to reproduce:
- Setup multiple identity providers as per kolla-ansible docs
- Log into horizon via first identity provider
- log out of horizon
- Try an login into another identity provider
- Hit: {"error":{"code":403,"message":"You are not authorized to perform the requested action.","title":"Forbidden"}} on keystone endpoint e.g: http://10.60.253.141:5000/v3/auth/OS-FEDERATION/identity_providers/test/protocols/openid/websso?origin=http://10.60.253.141/auth/websso/
These seems to be because the mod_auth_openidc_session cookie collides for two identity providers. I haven't managed to come up with a better workaround than to set a timeout on the session cookie:
OIDCSessionMaxDuration 15
This invalidates the mod_auth_openidc_session cookie. You still remain logged into horizon and the identity provider.
Here is a relevant bug report:
https://github.com/zmartzone/mod_auth_openidc/issues/66 |
Steps to reproduce:
- Setup multiple identity providers as per kolla-ansible docs
- Log into horizon via first identity provider
- log out of horizon
- Try an login into another identity provider
- Hit: {"error":{"code":403,"message":"You are not authorized to perform the requested action.","title":"Forbidden"}} on keystone endpoint e.g: http://10.60.253.141:5000/v3/auth/OS-FEDERATION/identity_providers/test/protocols/openid/websso?origin=http://10.60.253.141/auth/websso/
These seems to be because the mod_auth_openidc_session cookie collides for two identity providers. I haven't managed to come up with a better workaround than to set a timeout on the session cookie:
OIDCSessionMaxDuration 15
This invalidates the mod_auth_openidc_session cookie. You still remain logged into horizon and the identity provider.
Here is a relevant bug report:
https://github.com/zmartzone/mod_auth_openidc/issues/66
Looking for some suggestions for a proper fix. |
|
