Open shawnsarwar opened 5 years ago
Any thoughts on this?
any update regarding this issue?
@shawnsarwar, have you found any workarounds for this?
Hey @carlosrmendes. I was a bad community member and forked the crap out of it, then didn't try to patch upstream. Still not sure if it's a bug, but it wasn't what we wanted so I fixed it. https://github.com/eHealthAfrica/kong-oidc-auth
FYI, I no longer work there and this is the only time I've worked with Lua, so please do give it a once-over before you put any state secrets behind the fork.
I'm running into an issue where a session created on one realm is not restricted from accessing resources on a different realm for which the session should not be valid.
I've setup kong routes aligning with two keycloak realms like so:
/realm1/app/
/realm2/app/
Each realm has its own OIDC client with unique keys/name/client secret. I then add kong-oidc to each route with a configuration like:
Accessing `/realm1/app` I'm redirected properly to the `realm1` login, and similarly for `realm2`. However, if I'm logged into `realm1` with an active session, I can still access `/realm2/app`. Looking at the app logs, the active session when accessing `realm2` is still for `realm1`. Am I missing some crucial setting?
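The behaviour described in the issue is a session that was minted by one realm's login being accepted on a route protected by a different realm. The example below is an added illustration, not code from the issue, from kong-oidc or from the eHealthAfrica fork: it models the two routes from the issue in plain Python, shows the unscoped check that accepts any live session anywhere, and beside it a check that records the issuing realm in the session at login time and refuses the session on a route whose realm does not match. The route table, the session store, the cookie name `session` and the session ids are constructed assumptions for the demonstration.

```python
"""Added example: binding an OIDC session to the realm that issued it.

Not part of the issue or of any kong-oidc code; the route table, session
store, cookie name and session ids below are constructed for the demo.
"""
from dataclasses import dataclass
from typing import Dict, Optional

# Constructed route table mirroring the two Kong routes in the issue:
# path prefix -> realm whose OIDC client protects it.
ROUTE_REALMS: Dict[str, str] = {
    "/realm1/app": "realm1",
    "/realm2/app": "realm2",
}


@dataclass(frozen=True)
class Session:
    """Server-side session record. `realm` is written once, when the login
    callback for that realm completes, and never updated afterwards."""
    user: str
    realm: str


@dataclass
class Request:
    path: str
    cookies: Dict[str, str]  # cookie name -> session id, as the browser sends them


# Constructed session store: the browser has completed a realm1 login only.
SESSION_STORE: Dict[str, Session] = {
    "sid-realm1-alice": Session(user="alice", realm="realm1"),
}


def realm_for_path(path: str) -> Optional[str]:
    """Longest-prefix match of the request path against the protected routes.
    Returns None for paths no route claims, so the caller denies by default."""
    best = None
    for prefix, realm in ROUTE_REALMS.items():
        if path == prefix or path.startswith(prefix + "/"):
            if best is None or len(prefix) > len(best[0]):
                best = (prefix, realm)
    return best[1] if best else None


def lookup_session(request: Request) -> Optional[Session]:
    """One shared cookie name for every route, as in the issue's setup."""
    return SESSION_STORE.get(request.cookies.get("session", ""))


def authorize_unscoped(request: Request) -> bool:
    """The behaviour reported in the issue: any live session passes, whichever
    realm created it and whichever realm the route belongs to."""
    return lookup_session(request) is not None


def authorize_scoped(request: Request) -> bool:
    """Hardened check: resolve the realm that protects this route and require
    the session to have been created by exactly that realm. A mismatch is
    treated as no session at all, which sends the user to the right login."""
    route_realm = realm_for_path(request.path)
    if route_realm is None:
        return False
    session = lookup_session(request)
    return session is not None and session.realm == route_realm


def demo() -> Dict[str, bool]:
    """Run both checks for the same realm1 session against both routes."""
    jar = {"session": "sid-realm1-alice"}  # constructed browser cookie jar
    own = Request("/realm1/app", jar)
    other = Request("/realm2/app", jar)
    return {
        "unscoped_realm1": authorize_unscoped(own),
        "unscoped_realm2": authorize_unscoped(other),  # True: the reported bug
        "scoped_realm1": authorize_scoped(own),
        "scoped_realm2": authorize_scoped(other),      # False: cross-realm session refused
    }


if __name__ == "__main__":
    for name, allowed in demo().items():
        print(f"{name}: {'allowed' if allowed else 'denied'}")
```

The realm (or, equivalently, the issuer URL from the ID token) must be stored with the session when the login callback completes; checking it on every request is what stops a realm1 session from satisfying a realm2 route. Giving each route its own cookie name or cookie `Path` is a useful second layer, because the browser then stops presenting realm1's cookie on realm2's paths at all, but it is not a substitute for the realm comparison, since a cookie can still be replayed under another name.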