nokia / kong-oidc

OIDC plugin for Kong
Apache License 2.0

Session valid for multiple realms. #113

Open shawnsarwar opened 5 years ago

shawnsarwar commented 5 years ago

I'm running into an issue where a session created on one realm is not restricted from accessing resources on a different realm for which the session should not be valid.

I've set up Kong routes aligning with two Keycloak realms like so:

/realm1/app/
/realm2/app/

Each realm has its own OIDC client with unique keys/name/client secret. I then add kong-oidc to each route with a configuration like:

```python
import requests  # assumed HTTP client behind the author's __post helper

# KEYCLOAK_URL, KONG_URL, realm, client_secrets and protected_route_id
# come from the surrounding script (not shown in the issue).
discovery_path = f'{KEYCLOAK_URL}realms/{realm}/.well-known/openid-configuration'
introspection_path = f'{KEYCLOAK_URL}realms/{realm}/protocol/openid-connect/token/introspect'
data = {
    'name': 'oidc',
    'config.client_id': f'{realm}-oidc',
    'config.client_secret': client_secrets[realm],
    'config.introspection_endpoint': introspection_path,
    'config.discovery': discovery_path,
    'config.realm': realm,
}
# Attach the plugin instance to the realm-specific route via Kong's Admin API.
confirmation = __post(url=f'{KONG_URL}/routes/{protected_route_id}/plugins', data=data)
```

Accessing /realm1/app, I'm redirected properly to the realm1 login, and similarly for realm2. However, if I'm logged into realm1 with an active session, I can still access /realm2/app. Looking at the app logs, the active session when accessing realm2 is still for realm1.

Am I missing some crucial setting?
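As an added example (not code from the issue reporter or the kong-oidc project), the following Python model shows the check whose absence produces the behaviour described above: each session is recorded with the issuer it was established against, and a request is only accepted if that issuer matches the realm configured on the route being accessed. Everything here is constructed for illustration: the `KEYCLOAK_URL` value, the `RouteConfig`/`Session` types and the `decide` function are hypothetical and do not describe the plugin's internal implementation; the two routes and the realm1/realm2 scenario mirror the report.

```python
"""Per-route realm check for OIDC sessions (constructed example).

Two gateway routes are fronted by two OIDC plugin instances, one per Keycloak
realm. A session carries the issuer (``iss``) it was established against and
is accepted only when that issuer matches the realm configured for the route.
"""
from dataclasses import dataclass
from typing import Dict, Optional

# Constructed value standing in for the reporter's KEYCLOAK_URL.
KEYCLOAK_URL = "https://keycloak.example.test/auth/"


@dataclass(frozen=True)
class RouteConfig:
    """Subset of the per-route plugin config shown in the issue."""
    path: str
    realm: str
    discovery: str

    @property
    def expected_issuer(self) -> str:
        # Keycloak serves the discovery document directly under the issuer URL,
        # so stripping the well-known suffix yields the realm's issuer.
        return self.discovery.rsplit("/.well-known/", 1)[0]


@dataclass(frozen=True)
class Session:
    """What the browser's session cookie resolves to on the gateway side."""
    subject: str
    issuer: str  # ``iss`` claim of the ID token that created the session


def route_config(realm: str, path: str) -> RouteConfig:
    """Mirror the discovery_path construction from the issue report."""
    discovery = f"{KEYCLOAK_URL}realms/{realm}/.well-known/openid-configuration"
    return RouteConfig(path=path, realm=realm, discovery=discovery)


def session_valid_for_route(session: Optional[Session], route: RouteConfig) -> bool:
    """Accept the session only if it was issued by this route's realm.

    Without this comparison any live session, whatever realm created it,
    passes, which is the cross-realm access described in the issue.
    """
    if session is None:
        return False
    return session.issuer == route.expected_issuer


def decide(session: Optional[Session], route: RouteConfig) -> str:
    """Return the gateway's decision for a request carrying ``session``."""
    if session_valid_for_route(session, route):
        return "allow"
    # No usable session for this realm: start this realm's own login flow.
    return f"redirect:{route.realm}-login"


def build_routes() -> Dict[str, RouteConfig]:
    """The two realm-aligned routes from the report."""
    return {
        "/realm1/app": route_config("realm1", "/realm1/app"),
        "/realm2/app": route_config("realm2", "/realm2/app"),
    }


def login(route: RouteConfig, subject: str) -> Session:
    """Simulate completing the OIDC login at the route's realm."""
    return Session(subject=subject, issuer=route.expected_issuer)


def scenario_from_issue() -> Dict[str, str]:
    """Reproduce the report: log in at realm1, then request both routes."""
    routes = build_routes()
    sess = login(routes["/realm1/app"], "alice")
    return {
        "/realm1/app": decide(sess, routes["/realm1/app"]),
        "/realm2/app": decide(sess, routes["/realm2/app"]),
    }


if __name__ == "__main__":
    for path, outcome in scenario_from_issue().items():
        print(f"{path}: {outcome}")
```

With the issuer comparison in place the realm1 session is allowed on `/realm1/app` and sent to the realm2 login on `/realm2/app`; the reported behaviour corresponds to `session_valid_for_route` returning true for any non-empty session regardless of `route.expected_issuer`.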

shawnsarwar commented 5 years ago

Any thoughts on this?

carlosrmendes commented 2 years ago

any update regarding this issue?

carlosrmendes commented 2 years ago

@shawnsarwar, have you found any workarounds for this?

shawnsarwar commented 2 years ago

Hey @carlosrmendes. I was a bad community member and forked the crap out of it, then didn't try to patch upstream. Still not sure if it's a bug, but it wasn't what we wanted so I fixed it. https://github.com/eHealthAfrica/kong-oidc-auth

FYI, I no longer work there and this is the only time I've worked with Lua, so please do give it a once over before you put any state secrets behind the fork.