RobWagMLP opened a new issue, #11229:
URL: https://github.com/apache/apisix/issues/11229
### Description
Hi,
first of all, thanks a lot for that great piece of software. So far the only
open source gateway that has (almost) all you need.
I am just facing one issue that I am not sure about: whether it is intended or
whether I might be doing something wrong.
I have 2 apps, with a frontend and a backend each, running under
different hosts.
These are handled in an apisix instance together with Keycloak as IdP and the
oidc plugin.
My Keycloak has 2 different clients, one for App A and one for App B.
I defined rules in apisix to use the corresponding client-id and
client-secret according to path and host.
So something like that:
```
- uri: /web/app1
  hosts:
    - app1.mydomain.de
  plugins:
    openid-connect:
      client_id: ${client_id_a}
      client_secret: ${client_secret_a}
      discovery: "{kc_uri}/realms/{kc_realm}/.well-known/openid-configuration"
      realm: "{kc_realm}"
      unauth_action: auth
      logout_path: /logout
      session:
        secret: ${session_secret_a}
  upstream:
    type: roundrobin
    discovery_type: dns
    nodes:
      "internal-web.domain.node_a": 1
- uri: /api/*
  hosts:
    - app1.mydomain.de
  plugins:
    openid-connect:
      client_id: ${client_id_a}
      client_secret: ${client_secret_a}
      discovery: "{kc_uri}/realms/{kc_realm}/.well-known/openid-configuration"
      realm: "{kc_realm}"
      unauth_action: deny
      logout_path: /logout
      session:
        secret: ${session_secret_a}
  upstream:
    type: roundrobin
    discovery_type: dns
    nodes:
      "internal-api.domain.node_a": 1
- uri: /web/app2
  hosts:
    - app2.mydomain.de
  plugins:
    openid-connect:
      client_id: ${client_id_b}
      client_secret: ${client_secret_b}
      discovery: "{kc_uri}/realms/{kc_realm}/.well-known/openid-configuration"
      realm: "{kc_realm}"
      unauth_action: auth
      session:
        secret: ${session_secret_b}
  upstream:
    type: roundrobin
    discovery_type: dns
    nodes:
      "internal-web.domain.node_b": 1
- uri: /api/*
  hosts:
    - app2.mydomain.de
  plugins:
    openid-connect:
      client_id: ${client_id_b}
      client_secret: ${client_secret_b}
      discovery: "{kc_uri}/realms/{kc_realm}/.well-known/openid-configuration"
      realm: "{kc_realm}"
      unauth_action: deny
      session:
        secret: ${session_secret_b}
  upstream:
    type: roundrobin
    discovery_type: dns
    nodes:
      "internal-api.domain.node_b": 1
```
The behaviour I would have expected here is that when logging into A, a
session for A is created. And when accessing B, apisix would recognize that
this is a different app with a different client and different session secret,
and therefore the session from A should not be applied here and another login is
enforced when accessing web2.
Instead I am simply also already logged in against B with the user from A.
The only way I can think of atm to overcome this is running one apisix
instance per application, but that's probably not how it should be.. So what I
would like to have is that a session is only valid for the client we used for
login, or some other way to configure the scope of session validity. The easiest
way would probably be to simply define the session-cookie name that is checked
against. As far as I can see cookies always identify like "session=", and if
something like that is found, it is simply treated as authenticated. Using
different session secrets also didn't do the job.
So am I missing something here, or is this intended? And if not, could this
be added? Would be a really helpful feature :)
Best regards
Robert
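A check for the isolation the post expects, as an added example that is not code from the issue or from APISIX: it replays the session cookie obtained on app A against app B's protected route and reports whether B serves content or sends the client to the IdP. The app and IdP hostnames and the cookie value are assumed placeholders; `urllib_transport` needs network access to a real gateway, while `shared_session_transport` is a constructed stand-in that reproduces the reported behaviour offline.

```python
from dataclasses import dataclass, field
from typing import Callable, Dict, Optional
from urllib.parse import urlparse
import urllib.error
import urllib.request

@dataclass
class Response:
    status: int
    headers: Dict[str, str] = field(default_factory=dict)

# transport(url, cookie_header_or_None) -> Response, never following redirects,
# so a redirect to the IdP is observable as the response itself.
Transport = Callable[[str, Optional[str]], Response]

class _NoRedirect(urllib.request.HTTPRedirectHandler):
    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None  # surface 3xx as HTTPError instead of following it

def urllib_transport(url: str, cookie: Optional[str]) -> Response:
    """Real transport against a deployed gateway (needs network access)."""
    req = urllib.request.Request(url, headers={"Cookie": cookie} if cookie else {})
    try:
        with urllib.request.build_opener(_NoRedirect).open(req, timeout=10) as r:
            return Response(r.status, dict(r.headers))
    except urllib.error.HTTPError as e:
        return Response(e.code, dict(e.headers))

def redirects_to_idp(resp: Response, idp_host: str) -> bool:
    if resp.status not in (301, 302, 303, 307, 308):
        return False
    return urlparse(resp.headers.get("Location", "")).hostname == idp_host

def check_session_isolation(app_b_url: str, cookie_from_a: str, idp_host: str,
                            transport: Transport) -> Dict[str, object]:
    """Replay app A's session cookie against app B's protected route.
    isolated=True: B ignores the foreign cookie (IdP redirect or 401/403).
    isolated=False: B serves content, i.e. A's session also logs the user in to B."""
    baseline = transport(app_b_url, None)         # no cookie: must be unauthenticated
    replay = transport(app_b_url, cookie_from_a)  # A's cookie presented to B
    unauth = replay.status in (401, 403) or redirects_to_idp(replay, idp_host)
    return {"baseline_status": baseline.status, "replay_status": replay.status,
            "baseline_unauthenticated": baseline.status in (401, 403)
            or redirects_to_idp(baseline, idp_host), "isolated": unauth}

# Constructed transport reproducing the behaviour reported above: any request
# carrying a session cookie is served as authenticated, whatever host it is for.
def shared_session_transport(url: str, cookie: Optional[str]) -> Response:
    if cookie:
        return Response(200, {"Content-Type": "text/html"})
    return Response(302, {"Location": "https://kc.example.test/realms/demo/protocol/openid-connect/auth"})
```

Run it against a real deployment by capturing the `session=` cookie from a login on app1 and passing `urllib_transport`; a result with `isolated` false and `replay_status` 200 is the cross-app login described in the post.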
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.