This repository was archived by the owner on Dec 24, 2023. It is now read-only.

The session is valid for multiple realms, how to avoid that? #22

Open
carlosrmendes opened this issue Oct 3, 2021 · 3 comments

Comments

@carlosrmendes

carlosrmendes commented Oct 3, 2021

I'm running into an issue where a session created on one realm is not restricted from accessing resources on a different realm for which the session should not be valid.

I've setup kong routes aligning with two keycloak realms like so:

/realm1/app/
/realm2/app/

Each realm has its own OIDC client with unique keys/name/client secret. I then add the related kong-oidc to each route.

Accessing /realm1/app, I'm redirected properly to the realm1 login, and similarly for realm2. However, if I'm logged into realm1 with an active session, I can still access /realm2/app. Looking at the app logs, the active session when accessing realm2 is still for realm1.

Am I missing some crucial setting?

@cristichiru

cristichiru commented Oct 5, 2021

I am not sure the python method you used handles session cookies like a browser. The session cookie name is oidc_session by default; it can be changed by setting the Kong runtime env KONG_X_SESSION_NAME=oidc_session.
It should be bound to domain/path.

Did not use the plugin so far in the way you are trying. Programmatically I would not use it like that unless you want to simulate user behavior in a user-agent (browser).

In the browser, accessing resources from realm1 will redirect to login the first time.
If in the same browser session I am accessing a resource from realm2, it will prompt me again to log in, to the 2nd realm. We actually have this use case, and it works as expected.

@carlosrmendes
Author

carlosrmendes commented Oct 7, 2021

Hi @cristichiru, first of all thanks for your concern! 🙂

Forget the python part... no, I'm using the kong helm chart, which deploys kong-ingress-controller, and using the image revomatico/docker-kong-oidc:2.6.0-1.

Then I create two oidc plugins, for two different realms, master and myrealm:

```yaml
kind: KongClusterPlugin
apiVersion: configuration.konghq.com/v1
metadata:
  name: oidc-master
  annotations:
    kubernetes.io/ingress.class: kong
plugin: oidc
config:
  client_id: master-client
  client_secret: xxxxxxx-xxxxx-xxxxxx-xxx-xxxxx
  realm: master
  scope: openid
  discovery: https://my.example.com/auth/realms/master/.well-known/openid-configuration
  introspection_endpoint: https://my.example.com/auth/realms/master/protocol/openid-connect/token/introspect
---
kind: KongClusterPlugin
apiVersion: configuration.konghq.com/v1
metadata:
  name: oidc-myrealm
  annotations:
    kubernetes.io/ingress.class: kong
plugin: oidc
config:
  client_id: myrealm-client
  client_secret: xxxxxxx-xxxxx-xxxxxx-xxx-xxxxx
  realm: myrealm
  scope: openid
  discovery: https://my.example.com/auth/realms/myrealm/.well-known/openid-configuration
  introspection_endpoint: https://my.example.com/auth/realms/myrealm/protocol/openid-connect/token/introspect
```

Then I enable each oidc plugin on the respective ingress (route):

```yaml
kind: Ingress
apiVersion: networking.k8s.io/v1
metadata:
  name: master-ingress
  annotations:
    kubernetes.io/ingress.class: kong
    konghq.com/protocols: https
    konghq.com/plugins: oidc-master
spec:
  rules:
  - host: my.example.com
    http:
      paths:
      - path: /master
        pathType: ImplementationSpecific
        backend:
          service:
            name: master-svc
            port:
              name: http
---
kind: Ingress
apiVersion: networking.k8s.io/v1
metadata:
  name: myrealm-ingress
  annotations:
    kubernetes.io/ingress.class: kong
    konghq.com/protocols: https
    konghq.com/plugins: oidc-myrealm
spec:
  rules:
  - host: my.example.com
    http:
      paths:
      - path: /myrealm
        pathType: ImplementationSpecific
        backend:
          service:
            name: myrealm-svc
            port:
              name: http
```

Checking on the kong api, I can confirm that both plugins are enabled on each route.
Accessing both routes without an active session, I'm being redirected to the correct realm login page, but if I'm logged into the master realm with an active session, I can still access the /myrealm endpoint without being prompted to log in on realm myrealm.

So:

> In the browser, accessing resources from realm1 will redirect to login the first time.
> If in the same browser session I am accessing a resource from realm2, it will prompt me again to log in, to the 2nd realm. We actually have this use case, and it works as expected.

is not true in my use case.

@carlosrmendes
Author

carlosrmendes commented Oct 7, 2021

Just a note: this behavior is occurring both with session_storage: cookie and session_storage: memcache.
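
The hint above is that the session cookie is bound to domain/path. Since both routes in this thread sit on the same host (my.example.com, paths /master and /myrealm), a browser decides whether to send the session cookie to the other route purely by cookie name and Path. The script below is an added diagnostic, not code from kong-oidc or from anyone in the thread: it applies RFC 6265 path matching to Set-Cookie headers and reports a cookie that would be sent to a different realm's route. The Set-Cookie lines and values are constructed; the cookie name is the default oidc_session mentioned above.

```python
"""Check whether a session cookie issued on one realm route would also be sent
by a browser to another realm route on the same host (added example)."""
from http.cookies import SimpleCookie
from urllib.parse import urlsplit

# Constructed sample: the Set-Cookie a browser gets after login via each route.
# Both share the default cookie name and Path=/ (made-up values, same host).
SAMPLE_SET_COOKIES = {
    "https://my.example.com/master": "oidc_session=c2Vzc2lvbi1tYXN0ZXI; Path=/; Secure; HttpOnly",
    "https://my.example.com/myrealm": "oidc_session=c2Vzc2lvbi1teXJlYWxt; Path=/; Secure; HttpOnly",
}

def default_path(request_path: str) -> str:
    """RFC 6265 5.1.4 default-path used when Set-Cookie carries no Path."""
    if not request_path.startswith("/") or request_path.count("/") == 1:
        return "/"
    return request_path[:request_path.rfind("/")]

def path_matches(cookie_path: str, request_path: str) -> bool:
    """RFC 6265 5.1.4 path-match: would a cookie scoped to cookie_path be sent?"""
    if cookie_path == request_path:
        return True
    if not request_path.startswith(cookie_path):
        return False
    return cookie_path.endswith("/") or request_path[len(cookie_path)] == "/"

def cookie_scope(set_cookie: str, issuing_url: str):
    """Return (name, effective path) for a single Set-Cookie header value."""
    jar = SimpleCookie()
    jar.load(set_cookie)
    (name, morsel), = jar.items()
    path = morsel["path"] or default_path(urlsplit(issuing_url).path)
    return name, path

def cross_route_cookies(set_cookies: dict) -> list:
    """(name, issued on, also sent to) for every cookie whose name and path
    also match another route, i.e. one realm's session reaches the other."""
    scopes = {url: cookie_scope(sc, url) for url, sc in set_cookies.items()}
    leaks = []
    for issuer, (name, path) in scopes.items():
        for other in set_cookies:
            other_name, _ = scopes[other]
            if other != issuer and name == other_name and \
                    path_matches(path, urlsplit(other).path):
                leaks.append((name, issuer, other))
    return leaks

if __name__ == "__main__":
    for name, src, dst in cross_route_cookies(SAMPLE_SET_COOKIES):
        print(f"{name} set on {src} is also sent to {dst}")
```

Replace the sample with the real Set-Cookie headers captured from each route's login redirect; an empty result means the browser keeps the two realms' sessions apart.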
