RobWagMLP opened a new issue, #11229: URL: https://github.com/apache/apisix/issues/11229
### Description Hi, first of all, thanks a lot for that great piece of software. So far the only open source gateway that has (almost) all you need. I am just facing one issue, that i am not sure about, if it is intended or if i might be doing something wrong. I am having 2 apps, with a frontend and a backend each, running under different hosts. These are handled in an apisisx-instance together with keycloak as idp and oidc-plugin. my keycloak has 2 different clients, one for App A and one for App B. I defined rules in apisix, to use the corresponding client-id and client-secret according to path and host. So something like that: ``` - uri: /web/app1 hosts: - app1.mydomain.de plugins: openid-connect: client_id: ${client_id_a} client_secret: ${client_secret_a} discovery: {kc_uri}/realms/{kc_realm}/.well-known/openid-configuration realm: {kc_realm} unauth_action: auth logout_path: /logout session: secret: ${session_secret_a} upstream: type: roundrobin discovery_type: dns nodes: "internal-web.domain.node_a": 1 1- uri: /api/* hosts: - app1.mydomain.de plugins: openid-connect: client_id: ${client_id_a} client_secret: ${client_secret_a} discovery: {kc_uri}/realms/{kc_realm}/.well-known/openid-configuration realm: {kc_realm} unauth_action: deny logout_path: /logout session: secret: ${session_secret_a} upstream: type: roundrobin discovery_type: dns nodes: "internal-api.domain.node_a": 1 - uri: /web/app2 hosts: - app2.mydomain.de plugins: openid-connect: client_id: ${client_id_b} client_secret: ${client_secret_b} discovery: {kc_uri}/realms/{kc_realm}/.well-known/openid-configuration realm: {kc_realm} unauth_action: auth session: secret: ${session_secret_b} upstream: type: roundrobin discovery_type: dns nodes: "internal-web.domain.node_b": 1 1- uri: /api/* hosts: hosts: - app2.mydomain.de plugins: openid-connect: client_id: ${client_id_b} client_secret: ${client_secret_b} discovery: {kc_uri}/realms/{kc_realm}/.well-known/openid-configuration realm: {kc_realm} unauth_action: deny session: secret: ${session_secret_b} upstream: type: roundrobin discovery_type: dns nodes: "internal-api.domain.node_b": 1 ``` The behaviour i would have expected here, is that when logging into A, a session for A is created. And when accessing B, apisix would recognize that this is a different app with a different client and different session secret, and therefor the session from A should not be applied here and another login is enforced when accessing web2. Instead i am simply also already logged in against B with the user from A. The only way i can think of atm, to overcome this is running one apisix instance per application, but thats propably not how it should be.. So what i would like to have, is that a session is only valid for the client, we used for login, or some other way to configure the scope of session-validity. Easiest way would be to propably simply define the session-cookie name, that is checked against. As far as i can see cookies always identify like "session=", and if something like that is found, it is simply treated as authenticated. Using different session-secrets also didnt do the job. So am i missing something here, or is this intended? And if not, could this be added? Would be a really helpful feature :) Best regards Robert -- This is an automated message from the Apache Git Service. To respond to the message, please log on to GitHub and use the URL above to go to the specific comment. To unsubscribe, e-mail: notifications-unsubscr...@apisix.apache.org.apache.org For queries about this service, please contact Infrastructure at: us...@infra.apache.org