
Commit cf92173

jageeevallesp
authored andcommitted
Update federation multirealm httpd template
This patch resolves an issue where Horizon OIDC users who log out as a user from one IDP and then try to log in as a user from a different IDP run into errors if the first user's OIDC session has not yet timed out.
1 parent 4913ce2 commit cf92173


1 file changed

+18
-23
lines changed

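--- a/roles/federation/templates/federation-multirealm.conf.j2
+++ b/roles/federation/templates/federation-multirealm.conf.j2
@@ -7,34 +7,29 @@ OIDCPassClaimsAs "{{ cifmw_federation_keystone_OIDC_PassClaimsAs }}"
 OIDCCryptoPassphrase "{{ cifmw_federation_keystone_OIDC_CryptoPassphrase }}"
 OIDCMetadataDir "/var/lib/httpd/metadata"
 OIDCRedirectURI "{{ cifmw_federation_keystone_url }}/v3/redirect_uri"
-LogLevel debug
+OIDCAuthRequestParams "prompt=login"
+LogLevel rewrite:trace3 auth_openidc:debug
 
-<LocationMatch "/v3/auth/OS-FEDERATION/identity_providers/{{ cifmw_federation_IdpName }}/protocols/openid/websso">
-AuthType "openid-connect"
-Require valid-user
-</LocationMatch>
+<IfModule headers_module>
+<Location "/v3/local-logout/clear">
+Header always add Set-Cookie "mod_auth_openidc_session=deleted; Path=/; Max-Age=0; HttpOnly; Secure; SameSite=None"
+</Location>
+</IfModule>
 
-<Location ~ "/v3/OS-FEDERATION/identity_providers/{{ cifmw_federation_IdpName }}/protocols/openid/auth">
-AuthType oauth20
-Require valid-user
-</Location>
+RewriteEngine On
 
-<LocationMatch "/v3/auth/OS-FEDERATION/identity_providers/{{ cifmw_federation_IdpName2 }}/protocols/openid/websso">
-AuthType "openid-connect"
-Require valid-user
-</LocationMatch>
+RewriteRule ^/v3/auth/OS-FEDERATION/identity_providers/({{ cifmw_federation_IdpName }}|{{ cifmw_federation_IdpName2 }})/protocols/openid/websso$ \
+/v3/local-logout/clear [R=302,L]
 
-<Location ~ "/v3/OS-FEDERATION/identity_providers/{{ cifmw_federation_IdpName2 }}/protocols/openid/auth">
-AuthType oauth20
-Require valid-user
-</Location>
+RewriteRule ^/v3/local-logout/clear$ \
+/v3/auth/OS-FEDERATION/websso/openid [R=302,L,QSA,NE]
 
-<Location ~ "/redirect_uri">
-Require valid-user
+<Location "/v3/auth/OS-FEDERATION/websso/openid">
 AuthType openid-connect
+Require valid-user
 </Location>
 
-<LocationMatch "/v3/auth/OS-FEDERATION/websso/openid">
-AuthType "openid-connect"
-Require valid-user
-</LocationMatch>
+<Location "/v3/redirect_uri">
+AuthType openid-connect
+Require valid-user
+</Location>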
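Review bot: The new side no longer has any `Require valid-user` block for `/v3/OS-FEDERATION/identity_providers/<idp>/protocols/openid/auth`: both `AuthType oauth20` sections are dropped and nothing in this hunk replaces them, so requests to those token-auth paths would reach Keystone without httpd validating a bearer token first. Keystone's federated auth relies on the front-end web server to establish the identity attributes it maps, so a path left outside mod_auth_openidc should either stay protected or be denied outright. The commit message only describes the Horizon WebSSO logout case, so the removal looks unintended; one block covering both IdPs, as sketched below, would restore the check. Separately, the `<IfModule headers_module>` wrapper turns the session-cookie reset into a silent no-op when mod_headers is not loaded while the redirects still run; dropping the wrapper would make that misconfiguration fail at startup instead of quietly leaving the previous user's session in place.

```apacheconf
# … unchanged: OIDC settings, cookie reset, rewrite rules, websso and redirect_uri blocks …
<LocationMatch "^/v3/OS-FEDERATION/identity_providers/({{ cifmw_federation_IdpName }}|{{ cifmw_federation_IdpName2 }})/protocols/openid/auth$">
AuthType oauth20
Require valid-user
</LocationMatch>
```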
