Multiple providers on same host

[brandonk10]

I have 2 realms working fine on the same virtual host, at least independently. If I log into one, any directory protected by the other fails as unauthorized. This is because they, by default, share the same session cookie. OIDCCookie is configurable at the directory level. However, unless I missed a step, all providers need to share the same redirect_uri, which is only at virtual host level. Its the redirect_uri that actually sets the session cookie. I'm probably missing something here, but, if not, would it make sense to allow redirect_uri to be configured/overridden at directory level or in the metadata configuration?

[zandbelt]

yes, the redirect URI would be the same for both providers; why would you need to be logged in at 2 providers at the same time?

[brandonk10]

users just get URLs, they won't know to use new session tabs, etc. their experience would be in the same browser. Admittedly, this is not a common use case on the same host.

[zandbelt]

then you'd have to use different vhosts

[brandonk10]

I understand this is how the module currently operates. Is there any philosophical objection to allowing redirect_uri at the provider level?

[studersi]

Just as an FYI: We have had similar use cases in the past with CAS authentication: apereo/mod_auth_cas#160. So it might not be that uncommon.

[brandonk10]

FWIW, I'm working on a fork for changes to allow some of these items at directory level. I'm not sure if provider-level config would work - it seems like redirect_uri is needed in the flow before the provider is determined. Right now, the only thing I haven't figured out is where to perform the configuration validation as there is no post_config hook for directory-level configuration. I'm hooking content handler now, but I think that is too late in the flow.