I expected this behavior also to trigger a login. As written in the specs the OP iframe "captures meaningful events such as logins, logouts, change of user, change of authentication status for Clients being used by the End-User, etc.". This does not work and, after a little investigation, I noticed that if a session is not already initiated, the src of the 2 iframes is served by mod_auth_oidc as a 404.
That is, the <redirect_uri>?session=iframe_... produces the expected output (the RP iframe and a redirect to the OP iframe coming from Keycloak) only when a session already exists. I tried to bypass this behavior by feeding the iframes with the same content even when a session is not open yet, and magically everything worked! That is, as soon as I logged into Keycloak with another app, the RP iframe received a "changed" message and mod_auth_oidc triggered the correct redirect sequence to open a session.
I don't understand this behavior. Is there a reason for mod_auth_oidc to return a 404 instead of the expected iframe src? If yes, what other mechanism should trigger a login when there is a session change from "not logged in" to "logged in"?
As discussed on the mailing list:
https://groups.google.com/forum/#!topic/mod_auth_openidc/MxXP1YtKQFw