
CVE-2023-6236: OIDC app attempting to access the second tenant, the user should be prompted to log in


    • Type: Bug
    • Resolution: Done
    • Priority: Major
    • 2.4.0.Final

When attempting to access the second tenant, the user should be prompted to log in again, since the second tenant is secured with a different OIDC configuration (e.g., a different Keycloak realm).

The underlying issue is a bug in OidcSessionTokenStore when determining whether a cached token should be used. This logic needs to be updated to take into account the new "provider-url" option in addition to the "realm" option.

See https://access.redhat.com/security/cve/CVE-2023-6236.
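The following is an added illustration of the cache-validity check the issue describes; it is not Elytron's code, and the class and method names (OidcConfig, CachedTokenCheck, reusableRealmOnly, reusable) and the two tenant URLs are hypothetical. It places the realm-only comparison beside the corrected one that also compares provider-url, using two tenants that are configured through provider-url alone so that their realm values are both unset.

```java
import java.util.Objects;

// Hypothetical model (not Elytron's own types): the OIDC options a token
// was obtained against, reduced to the two options the issue names.
final class OidcConfig {
    final String realm;        // unset when the deployment only uses provider-url
    final String providerUrl;

    OidcConfig(String realm, String providerUrl) {
        this.realm = realm;
        this.providerUrl = providerUrl;
    }
}

final class CachedTokenCheck {
    // Flawed decision described in the issue: only the realm is compared, so
    // two tenants that differ solely in provider-url are treated as the same
    // tenant (an unset realm equals an unset realm) and the token is reused.
    static boolean reusableRealmOnly(OidcConfig cached, OidcConfig current) {
        return Objects.equals(cached.realm, current.realm);
    }

    // Corrected decision: the cached token is reused only when both the realm
    // and the provider-url of the cached token match the deployment being
    // accessed; any mismatch means the user must log in to that tenant.
    static boolean reusable(OidcConfig cached, OidcConfig current) {
        return Objects.equals(cached.realm, current.realm)
            && Objects.equals(cached.providerUrl, current.providerUrl);
    }

    public static void main(String[] args) {
        // Constructed sample: two tenants configured via provider-url only.
        OidcConfig tenant1 = new OidcConfig(null, "https://idp.example.com/realms/tenant1");
        OidcConfig tenant2 = new OidcConfig(null, "https://idp.example.com/realms/tenant2");

        // A token cached after logging in to tenant1 is presented to tenant2.
        System.out.println("realm-only check reuses tenant1 token for tenant2: "
            + reusableRealmOnly(tenant1, tenant2));
        System.out.println("realm + provider-url check reuses tenant1 token for tenant2: "
            + reusable(tenant1, tenant2));
    }
}
```

With these inputs the realm-only check accepts the cached token for the second tenant, while the corrected check rejects it and the user is prompted to log in again.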

fjuma1@redhat.com Farah Juma