When attempting to access the second tenant, the user should be prompted to log in again since the second tenant is secured with different OIDC configuration (e.g., with a different Keycloak realm). The underlying issue is a bug in OidcSessionTokenStore when determining if a cached token should be used or not. This logic needs to be updated to take into account the new "provider-url" option in addition to the "realm" option.