liboauth2's People

Contributors

abbra, babelouest, brownp2k, mikaeljb, zandbelt

liboauth2's Issues

Sample code

I want to use this library for OAuth; it would be good if there were a sample, reference, and so on.
Regards

Here are some minimal Ubuntu 22.04 installation instructions.

git clone https://github.com/akheron/jansson && \
cd jansson  && \
autoreconf -i && \
./configure && \
make && \
sudo make install

# OpenSSL > 3.0 will show these as errors
# jws.c:446:5: warning: ‘RSA_size’ is deprecated: Since OpenSSL 3.0 [-Wdeprecated-declarations]
# so pass --disable-werror

git clone https://github.com/cisco/cjose.git && \
cd cjose && \
./configure --disable-werror --with-openssl=/usr/local --with-jansson=/usr/local && \
sudo make install

# There did not seem to be a way to disable
# configure: error: "apxs not found. Use --with-apxs"
# without first installing the following package:
sudo apt install apache2-dev

git clone https://github.com/OpenIDC/liboauth2 && \
cd liboauth2 && \
./autogen.sh && \
./configure && \
make && \
sudo make install

unaligned memory access on 32-bit ARM when running tests

When building liboauth2 on armv7hl on Fedora Rawhide, the tests crash reliably with SIGBUS. ARMv7 is known to be very sensitive to unaligned memory access, and the Linux kernel issues a bus error for these problems.

The following scratch build shows the problem: https://koji.fedoraproject.org/koji/watchlogs?taskID=66315687 (scroll down to the end). Sadly, I don't have a 32-bit ARMv7 machine locally, so I cannot reproduce these issues myself.

The log of the scratch build will disappear in 14 days or so.

unaligned memory access on 64-bit SPARC when running tests

When running make test after building liboauth2 on 64-bit SPARC (niagara4) on Solaris 10 with gcc 5.5.0, several tests dump core with a SIGBUS error. As SPARC is sensitive to alignment issues, I expect that this is a platform-specific issue.

The test-suite.log output file is attached, along with the 'make test' stdout/stderr output for the test run.
test-suite.log
gmake_test_out.txt

The stack trace from the final test (test/check_openidc.c:1004:E:core:test_openidc_state_cookie:0:) is attached as gdb_core.txt. (Unfortunately, the final core file overwrote the previous core files.)
gdb_core.txt

I'm happy to provide any additional information on this issue, and any further assistance to help resolve this.

occasional :-) coredump

Thank you very much for this great library.
Thank you very much for answering my previous question so fast!

Hopefully you have another hint for me ...

I recently got a coredump in our server (threaded C++, based on the MS C++ REST SDK).
I am sorry, but I am not able to provide any values here, as the binary was stripped.
So I am not sure which of the two oauth2_log calls in oauth2_cache_get went wrong (probably the second, as it is dependent on the cache; this is why I asked about thread-safety).

The server was running fine for 5 days before this.

Any help is appreciated.

#0  0x00002b12c3ee5641 in vfprintf () from /lib64/libc.so.6
[Current thread is 1 (Thread 0x2b12c5625700 (LWP 22208))]
Missing separate debuginfos, use: zypper install glibc-debuginfo-2.22-114.8.3.x86_64
(gdb) where
#0  0x00002b12c3ee5641 in vfprintf () from /lib64/libc.so.6
#1  0x00002b12c3f0e3d3 in vasprintf () from /lib64/libc.so.6
#2  0x00002b12c245c4c4 in oauth2_log () from /appl/local/carmen/carmena4/lib/A214DOR/libdor_appsoauth.so.214.0
#3  0x00002b12c244c63d in oauth2_cache_get ()
   from /appl/local/carmen/carmena4/lib/A214DOR/libdor_appsoauth.so.214.0
#4  0x00002b12c245b55d in oauth2_jose_resolve_from_uri ()
   from /appl/local/carmen/carmena4/lib/A214DOR/libdor_appsoauth.so.214.0
#5  0x00002b12c245b63a in ?? () from /appl/local/carmen/carmena4/lib/A214DOR/libdor_appsoauth.so.214.0
#6  0x00002b12c2459d48 in oauth2_jose_jwt_verify ()
   from /appl/local/carmen/carmena4/lib/A214DOR/libdor_appsoauth.so.214.0
#7  0x00002b12c245db0a in oauth2_token_verify ()
   from /appl/local/carmen/carmena4/lib/A214DOR/libdor_appsoauth.so.214.0
#8  0x00002b12bfdf62e8 in TokenValidator::validate_token_with_jwks_uri(oauth2_log_t*, std::string const&, std::string const&) () from /appl/local/carmen/carmena4/lib/A214DOR/libdor_appsrest.so.214.0
#9  0x00002b12bfdf7616 in TokenValidator::validate_token(std::string const&) ()
   from /appl/local/carmen/carmena4/lib/A214DOR/libdor_appsrest.so.214.0
#10 0x00002b12bfdaa442 in dora::rest::RESTServer::dispatch(web::http::http_request) ()
   from /appl/local/carmen/carmena4/lib/A214DOR/libdor_appsrest.so.214.0
#11 0x00002b12bfdb3d28 in std::_Function_handler<void (web::http::http_request), std::_Bind<void (dora::rest::RESTServer::*(dora::rest::RESTServer*, std::_Placeholder<1>))(web::http::http_request)> >::_M_invoke(std::_Any_data const&, web::http::http_request&&) () from /appl/local/carmen/carmena4/lib/A214DOR/libdor_appsrest.so.214.0
#12 0x00002b12c03edec7 in web::http::experimental::listener::details::http_listener_impl::handle_request(web::http::http_request) () from /appl/local/carmen/carmena4/lib/A214INT/libcpprest.so.2.10
#13 0x00002b12c04e60b1 in ?? () from /appl/local/carmen/carmena4/lib/A214INT/libcpprest.so.2.10
#14 0x00002b12c04ec4a0 in ?? () from /appl/local/carmen/carmena4/lib/A214INT/libcpprest.so.2.10
#15 0x00002b12c04ed2cf in ?? () from /appl/local/carmen/carmena4/lib/A214INT/libcpprest.so.2.10
#16 0x00002b12c04ed619 in ?? () from /appl/local/carmen/carmena4/lib/A214INT/libcpprest.so.2.10
#17 0x00002b12c04ee5da in ?? () from /appl/local/carmen/carmena4/lib/A214INT/libcpprest.so.2.10
#18 0x00002b12c04360df in boost::asio::detail::epoll_reactor::descriptor_state::do_complete(void*, boost::asio::detail::scheduler_operation*, boost::system::error_code const&, unsigned long) ()
   from /appl/local/carmen/carmena4/lib/A214INT/libcpprest.so.2.10
#19 0x00002b12c043e2af in boost::asio::detail::scheduler::run(boost::system::error_code&) ()
   from /appl/local/carmen/carmena4/lib/A214INT/libcpprest.so.2.10
#20 0x00002b12c04b15e9 in ?? () from /appl/local/carmen/carmena4/lib/A214INT/libcpprest.so.2.10
#21 0x00002b12c042a51f in boost_asio_detail_posix_thread_function ()
   from /appl/local/carmen/carmena4/lib/A214INT/libcpprest.so.2.10
#22 0x00002b12c267f6da in start_thread () from /lib64/libpthread.so.0
#23 0x00002b12c3f882cd in clone () from /lib64/libc.so.6

'strncpy' output truncated warning with gcc 10

While trying to build liboauth2 for Debian unstable with gcc 10, I get the following compile error:

In function 'oauth2_strndup',
    inlined from 'oauth2_strdup' at src/util.c:545:9:
src/util.c:535:2: error: 'strncpy' output truncated before terminating nul copying as many bytes from a string as its length [-Werror=stringop-truncation]
  535 |  strncpy(dst, src, len);
      |  ^~~~~~~~~~~~~~~~~~~~~~
src/util.c: In function 'oauth2_strdup':
src/util.c:545:35: note: length computed here
  545 |  return oauth2_strndup(src, src ? strlen(src) : 0);
      |                                   ^~~~~~~~~~~
In function 'oauth2_strndup',
    inlined from 'oauth2_strdup' at src/util.c:545:9,
    inlined from '_oauth2_stradd4' at src/util.c:555:9:
src/util.c:535:2: error: 'strncpy' destination unchanged after copying no bytes [-Werror=stringop-truncation]
  535 |  strncpy(dst, src, len);
      |  ^~~~~~~~~~~~~~~~~~~~~~
In function 'oauth2_strndup',
    inlined from 'oauth2_strdup' at src/util.c:545:9,
    inlined from 'oauth2_nv_list2s' at src/util.c:611:14:
src/util.c:535:2: error: 'strncpy' output truncated before terminating nul copying 1 byte from a string of the same length [-Werror=stringop-truncation]
  535 |  strncpy(dst, src, len);
      |  ^~~~~~~~~~~~~~~~~~~~~~

A quick workaround is to replace strncpy with memcpy on src/util.c:545 or to disable the warning just for this case:

#pragma GCC diagnostic push
#pragma GCC diagnostic ignored "-Wstringop-truncation"
    strncpy(dst, src, len);
#pragma GCC diagnostic pop
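
As an added illustration, not code from the liboauth2 project, here is a hypothetical stand-in for oauth2_strndup in both the strncpy form that gcc 10 flags and the memcpy form suggested above, exercised on the three call shapes the compiler complained about (full-length copy, NULL source, single byte); all function names are assumptions.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Portable bounded strlen, so the copy never reads past the source's own NUL
 * even when the caller passes a length larger than the string. */
static size_t bounded_len(const char *s, size_t max)
{
	size_t n = 0;
	while (n < max && s[n] != '\0')
		n++;
	return n;
}

/* Hypothetical stand-in for oauth2_strndup() in the strncpy form that gcc 10
 * flags with -Wstringop-truncation. When n == strlen(src), strncpy() copies
 * exactly n bytes and writes no terminator, so correctness rests entirely on
 * the explicit dst[n] = '\0' below; gcc cannot prove that line exists and
 * reports the copy as truncated. */
static char *strndup_strncpy(const char *src, size_t len)
{
	size_t n;
	char *dst;

	if (src == NULL)
		return NULL;
	n = bounded_len(src, len);
	dst = malloc(n + 1);
	if (dst == NULL)
		return NULL;
	strncpy(dst, src, n);	/* the line gcc warns about */
	dst[n] = '\0';		/* mandatory: strncpy left it unwritten */
	return dst;
}

/* The memcpy form suggested in the report: copy exactly the n bytes wanted and
 * terminate explicitly. Same behaviour, but the intent is stated directly, so
 * there is no hidden dependency on strncpy's padding rules and nothing for the
 * compiler to warn about. */
static char *strndup_memcpy(const char *src, size_t len)
{
	size_t n;
	char *dst;

	if (src == NULL)
		return NULL;
	n = bounded_len(src, len);
	dst = malloc(n + 1);
	if (dst == NULL)
		return NULL;
	memcpy(dst, src, n);
	dst[n] = '\0';
	return dst;
}

/* Mirrors the inlined oauth2_strdup() call site in the gcc output, where the
 * length is computed as `src ? strlen(src) : 0` and passed straight down. */
static char *strdup_via(const char *src, char *(*dup)(const char *, size_t))
{
	return dup(src, src ? strlen(src) : 0);
}

/* Returns 1 if both variants turn (src, len) into the same NUL-terminated copy
 * equal to `expect`, or both return NULL when expect is NULL. */
static int both_variants_yield(const char *src, size_t len, const char *expect)
{
	char *a = strndup_strncpy(src, len);
	char *b = strndup_memcpy(src, len);
	int ok;

	if (expect == NULL)
		ok = (a == NULL && b == NULL);
	else
		ok = (a != NULL && b != NULL &&
		      strcmp(a, expect) == 0 && strcmp(b, expect) == 0);
	free(a);
	free(b);
	return ok;
}

int main(void)
{
	printf("full length: %d\n", both_variants_yield("hello", 5, "hello"));
	printf("NULL source: %d\n", both_variants_yield(NULL, 0, NULL));
	printf("single byte: %d\n", both_variants_yield("&", 1, "&"));
	printf("over-long len clamped: %d\n", both_variants_yield("hi", 100, "hi"));
	return 0;
}
```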

Option for setting the token_type_hint

Hello,

When trying to switch from the OIDC module to the OAuth2 one, we noticed that the POST to the introspection endpoint included a new parameter in the data, token_type_hint, for example:

[auth_openidc:debug] [pid 2770419] src/util.c(689): [client 192.168.151.125:60374] oidc_util_http_call: url=https://endpoint.xx/oauth2/introspect, data=token=5bc8e5a9-8110-3c50-8559-b2f1852bd815, content_type=application/x-www-form-urlencoded, basic_auth=name:pass, bearer_token=(null), ssl_validate_server=1, timeout=60, outgoing_proxy=(null), pass_cookies=0, ssl_cert=(null), ssl_key=(null)
vs
[oauth2:debug] [pid 2770067] src/http.c(979): [client 192.168.151.60:49988] oauth2_http_call: enter: url=https://endpoint.xx/oauth2/introspect, data=token=5bc8e5a9-8110-3c50-8559-b2f1852bd815&token_type_hint=access_token, ctx=[ ssl_verify=true basic_auth_username=name basic_auth_password=password hdr=[ Content-Type=application/x-www-form-urlencoded ] cookie=[ ] ]

Looking at the token, this type is set wrong and thus access is denied. Recreating the POST request with curl but changing this to bearer solves the issue:

curl -XPOST -u 'name:password' -H 'content_type: application/x-www-form-urlencoded' https://endpoint.xx/oauth2/introspect -d 'token=5bc8e5a9-8110-3c50-8559-b2f1852bd815&token_type_hint=bearer'
{"scope":"openid","active":true,"token_type":...

When rebuilding liboauth2 with the value of OAUTH2_INTROSPECT_TOKEN_TYPE_HINT_ACCESS_TOKEN set to bearer, it also fixes our issue. Is there a way to configure this value without having to change it in code? If not, are there any plans to make this possible?

typo fix: PCKE -> PKCE

Just a tiny typo fix: 'PKCE' was mis-spelled 'PCKE' in one place.

$ grep -ri pcke .
README.md:- Proof Key for Code Exchange (PCKE) by [...]

Feel free to fix manually, or pull it from my (not github) fork, as you prefer:

git pull https://lab.trax.im/fork/github/zmartzone/liboauth2.git typo-1

Thanks!

Run test fail on arm64

Hello,

During the Debian package build of 1.5.1-1, the tests fail for architecture arm64.

The error log is quite large, but there seems to be at least this error:

test/check_openidc.c:941:F:core:test_openidc_handle_cache:0: Assertion 'oauth2_http_response_status_code_get(_log, response) == 0' failed: oauth2_http_response_status_code_get(_log, response) == 302, 0 == 0

You can find the full build log here: https://buildd.debian.org/status/fetch.php?pkg=liboauth2&arch=arm64&ver=1.5.1-1&stamp=1687716199&raw=0

Any clue what it might be?

Occasional segfaults

Hello,

I'm seeing occasional segfaults using liboauth2==1.4.5 and mod_oauth2==3.2.3 in a multithreaded environment. Apache info:

# httpd -V
Server version: Apache/2.4.37 (Red Hat Enterprise Linux)
Server built:   Jun 15 2022 08:27:14
Server's Module Magic Number: 20120211:83
Server loaded:  APR 1.6.3, APR-UTIL 1.6.1
Compiled using: APR 1.6.3, APR-UTIL 1.6.1
Architecture:   64-bit
Server MPM:     event
  threaded:     yes (fixed thread count)
    forked:     yes (variable process count)

3 stack traces from 3 different child processes:

Thread 267 "httpd" received signal SIGSEGV, Segmentation fault.
[Switching to Thread 0x7fb19f7fe700 (LWP 3066)]
0x00007fb36a02376d in hashtable_do_clear () from /usr/lib64/libjansson.so.4
(gdb) bt
#0  0x00007fb36a02376d in hashtable_do_clear () from /usr/lib64/libjansson.so.4
#1  0x00007fb36a02383d in hashtable_close () from /usr/lib64/libjansson.so.4
#2  0x00007fb36a029009 in json_delete () from /usr/lib64/libjansson.so.4
#3  0x00007fb36a45f87f in json_decref () from /usr/lib64/liboauth2.so.0
#4  0x00007fb36a46264e in oauth2_jose_jwt_header_peek () from /usr/lib64/liboauth2.so.0
#5  0x00007fb36a462e83 in oauth2_jose_jwt_verify () from /usr/lib64/liboauth2.so.0
#6  0x00007fb36a46b2fb in _oauth2_metadata_verify_callback () from /usr/lib64/liboauth2.so.0
#7  0x00007fb36a46bc53 in oauth2_token_verify () from /usr/lib64/liboauth2.so.0
#8  0x00007fb36a88d683 in oauth2_request_handler () from /etc/httpd/modules/mod_oauth2.so
#9  0x00005647faf15ca8 in ap_run_check_user_id ()
#10 0x00005647faf188fc in ap_process_request_internal ()
#11 0x00005647faf37840 in ap_process_async_request ()
#12 0x00005647faf33ce0 in ap_process_http_connection ()
#13 0x00005647faf2a0c8 in ap_run_process_connection ()
#14 0x00007fb36f984a47 in process_socket () from /etc/httpd/modules/mod_mpm_event.so
#15 0x00007fb36f9853ea in worker_thread () from /etc/httpd/modules/mod_mpm_event.so
#16 0x00007fb37ac6117a in start_thread () from /lib64/libpthread.so.0
#17 0x00007fb37a78cdc3 in clone () from /lib64/libc.so.6

Thread 197 "httpd" received signal SIGSEGV, Segmentation fault.
[Switching to Thread 0x7f80f9ffb700 (LWP 2968)]
0x00007f8180ecfbc6 in malloc () from /lib64/libc.so.6
(gdb) bt
#0  0x00007f8180ecfbc6 in malloc () from /lib64/libc.so.6
#1  0x00007f8170c0e6c2 in oauth2_mem_alloc () from /usr/lib64/liboauth2.so.0
#2  0x00007f8170c0ff72 in oauth2_strndup () from /usr/lib64/liboauth2.so.0
#3  0x00007f8170c1c4a4 in oauth2_jose_jwt_header_peek () from /usr/lib64/liboauth2.so.0
#4  0x00007f8170c1ce83 in oauth2_jose_jwt_verify () from /usr/lib64/liboauth2.so.0
#5  0x00007f8170c252fb in _oauth2_metadata_verify_callback () from /usr/lib64/liboauth2.so.0
#6  0x00007f8170c25c53 in oauth2_token_verify () from /usr/lib64/liboauth2.so.0
#7  0x00007f8171047683 in oauth2_request_handler () from /etc/httpd/modules/mod_oauth2.so
#8  0x00005573b5c63ca8 in ap_run_check_user_id ()
#9  0x00005573b5c668fc in ap_process_request_internal ()
#10 0x00005573b5c85840 in ap_process_async_request ()
#11 0x00005573b5c81ce0 in ap_process_http_connection ()
#12 0x00005573b5c780c8 in ap_run_process_connection ()
#13 0x00007f817613ea47 in process_socket () from /etc/httpd/modules/mod_mpm_event.so
#14 0x00007f817613f3ea in worker_thread () from /etc/httpd/modules/mod_mpm_event.so
#15 0x00007f818141b17a in start_thread () from /lib64/libpthread.so.0
#16 0x00007f8180f46dc3 in clone () from /lib64/libc.so.6

Thread 298 "httpd" received signal SIGSEGV, Segmentation fault.
[Switching to Thread 0x7f7fdf7fe700 (LWP 3087)]
0x00007f8180ecfbc6 in malloc () from /lib64/libc.so.6
(gdb) bt
#0  0x00007f8180ecfbc6 in malloc () from /lib64/libc.so.6
#1  0x00007f817367590d in CRYPTO_zalloc () from /lib64/libcrypto.so.1.1
#2  0x00007f81736496d1 in EVP_DigestInit_ex () from /lib64/libcrypto.so.1.1
#3  0x00007f8170c19c3f in oauth2_jose_hash_bytes () from /usr/lib64/liboauth2.so.0
#4  0x00007f8170c1b901 in oauth2_jose_hash2s () from /usr/lib64/liboauth2.so.0
#5  0x00007f8170c2d7b9 in _oauth2_cache_hash_key () from /usr/lib64/liboauth2.so.0
#6  0x00007f8170c2daf9 in oauth2_cache_get () from /usr/lib64/liboauth2.so.0
#7  0x00007f8170c1ec59 in oauth2_jose_resolve_from_uri () from /usr/lib64/liboauth2.so.0
#8  0x00007f8170c1ee1f in _oauth2_jose_jwks_resolve_from_uri () from /usr/lib64/liboauth2.so.0
#9  0x00007f8170c1ee8d in oauth2_jose_jwks_uri_resolve () from /usr/lib64/liboauth2.so.0
#10 0x00007f8170c1cfa1 in oauth2_jose_jwt_verify () from /usr/lib64/liboauth2.so.0
#11 0x00007f8170c252fb in _oauth2_metadata_verify_callback () from /usr/lib64/liboauth2.so.0
#12 0x00007f8170c25c53 in oauth2_token_verify () from /usr/lib64/liboauth2.so.0
#13 0x00007f8171047683 in oauth2_request_handler () from /etc/httpd/modules/mod_oauth2.so
#14 0x00005573b5c63ca8 in ap_run_check_user_id ()
#15 0x00005573b5c668fc in ap_process_request_internal ()
#16 0x00005573b5c85840 in ap_process_async_request ()
#17 0x00005573b5c81ce0 in ap_process_http_connection ()
#18 0x00005573b5c780c8 in ap_run_process_connection ()
#19 0x00007f817613ea47 in process_socket () from /etc/httpd/modules/mod_mpm_event.so
#20 0x00007f817613f3ea in worker_thread () from /etc/httpd/modules/mod_mpm_event.so
#21 0x00007f818141b17a in start_thread () from /lib64/libpthread.so.0
#22 0x00007f8180f46dc3 in clone () from /lib64/libc.so.6

Seems oauth2_jose_jwt_verify() may be a commonality? Thank you in advance.

Unable to do strict issuer verification

According to the example apache config, I can force strict issuer verification with the verify.iss=required option. However, when I set this option to required it fails, while it succeeds with optional.

My config looks like this:

OAuth2TokenVerify metadata https://<domain>/.well-known/openid-configuration metadata.ssl_verify=false&verify.iss=required

One interesting excerpt from the logs:

[Wed Apr 19 11:53:49.360956 2023] [oauth2:debug] [pid 110463:tid 140637177321216] src/jose.c(1040): [client 127.0.0.1:52514] _oauth2_jose_jwt_validate_iss: enter: iss=(null), validate=required

This suggests to me that the value of iss is not passed along.

I'm using KeyCloak as my IdP and verified that the iss field in token corresponds with the issuer field in the metadata.

Rapidjson support

Dear contributors,

For JSON parsing you are using jansson; would it be possible to have an option to use rapidjson, from a performance point of view?

Probably dumb questions, but are there examples?

Sorry to ask, but I'm not too familiar with OAuth 2.0, and I'm not sure how to implement OAuth2 in my program without getting a full understanding of some of the declared functions, short of digging through the src files myself. Are there possibly man files? Thanks.

Question about thread safety

I am currently using your liboauth2 directly in a C++ based server.
So here is the question:
is the library intended to be used in a threaded server without further synchronization?
I am authenticating against the OAuth2 server via:

oauth2_cfg_token_verify_add_options(_log, &verify, "jwks_uri", jwks_uri.data(), "verify.exp=required"); //"verify.exp=skip" //
bool rc = oauth2_token_verify(_log, NULL, verify, token.data(), &json_payload);
This code runs in a worker thread.

I use the "builtin" caching of keys.

EVP_PKEY_get1_RSA is deprecated: Since OpenSSL 3.0

Hello,

While building liboauth2 with OpenSSL 3.0, the following warning shows up:

/bin/bash ./libtool  --tag=CC   --mode=compile gcc -DPACKAGE_NAME=\"liboauth2\" -DPACKAGE_TARNAME=\"liboauth2\" -DPACKAGE_VERSION=\"1.4.3.2\" -DPACKAGE_STRING=\"liboauth2\ 1.4.3.2\" -DPACKAGE_BUGREPORT=\"[email protected]\" -DPACKAGE_URL=\"\" -DHAVE_STDIO_H=1 -DHAVE_STDLIB_H=1 -DHAVE_STRING_H=1 -DHAVE_INTTYPES_H=1 -DHAVE_STDINT_H=1 -DHAVE_STRINGS_H=1 -DHAVE_SYS_STAT_H=1 -DHAVE_SYS_TYPES_H=1 -DHAVE_UNISTD_H=1 -DSTDC_HEADERS=1 -DHAVE_DLFCN_H=1 -DLT_OBJDIR=\".libs/\" -I.  -Wall -Werror -Iinclude -Isrc   -Wdate-time -D_FORTIFY_SOURCE=2 -I/usr/include/x86_64-linux-gnu  -g -O2 -ffile-prefix-map=/<<PKGBUILDDIR>>=. -flto=auto -ffat-lto-objects -fstack-protector-strong -Wformat -Werror=format-security -c -o src/liboauth2_la-jose.lo `test -f 'src/jose.c' || echo './'`src/jose.c
libtool: compile:  gcc -DPACKAGE_NAME=\"liboauth2\" -DPACKAGE_TARNAME=\"liboauth2\" -DPACKAGE_VERSION=\"1.4.3.2\" "-DPACKAGE_STRING=\"liboauth2 1.4.3.2\"" -DPACKAGE_BUGREPORT=\"[email protected]\" -DPACKAGE_URL=\"\" -DHAVE_STDIO_H=1 -DHAVE_STDLIB_H=1 -DHAVE_STRING_H=1 -DHAVE_INTTYPES_H=1 -DHAVE_STDINT_H=1 -DHAVE_STRINGS_H=1 -DHAVE_SYS_STAT_H=1 -DHAVE_SYS_TYPES_H=1 -DHAVE_UNISTD_H=1 -DSTDC_HEADERS=1 -DHAVE_DLFCN_H=1 -DLT_OBJDIR=\".libs/\" -I. -Wall -Werror -Iinclude -Isrc -Wdate-time -D_FORTIFY_SOURCE=2 -I/usr/include/x86_64-linux-gnu -g -O2 -ffile-prefix-map=/<<PKGBUILDDIR>>=. -flto=auto -ffat-lto-objects -fstack-protector-strong -Wformat -Werror=format-security -c src/jose.c  -fPIC -DPIC -o src/.libs/liboauth2_la-jose.o
src/jose.c: In function ‘_oauth2_jose_options_jwk_set_rsa_key’:
src/jose.c:1586:9: error: ‘EVP_PKEY_get1_RSA’ is deprecated: Since OpenSSL 3.0 [-Werror=deprecated-declarations]
 1586 |         rsa = EVP_PKEY_get1_RSA(pkey);
      |         ^~~
In file included from src/jose.c:35:
/usr/include/openssl/evp.h:1348:16: note: declared here
 1348 | struct rsa_st *EVP_PKEY_get1_RSA(EVP_PKEY *pkey);
      |                ^~~~~~~~~~~~~~~~~

EVP_PKEY_get1_RSA is deprecated, but I don't see yet how to replace it in the code.

Semaphore creation fails due to no space left

We experienced Apache being killed (SIGSEGV), apparently due to this:
[Sun Dec 20 03:45:03.522921 2020] [oauth2:error] [pid 8085] oauth2_ipc_sema_post_config: sem_open() failed to create named semaphore /zzo-sema-8085.0x564b89a996e0: No space left on device (28)

It looks like oauth2_ipc_sema_post_config only frees the name before creating a new semaphore.

From the looks of it, a new semaphore file is created at least every 10 minutes, and there's 5 associated "sem.zzo" files created per main semaphore file. I don't see any old files getting cleaned up.

remote_user_claim oauth2_apache_set_request_user: remote user claim could not be found

When configuring with

AuthType oauth2
OAuth2TargetPass remote_user_claim=appid
OAuth2TargetPass authn_header=myheader
Require valid-user

Everything works fine with the initial call, but the subsequent call fails with

oauth2_apache_set_request_user: remote user claim could not be found

I get the following debug output:

[Wed Jun 16 10:26:33.949565 2021] [oauth2:debug] [pid 119080] src/cache/shm.c(283): [client 10.8.225.116:53237] oauth2_cache_shm_get: not expired: b0d2ba31bb1...194b120df
[Wed Jun 16 10:26:33.949569 2021] [oauth2:debug] [pid 119080] src/cache/shm.c(309): [client 10.8.225.116:53237] oauth2_cache_shm_get: leave: 1
[Wed Jun 16 10:26:33.949573 2021] [oauth2:debug] [pid 119080] src/cache.c(318): [client 10.8.225.116:53237] oauth2_cache_get: leave: cache hit for key: https://adfs.drwholdings.com/adfs/discovery/keys return: 1496 bytes
[Wed Jun 16 10:26:33.949627 2021] [oauth2:debug] [pid 119080] src/jose.c(1932): [client 10.8.225.116:53237] oauth2_jose_resolve_from_uri: leave: {"keys":[{"kty":"RSA","use":"sig","alg":"RS256","kid":"Zl...o","x5t":"Zl...o","n":"oLpzVeOYlN3BDS9ZzJry...GdxH8\/iCwMRso8"]}]}
[Wed Jun 16 10:26:33.949764 2021] [oauth2:debug] [pid 119080] src/jose.c(805): [client 10.8.225.116:53237] _oauth2_jose_jwt_verify_jwk: enter: jws kid=ZldITKME80smHsCc_al8MypT-no, jwk kid=Zl...no
[Wed Jun 16 10:26:33.949900 2021] [oauth2:debug] [pid 119080] src/jose.c(816): [client 10.8.225.116:53237] _oauth2_jose_jwt_verify_jwk: cjose_jws_verify returned true
[Wed Jun 16 10:26:33.949911 2021] [oauth2:debug] [pid 119080] src/jose.c(824): [client 10.8.225.116:53237] _oauth2_jose_jwt_verify_jwk: leave: rc=1
[Wed Jun 16 10:26:33.949915 2021] [oauth2:debug] [pid 119080] src/jose.c(1185): [client 10.8.225.116:53237] oauth2_jose_jwt_verify: got plaintext (len=418): {"aud":"https://chhq-vudapex30.drwholdings.com/apex/okr_uat/aptest01/aptest01","iss":"http://adfs.drwholdings.com/adfs/services/trust","iat":1623857185,"nbf":1623857185,"exp":1623860785,"apptype":"Confidential","appid":"d2...21f3","authmethod":"http://schemas.microsoft.com/ws/2008/06/identity/authenticationmethod/password","auth_time":"2021-06-16T15:26:25.168Z","ver":"1.0","scp":"openid"}
[Wed Jun 16 10:26:33.949973 2021] [oauth2:debug] [pid 119080] src/jose.c(1079): [client 10.8.225.116:53237] _oauth2_jose_jwt_payload_validate: enter
[Wed Jun 16 10:26:33.949980 2021] [oauth2:debug] [pid 119080] src/jose.c(916): [client 10.8.225.116:53237] _oauth2_jose_jwt_validate_iss: enter: iss=(null), validate=optional
[Wed Jun 16 10:26:33.949982 2021] [oauth2:debug] [pid 119080] src/jose.c(955): [client 10.8.225.116:53237] _oauth2_jose_jwt_validate_iss: leave: 1
[Wed Jun 16 10:26:33.949983 2021] [oauth2:debug] [pid 119080] src/jose.c(969): [client 10.8.225.116:53237] _oauth2_jose_jwt_validate_exp: enter: validate=optional
[Wed Jun 16 10:26:33.949986 2021] [oauth2:debug] [pid 119080] src/jose.c(993): [client 10.8.225.116:53237] _oauth2_jose_jwt_validate_exp: "exp"=1623860785, 3592 seconds from now
[Wed Jun 16 10:26:33.949988 2021] [oauth2:debug] [pid 119080] src/jose.c(1007): [client 10.8.225.116:53237] _oauth2_jose_jwt_validate_exp: leave: 1
[Wed Jun 16 10:26:33.949990 2021] [oauth2:debug] [pid 119080] src/jose.c(1025): [client 10.8.225.116:53237] _oauth2_jose_jwt_validate_iat: enter: validate=optional, slack_before=140028818751498, slack_after=140033113718783
[Wed Jun 16 10:26:33.949992 2021] [oauth2:debug] [pid 119080] src/jose.c(1067): [client 10.8.225.116:53237] _oauth2_jose_jwt_validate_iat: leave: 1
[Wed Jun 16 10:26:33.950037 2021] [oauth2:debug] [pid 119080] src/jose.c(1104): [client 10.8.225.116:53237] _oauth2_jose_jwt_payload_validate: leave: 1
[Wed Jun 16 10:26:33.950093 2021] [oauth2:debug] [pid 119080] src/jose.c(1205): [client 10.8.225.116:53237] oauth2_jose_jwt_verify: leave: 1
[Wed Jun 16 10:26:33.950105 2021] [oauth2:debug] [pid 119080] src/cache.c(339): [client 10.8.225.116:53237] oauth2_cache_set: enter: key=eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiIsIng1dCI6IlpsZElUS01FODBzbUhzQ2NfYWw4TXlwVC1ubyIsImtpZCI6IlpsZElU...Yc-T-_HPut4pw, len=418, ttl(s)=300, type=shm, encrypt=0
[Wed Jun 16 10:26:33.950112 2021] [oauth2:debug] [pid 119080] src/cache.c(260): [client 10.8.225.116:53237] _oauth2_cache_hash_key: enter: key=eyJ0eXAiOiJKV1QiL...c-T-_HPut4pw, algo=(null)
[Wed Jun 16 10:26:33.950117 2021] [oauth2:debug] [pid 119080] src/jose.c(116): [client 10.8.225.116:53237] oauth2_jose_hash_bytes: enter
[Wed Jun 16 10:26:33.950123 2021] [oauth2:debug] [pid 119080] src/jose.c(166): [client 10.8.225.116:53237] oauth2_jose_hash_bytes: leave: 1
[Wed Jun 16 10:26:33.950128 2021] [oauth2:debug] [pid 119080] src/cache.c(275): [client 10.8.225.116:53237] _oauth2_cache_hash_key: leave: hashed key: f440e63a06b1329580ffcbd9a131786eb8a8c645a95e8999f17d8fb8a28abc76
[Wed Jun 16 10:26:33.950131 2021] [oauth2:debug] [pid 119080] src/cache/shm.c(341): [client 10.8.225.116:53237] oauth2_cache_shm_set: enter
[Wed Jun 16 10:26:33.950218 2021] [oauth2:debug] [pid 119080] src/cache/shm.c(437): [client 10.8.225.116:53237] oauth2_cache_shm_set: leave: 1
[Wed Jun 16 10:26:33.950228 2021] [oauth2:debug] [pid 119080] src/cache.c(368): [client 10.8.225.116:53237] oauth2_cache_set: leave: successfully stored: eyJ0eXAiOiJKV1QiLCJhbGc...DF9hNJNLMraqb-CmtSHBHkCA4QlqgYc-T-_HPut4pw
[Wed Jun 16 10:26:33.950264 2021] [oauth2:debug] [pid 119080] src/oauth2.c(798): [client 10.8.225.116:53237] oauth2_token_verify: leave: 1
[Wed Jun 16 10:26:33.950267 2021] [oauth2:error] [pid 119080] [client 10.8.225.116:53237] oauth2_apache_set_request_user: remote user claim could not be found
[Wed Jun 16 10:26:33.950270 2021] [oauth2:debug] [pid 119080] src/server/apache.c(324): [client 10.8.225.116:53237] oauth2_apache_return_www_authenticate: enter
[Wed Jun 16 10:26:33.950274 2021] [oauth2:debug] [pid 119080] src/server/apache.c(387): [client 10.8.225.116:53237] oauth2_apache_hdr_out_add: WWW-Authenticate: Bearer error="invalid_token", error_description="Could not determine remote user."
[Wed Jun 16 10:26:33.950277 2021] [oauth2:debug] [pid 119080] src/server/apache.c(348): [client 10.8.225.116:53237] oauth2_apache_return_www_authenticate: leave
[Wed Jun 16 10:26:33.950279 2021] [oauth2:debug] [pid 119080] src/mod_oauth2.c(153): [client 10.8.225.116:53237] oauth2_request_handler: leave
[Wed Jun 16 10:26:33.950471 2021] [oauth2:debug] [pid 119080] src/server/apache.c(292): [client 10.8.225.116:53237] oauth2_apache_request_context_free: dispose request context: 0x55a59a25e910

fix broken dependency on Debian Buster

The package liboauth2_1.4.1-1.bionic+1_amd64.deb is pinned to an old package, libhiredis0.13 (>= 0.13.1).
I already have libhiredis0.14 installed on Debian Buster, but only libhiredis0.13 is required.

packages for Debian/Ubuntu don't contain .so file

For versions >= 1.4.5.3 and <= 1.5.1, the .deb files for liboauth2 for Debian/Ubuntu would not contain the .so symbolic link (anymore) but only the .so.0 files; that in turn would result in dependent modules being linked statically against liboauth2, so updates of the library would not actually result in an upgrade of the functionality.

[RefactoringRequest] oauth2_token_verify method renaming

First of all - Thank you for all what you are doing.

We are debugging the mod_oauth2 module and ran into a misunderstanding.
Initially, we expected that oauth2_token_verify would validate the JWT token, but instead the code verifies only JSON compatibility. Agreed, the name doesn't include jwt, but it's what we assumed.
Maybe you can modify the name to reflect JSON validation in the naming?

Test fails on a Debian testing (Bookworm) distribution

The library builds successfully on Debian Bookworm, using the packages libmemcached-dev and libhiredis-dev, but the tests fail here:

test/check_cache.c:60:F:core:test_cache_memcache:0: Assertion 'rc == 1' failed: rc == 0, 1 == 1
test/check_cache.c:60:F:core:test_cache_redis:0: Assertion 'rc == 1' failed: rc == 0, 1 == 1

The failing test is the following:

static void _test_basic_cache(oauth2_cache_t *c)
{
	bool rc = false;
	char *value = NULL;

	rc = oauth2_cache_set(_log, c, "piet", "klaas", 2);
	ck_assert_int_eq(rc, true);

Building against latest nginx breaks

nginx has removed r->port_start and r->port_end.

nginx/nginx@0db94ba

src/server/nginx.c: In function '_oauth2_nginx_port_copy':
src/server/nginx.c:103:27: error: 'ngx_http_request_t' {aka 'struct ngx_http_request_s'} has no member named 'port_end'; did you mean 'host_end'?
  103 |         int len = ctx->r->port_end - ctx->r->port_start;
      |                           ^~~~~~~~
      |                           host_end
src/server/nginx.c:103:46: error: 'ngx_http_request_t' {aka 'struct ngx_http_request_s'} has no member named 'port_start'; did you mean 'host_start'?
  103 |         int len = ctx->r->port_end - ctx->r->port_start;
      |                                              ^~~~~~~~~~
      |                                              host_start
src/server/nginx.c:105:58: error: 'ngx_http_request_t' {aka 'struct ngx_http_request_s'} has no member named 'port_start'; did you mean 'host_start'?
  105 |                 v = oauth2_strndup((const char *)ctx->r->port_start, len);
      |                                                          ^~~~~~~~~~
      |                                                          host_start
make: *** [Makefile:1464: src/server/liboauth2_nginx_la-nginx.lo] Error 1

oauth2_json_decode_object error in 1.5.1

I just tested 1.5.1 and it always fails for me with the error: oauth2_json_decode_object: json_loads failed: '[' or '{' expected near '<'. I'm doing nothing new as far as I'm aware (it fails regardless of the verify.iss setting):

OAuth2TokenVerify metadata https://{{ domain }}/.well-known/openid-configuration metadata.ssl_verify=false

...

<Location />
        AuthType oauth2
        Require valid-user
        OAuth2TargetPass remote_user_claim=preferred_username
</Location>

I generated a fresh token with KeyCloak. I modified the token a bit with jwt.io, but I can reproduce the problem with this token:

eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCIsImtpZCI6InloTWpPd0p4VXljOXhUdFRkcUtHd3dReG1EU29UQkdVY0tkRXZUd0xCcmcifQ.eyJleHAiOjE2ODI5Nzg2MDYsImlhdCI6MTY4MTk3ODYwNiwianRpIjoiaWQiLCJpc3MiOiJteWlzc3VlciIsImF1ZCI6ImFjY291bnQiLCJzdWIiOiJteXN1YiIsInR5cCI6IkJlYXJlciIsImF6cCI6ImFwaSIsImFjciI6IjEiLCJyZWFsbV9hY2Nlc3MiOnsicm9sZXMiOlsib25lIiwidHdvIiwidGhyZWUiXX0sInJlc291cmNlX2FjY2VzcyI6eyJhY2NvdW50Ijp7InJvbGVzIjpbIm9uZSIsInR3byIsInRocmVlIl19fSwic2NvcGUiOiJlbWFpbCBwcm9maWxlIiwiY2xpZW50SWQiOiJhcGkiLCJjbGllbnRIb3N0IjoiMTI3LjAuMC4xIiwiZW1haWxfdmVyaWZpZWQiOmZhbHNlLCJncm91cHMiOlsiZ3JvdXAxIiwiZ3JvdXAyIiwiZ3JvdXAzIl0sInByZWZlcnJlZF91c2VybmFtZSI6InNlcnZpY2UtYWNjb3VudC1hcGkiLCJjbGllbnRBZGRyZXNzIjoiMTI3LjAuMC4xIn0.K9cK29xpkY0CCMBTE2W-zEIbj2FruW-f2a6WyM7Hu970znxVHiSoVb15aSt7mSKHWY-9iHqk_h_HQSFHxUL_EMUcS0hKAD-cwFif1jK4ZT0fP9vxIsuaU0G1TFd7xMQrY42CNdR1_tXHb9FdZmn7-ycArYOJ54w1noU2--6J7FY4G-fy5hGB-YroMisodr5ysnhhdHtW3W7Ci8HduqPJ-ueZ1uPIjB9kILY2A4N2kVIs3wa-xOBATOF3EMvJx6QZliRmmXxppPcMFlz3YWD-JXTt8s8k9EQEVzbyXqeJHMBaXFDsc6Em5RM4brGgEqXmh7IbpSAoq9-7rcN2Vk6rQA

I would build and test for you, once you have a patch, but I'm not sure what the quickest way is to build for a specific platform (I'm running ubuntu 22.04 locally, while our servers run 20.04). I could build on one of our test servers, if there is no other solution. Please let me know.

Missing include paths

Hi,

when compiling liboauth2 it cannot find <cjose/cjose.h> (my PKG_CONFIG_PATH points to the right location).
I think the AM_CPPFLAGS var in Makefile.am should also contain @CJOSE_CFLAGS@ (and @CURL_CFLAGS@).

Explicitly include libraries during linking (jansson symbol versioning)

For our use case, we load several modules into Apache HTTPD, including mod_oauth2. Due to their dependencies, we eventually end up with two JSON libraries being loaded: jansson and json-c.
These have symbol conflicts and at some point, invalid memory access occurs.

Fortunately, both projects have added symbol versioning via their build process. Now both libraries can safely be loaded into the same process.
However, this requires all dependents to rebuild their code against the updated versions of the libraries, so that at the call location the proper version is added to each symbol (indicating that either jansson's or json-c's symbol is to be used).

Rebuilding liboauth2.so worked out of the box and produced a shared library referencing versioned symbols (readelf -W -r liboauth2.so), but liboauth2_apache.so still used symbols without a version.
The reason seems to be that -ljansson is not included as flags for the linker and thus the linker cannot look up the proper version of the used symbols and symbols without version are written to the resulting shared object file.

I was able to validate that adding the flag leads to the symbols being versioned.

patch
diff --git a/Makefile.am b/Makefile.am
index 7b19f5f..9b8111d 100644
--- a/Makefile.am
+++ b/Makefile.am
@@ -121,7 +121,7 @@ liboauth2_apache_la_pkgconfig_DATA = liboauth2_apache.pc
 
 liboauth2_apache_la_CPPFLAGS = $(AM_CPPFLAGS) -DHAVE_APACHE
 liboauth2_apache_la_CFLAGS = @APACHE_CFLAGS@
-liboauth2_apache_la_LIBADD = liboauth2.la @APR_LIBS@
+liboauth2_apache_la_LIBADD = liboauth2.la @APR_LIBS@ @JANSSON_LIBS@
 
 includesub_HEADERS += \
        include/oauth2/apache.h
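Review bot: the hunk only extends liboauth2_apache_la_LIBADD, while the request text below covers liboauth2_nginx.so as well, so the corresponding LIBADD line for liboauth2_nginx should get the same @JANSSON_LIBS@ addition in this patch. Keeping liboauth2.la first in LIBADD is not enough on its own: as the description explains, it is the explicit jansson library at link time that lets the linker bind the versioned symbol, so after rebuilding, `readelf -W -r liboauth2_apache.so` should show the jansson references carrying a version suffix.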

Hence, I'd like to request adding all required libraries to the linker flags for liboauth2_apache.so and liboauth2_nginx.so, so that versioned symbols are properly picked up for jansson and any other projects deciding to add a version to their exported symbols.
I'm intentionally not submitting a PR because I'm unfamiliar with autotools and this project's build process; however, do not hesitate to ask if I can help in getting this issue fixed in any way!

Debian Bookworm/Testing has a version of the libjansson4 package with versioned symbols, if you want to have a look yourself.

how to introspect URL with GET?

Hello,
I have ONLY one introspect URL that accepts Authorization Bearer via GET. However, I am seeing in http.c that it is setting POST (when data is not NULL, which is always the case as it has the token), which is not compatible with my introspect URL specs.
how can I force the OAuth2 to do GET instead? it seems not possible from the source code unlike the older version.

Appreciate your help again.

Missing dependencies when statically linking.

Hi,
when building a shared object of mod_oauth2 with statically linked liboauth2 etc., I found that mod_oauth2 would not load in Apache due to missing symbols from cjose and libcurl.
I think those two libs should be added to liboauth2.pc.in (and openssl should probably be added as well).

dependency error on liboauth2 install

Installing liboauth2 on RedHat 8, I get the following error:

Installing: yum localinstall liboauth2-1.4.4-1.el8.x86_64.rpm

nothing provides pkgconfig(libmemcached) >= 0.8.0 needed by liboauth2-1.4.4-1.el8.x86_64

Though libmemcached is already installed.
rpm -qa | grep libmemcache
libmemcached-1.0.18-15.el8.x86_64
libmemcached-libs-1.0.18-15.el8.x86_64

About the bug of oauth2_auth_client_secret_jwt

func: oauth2_auth_client_secret_jwt

    if ((auth->client_secret_jwt.client_id == NULL) ||
        (auth->client_secret_jwt.jwk == NULL) ||
        (auth->client_secret_jwt.aud = NULL))
        goto end;

Correction:

    auth->client_secret_jwt.aud == NULL

The affected branches are: master and liboauth2-1.1.1. Please check other branches.
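The report above describes an assignment where a comparison was intended. The following is an added example, not liboauth2's own code, that isolates the pattern with a hypothetical stand-in struct and check functions so the effect can be observed: the buggy check never rejects a missing `aud`, and it silently sets a valid `aud` to NULL.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

/* Hypothetical stand-in for the client_secret_jwt fields named in the report. */
struct client_secret_jwt {
    const char *client_id;
    const char *jwk;
    const char *aud;
};

/* Mirrors the reported condition: the third operand is an assignment, so it
 * evaluates to NULL (false) every time and overwrites aud as a side effect. */
static bool required_fields_present_buggy(struct client_secret_jwt *c)
{
    if ((c->client_id == NULL) || (c->jwk == NULL) || (c->aud = NULL))
        return false; /* the "goto end" path: never reached for a missing aud */
    return true;      /* caller proceeds, but c->aud is now always NULL */
}

/* The corrected comparison from the report. */
static bool required_fields_present_fixed(const struct client_secret_jwt *c)
{
    if ((c->client_id == NULL) || (c->jwk == NULL) || (c->aud == NULL))
        return false;
    return true;
}

/* Constructed sample input with all three fields set. */
static struct client_secret_jwt sample_complete(void)
{
    struct client_secret_jwt c = { "my-client", "{\"kty\":\"oct\"}",
                                   "https://as.example/token" };
    return c;
}

int main(void)
{
    struct client_secret_jwt c = sample_complete();
    printf("fixed check, complete input: %d\n", required_fields_present_fixed(&c));
    printf("buggy check, complete input: %d\n", required_fields_present_buggy(&c));
    printf("aud after buggy check: %s\n", c.aud ? c.aud : "(null)");
    c.aud = NULL;
    printf("fixed check, missing aud: %d\n", required_fields_present_fixed(&c));
    printf("buggy check, missing aud: %d\n", required_fields_present_buggy(&c));
    return 0;
}
```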

C++ high level api

Dear contributors

Thanks for your library.

Do you have any plan to provide a high-level abstraction API on top of this library for use in modern C++ code?

#define statements in config.h can lead to collision with other libraries

The file include/oauth2/config.h generated by autoconf uses non-specific #define statements, like #define PACKAGE_NAME.

As far as I can see, this file is used in include/oauth2/apache.h only.

If a program includes liboauth2 and another library with the same type of config.h file, the build will probably fail.

A solution is to prefix the #define statements in config.h to lower the risk of collision. What do you think?

Can't build on ArchLinux

Hi
I'm trying to build this package because it's needed for mod_oauth2, but I'm getting some missing file errors when running make on Arch Linux. The first one is:

In file included from src/server/apache.c:22:
include/oauth2/apache.h:34:10: fatal error: httpd.h: Nie ma takiego pliku ani katalogu
   34 | #include <httpd.h>
      |          ^~~~~~~~~
compilation terminated.

And I'm guessing that same will go for: http_config.h, http_log.h and mod_auth.h as I can't find them anywhere in the source folder as well.
My steps (after extracting tar) were: ./autogen.sh, ./configure, make.
So what am I doing wrong here?

PEM_read_bio_PUBKEY failed when using pubkey option in apache2

Hello, I am using the https://babelouest.github.io/glewlwyd/docs/OAUTH2.html server, with generated keys:

# RSA KEY
$ # private key
$ openssl genrsa -out private-rsa.key 4096
$ # public key
$ openssl rsa -in private-rsa.key -outform PEM -pubout -out public-rsa.pem

My public key in /pubkey.key is:

-----BEGIN PUBLIC KEY-----
MIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEAq3vNv0Zhc3VyUZTJPkO/
CUT
E6poZZ4jxdNEG78Bq9oGXraJOtAokK3E36CLkFBqc68maV39JkEHpZ315iLIm8wv
UpneLKgbapSfrPkNJWYqFWsCAwEAAQ==
-----END PUBLIC KEY-----

In the Apache configuration I have:

        <Location />
                AuthType oauth2
                OAuth2TokenVerify pubkey /pubkey.key
                Require valid-user
        </Location>

When I start Apache, I get this error:

AH00526: Syntax error on line 5 of /etc/apache2/sites-enabled/000-default.conf:
PEM_read_bio_PUBKEY failed: error:0909006C:PEM routines:get_name:no start line
Action '-D FOREGROUND' failed.
The Apache error log may have more information.

Could you check if this certificate is good? I cannot change it.
