openidc / mod_auth_openidc
OpenID Certified™ OpenID Connect Relying Party implementation for Apache HTTP Server 2.x
License: Apache License 2.0
We operate Apache behind a load balancer that performs SSL decryption. The traffic reaches Apache unencrypted on port 80. As configured, a request of https://host.mydomain.com/protected/ is ultimately redirected to http://host.mydomain.com/protected/. Given that the mod_auth_openidc_session cookie is only sent over a secure connection, the cookie is not sent - resulting in a redirect loop.
We'd like to request that the scheme be exposed as a value - it appears that the scheme is assumed based on initial request. Perhaps as OIDCCurrentURLScheme.
The method we used to test this is described below:
Hi,
I am trying to install this module on Debian 7. I have one OP (Gluu server) and a client Apache with mod_auth_openidc.
When I try to test OpenID Connect authentication, I get the redirection from the client to the OP, and then from the OP to the client after the authentication. I get these errors:
Error: The OpenID Connect Provider returned an error: Error in handling response type.
In Apache I get these errors:
[Thu Feb 26 12:47:44 2015] [error] [client 192.168.253.17] oidc_util_json_string_print: oidc_util_check_json_error: response contained an "error" entry with value: ""invalid_client"", referer: https://alaska.aduneo.com/oxauth/login?scope=openid&response_type=code&nonce=QezaEtaxvLdZcB3pAHSvzDf9vg5rkPWsRA2kxwN9feY&redirect_uri=https%3A%2F%2Fnewyork.aduneo.com%2Fprotected%2F&state=_3tSS-kt7KEsz6Unm-Y1tsZEY2s&client_id=%40%2100EB.2A19.32E4.4E23%210001%215A40.2DD3%210008%2145B9.D59A
[Thu Feb 26 12:47:44 2015] [error] [client 192.168.253.17] oidc_util_json_string_print: oidc_util_check_json_error: response contained an "error_description" entry with value: ""Client authentication failed (e.g. unknown client, no client authentication included, or unsupported authentication method). The authorization server MAY return an HTTP 401 (Unauthorized) status code to indicate which HTTP authentication schemes are supported. If the client attempted to authenticate via the Authorization request header field, the authorization server MUST respond with an HTTP 401 (Unauthorized) status code, and include the WWW-Authenticate response header field matching the authentication scheme used by the client."", referer: https://alaska.aduneo.com/oxauth/login?scope=openid&response_type=code&nonce=QezaEtaxvLdZcB3pAHSvzDf9vg5rkPWsRA2kxwN9feY&redirect_uri=https%3A%2F%2Fnewyork.aduneo.com%2Fprotected%2F&state=_3tSS-kt7KEsz6Unm-Y1tsZEY2s&client_id=%40%2100EB.2A19.32E4.4E23%210001%215A40.2DD3%210008%2145B9.D59A
[Thu Feb 26 12:47:44 2015] [error] [client 192.168.253.17] oidc_proto_resolve_code_and_validate_response: failed to resolve the code, referer: https://alaska.aduneo.com/oxauth/login?scope=openid&response_type=code&nonce=QezaEtaxvLdZcB3pAHSvzDf9vg5rkPWsRA2kxwN9feY&redirect_uri=https%3A%2F%2Fnewyork.aduneo.com%2Fprotected%2F&state=_3tSS-kt7KEsz6Unm-Y1tsZEY2s&client_id=%40%2100EB.2A19.32E4.4E23%210001%215A40.2DD3%210008%2145B9.D59A
the content of auth_openidc.conf:
OIDCRedirectURI https://newyork.aduneo.com/protected/
OIDCCryptoPassphrase password
OIDCProviderMetadataURL https://alaska.aduneo.com/.well-known/openid-configuration
OIDCSSLValidateServer Off
OIDCClientID @!00EB.2A19.32E4.4E23!0001!5A40.2DD3!0008!45B9.D59A
OIDCClientSecret 5nz4TtA2L/XrFjzfoPt4XA==
OIDCClientName newyork
<Location /protected/>
AuthType openid-connect
Require valid-user
</Location>
Can you give me a hint, please?
Thank you very much
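invalid_client is the token endpoint refusing the client credentials, so the first thing to compare is the exact form in which they reach the OP. The Python below is an added example, not code from mod_auth_openidc or from Gluu: it builds the two client authentication methods an OpenID Connect RP can use, client_secret_basic (RFC 6749 section 2.3.1, which form-urlencodes client_id and secret before base64-encoding them) and client_secret_post, using the client_id and secret from the configuration above, and decodes the Basic header the way a compliant token endpoint must. It does not claim which method the failing setup used; in mod_auth_openidc the method is selected with OIDCProviderTokenEndpointAuth, which appears in other configurations on this page. The authorization code in the usage is made up.

```python
import base64
from urllib.parse import parse_qs, quote, unquote, urlencode

# Values from the auth_openidc.conf posted above.
CLIENT_ID = "@!00EB.2A19.32E4.4E23!0001!5A40.2DD3!0008!45B9.D59A"
CLIENT_SECRET = "5nz4TtA2L/XrFjzfoPt4XA=="


def basic_auth_header(client_id, client_secret, rfc6749_encoding=True):
    """client_secret_basic. RFC 6749 2.3.1: both values are form-urlencoded,
    joined with ':' and then base64-encoded. rfc6749_encoding=False produces
    what a naive client sends; for this client_id the two headers differ on
    the wire because of '@', '!', '/' and '=', and which one an OP accepts
    depends on whether its token endpoint percent-decodes as the RFC requires."""
    if rfc6749_encoding:
        client_id = quote(client_id, safe="")
        client_secret = quote(client_secret, safe="")
    raw = f"{client_id}:{client_secret}".encode("utf-8")
    return "Basic " + base64.b64encode(raw).decode("ascii")


def raw_credentials(header):
    """The base64-decoded 'id:secret' string, i.e. the bytes the OP logs."""
    scheme, _, blob = header.partition(" ")
    if scheme != "Basic":
        raise ValueError("not HTTP Basic")
    return base64.b64decode(blob).decode("utf-8")


def decode_basic_auth(header):
    """What a compliant token endpoint does with the Authorization header:
    split on the first ':' and percent-decode each half."""
    client_id, sep, client_secret = raw_credentials(header).partition(":")
    if not sep:
        raise ValueError("missing ':' separator")
    return unquote(client_id), unquote(client_secret)


def token_request_body(code, redirect_uri, client_id=None, client_secret=None):
    """Body of the authorization_code grant. With client_secret_post the
    credentials are ordinary form fields, so urlencode() handles them."""
    fields = {"grant_type": "authorization_code", "code": code, "redirect_uri": redirect_uri}
    if client_id is not None:
        fields["client_id"] = client_id
        fields["client_secret"] = client_secret
    return urlencode(fields)


def parse_token_request_body(body):
    """Single-valued view of the form body, as the token endpoint reads it."""
    return {k: v[0] for k, v in parse_qs(body, strict_parsing=True).items()}


if __name__ == "__main__":
    print(basic_auth_header(CLIENT_ID, CLIENT_SECRET))
    print(basic_auth_header(CLIENT_ID, CLIENT_SECRET, rfc6749_encoding=False))
    print(token_request_body("made-up-code", "https://newyork.aduneo.com/protected/",
                             CLIENT_ID, CLIENT_SECRET))
```

Capture the token request with a debugging proxy or the OP's request log and compare the Authorization header with the two forms printed here; if the OP only accepts one of them, switching the client authentication method (or the OP's decoding) is the fix rather than the credentials.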
root@myhost:/tmp# ipcs -s
------ Semaphore Arrays --------
key semid owner perms nsems
0x002fa327 0 root 666 2
0x00000000 6619137 www-data 600 1
0x00000000 6651906 www-data 600 1
0x00000000 6684675 www-data 600 1
0x00000000 6717444 www-data 600 1
root@myhost:/tmp# /etc/init.d/apache2 reload
------ Semaphore Arrays --------
key semid owner perms nsems
0x002fa327 0 root 666 2
0x00000000 6619137 www-data 600 1
0x00000000 6651906 www-data 600 1
0x00000000 6684675 www-data 600 1
0x00000000 6750212 www-data 600 1
0x00000000 6782981 www-data 600 1
0x00000000 6815750 www-data 600 1
0x00000000 6881287 www-data 600 1
0x00000000 6914056 www-data 600 1
0x00000000 6946825 www-data 600 1
0x00000000 6979594 www-data 600 1
Once the semaphore limit is hit, apache dies.
Produce packages for RHEL/CentOS 6 and 7. (6 probably deserves higher priority as 7 was just released.)
I am trying to protect 'content' folder served by Apache/2.2.22 (Ubuntu). Here is my config entry
OIDCProviderMetadataURL http://192.168.1.11:8080/openid-connect-server-webapp/.well-known/openid-configuration
OIDCCryptoPassphrase helloworld
OIDCRedirectURI http://192.168.1.11:100/content/redirect_uri
OIDCScope "openid email profile"
#OIDCCookiePath /
#OIDCCookieDomain 192.168.1.11
OIDCClientID xxxxxxxx
OIDCClientSecret xxxxxxxxxxxxxxxxx
<Location /content>
AuthType openid-connect
Require claim preferred_username:guest
</Location>
As you can see my OP is running on Tomcat on the same server.
When I access http://192.168.1.11:100/content/user/index.html I get the following error on the browser
HTTP Status 404 - /openid-connect-server-webapp/oauth/error
However, if the redirect_uri is not under "/content", say "/redirect_uri", all URLs referring to "/content/**" get redirected to /redirect_uri/index.html
I am not able to make this work, any help is appreciated.
thanks,
Karunakar
So I have several Debian machines with an identical config and REMOTE_USER gets set to the user's email (the user's email will never be null either), but on a Scientific Linux box REMOTE_USER seems to be the default sub@issuer.
OIDCProviderIssuer provider.com
OIDCProviderAuthorizationEndpoint https://provider.com/oauth/userinfo
OIDCProviderTokenEndpoint https://provider.com/oauth/userinfo
OIDCProviderUserInfoEndpoint https://provider.com/oauth/userinfo
OIDCClientID some_long_string
OIDCClientSecret some_long_string
OIDCScope "openid"
OIDCRedirectURI https://client.com/redirect_uri
OIDCCryptoPassphrase a-cool-password
OIDCOAuthRemoteUserClaim email
<Directory /var/www/html/thevault/>
AuthType openid-connect
Require claim staff_flag:true
</Directory>
Occasionally, the state cookie might get scoped to the wrong path, leading to errors like this when the authentication provider redirects the user to https://REDACTED/oauth2callback:
[Thu Aug 14 05:43:48 2014] [error] [client 10.1.2.3] oidc_restore_proto_state: no "mod_auth_openidc_state" state cookie found, referer: https://REDACTED/
[Thu Aug 14 05:43:48 2014] [error] [client 10.1.2.3] oidc_unsolicited_proto_state: could not parse JWT from state: invalid unsolicited response, referer: https://REDACTED/
[Thu Aug 14 05:43:48 2014] [error] [client 10.1.2.3] oidc_authorization_response_match_state: unable to restore state, referer: https://REDACTED/
To fix this, the user must delete all mod_auth_openidc_state cookies associated with the Host in his/her browser and reload the site.
I'm still trying to trace down the exact cause, but it seems like the module sometimes isn't issuing a state cookie that's root-scoped even though our AuthType openid-connect and Require valid-user directives are bound to <Location />.
Attempting to use MS Live. In its authorization response I get an access_token but no id_token. I do get a "user_id" string.
I am testing mod_auth_openidc on my local machine. I keep getting this error when retrieving the token:
[auth_openidc:error] [pid 468628:tid 2900] [client 127.0.0.1:52791] oidc_util_http_call: curl_easy_perform() failed on: https://localhost/auth/oidc/token (SSL certificate problem: self signed certificate)
[auth_openidc:warn] [pid 468628:tid 2900] [client 127.0.0.1:52791] oidc_proto_token_endpoint_request: error when calling the token endpoint (https://localhost/auth/v3/oidc/token)
Not sure if it is a real issue or some extra flag I need to set in http.conf
I am using mod_ssl and the following configs in the http.conf for mod_auth_openidc
OIDCClientID mnWfbpfbOroRlOg1qlv49eN5jBMa
OIDCClientSecret V1H9N67jSwiw0SvEl3eTzTgHH84a
OIDCCryptoPassphrase Somepass
OIDCRedirectURI http://localhost/oidc/redirect_uri
OIDCProviderAuthorizationEndpoint https://localhost/auth/oidc/auth
OIDCProviderTokenEndpoint https://localhost/auth/oidc/token
OIDCProviderIssuer localhost/auth/oidc/auth
<Location "/oidc/">
AuthType openid-connect
Require valid-user
</Location>
Hello,
To begin, thank you for your excellent work on this module!
REMOTE_USER environment variable is not accessible in mod_rewrite despite the use of LA_U.
A simple example:
RewriteEngine On
RewriteCond %{LA-U:REMOTE_USER} .+
RewriteRule . - [L,E=USEROK:1]
The USEROK variable will never be defined.
If I use the directives below, I am rejected despite successful openidc authentication:
Order Deny,Allow
Allow from env=USEROK
Deny from all
Satisfy All
Logs:
IP - - [03/Mar/2015:16:00:44 +0100] "GET / HTTP/1.1" 403 579 "..."
Logs without the Allow directive:
IP - USERNAME [03/Mar/2015:16:01:50 +0100] "GET / HTTP/1.1" 200 1133 "..."
There was a similar issue on mod_auth_openid: bmuller/mod_auth_openid#2
We are on Debian Wheezy (64-bit), Apache 2.2 and openidc 1.7.3
It would allow for local validation of access tokens when a (link to a) JWK has been provided in the configuration. Test with the PingFederate JWT token type. Could be used against Azure AD as well.
I found a bug in the JSON decoder. When JSON data contains a Unicode escape (e.g., "Martin \u0160rom") the decoding fails.
In my case the unicode characters are in JSON returned by UserInfo endpoint. The user attributes like first name, last name, organization, etc. can contain special characters.
The library https://github.com/moriyoshi/apr-json which is used as JSON decoder is not reliable. I would suggest to use another library (e.g., http://www.digip.org/jansson/). List of all available JSON libraries for C can be found here: http://www.json.org/.
Here is a patch for the current version of the JSON decoder to properly parse Unicode escapes:
diff --git a/src/json/apr_json_decode.c b/src/json/apr_json_decode.c
index a03f372..3bd8682 100644
--- a/src/json/apr_json_decode.c
+++ b/src/json/apr_json_decode.c
@@ -98,7 +98,7 @@ static apr_status_t apr_json_decode_string(apr_json_scanner_t *self, apr_json_st
}
p += 5;
string.len += 4; /* an UTF-8 character spans at most 4 bytes */
- break;
+ // confinue consuming characters after "\uXXXX"
} else {
string.len++;
p++;
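Review bot: the replacement for `break;` is a bare `//` comment with a typo ("confinue"), so the only behavioural change in this hunk is that the loop keeps scanning after `p += 5`; say so in the comment and use `/* ... */`, because `//` comments, like the for-loop declarations reported further down this page, are rejected by a compiler that is not in C99/gnu99 mode. Also, nothing visible here checks that five bytes remain before `p += 5`; unless the caller guarantees it, a string ending in a truncated `\u12` escape advances `p` past `e`. A guard such as `if (e - p < 5) { status = APR_EGENERAL; break; }` before the advance would close that.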
@@ -127,8 +127,10 @@ static apr_status_t apr_json_decode_string(apr_json_scanner_t *self, apr_json_st
case 'u':
/* THIS IS REQUIRED TO BE A 4 DIGIT HEX NUMBER */
{
+ p++; // hex digits start after the 'u' character
+ int i = 0; // number of digits already parsed (cannot exceed 4)
int cp = 0;
- while (p < e) {
+ while (p < e && i < 4) {
int d = hex_to_int(*p);
if (d < 0) {
status = APR_EGENERAL;
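Review bot: two things in the new loop. First, `int i = 0;` is declared after the statement `p++;`, a mixed declaration that is again C99-only and will trip the same older GCC that rejects the for-loop declaration in src/metadata.c elsewhere on this page; declare `i` next to `cp` at the top of the block and do the `p++` afterwards. Second, the loop now also stops when `p == e`, but nothing after it verifies that four digits were actually consumed, so a JSON string ending in `\u1` yields a partial code point instead of an error; add `if (i != 4) { status = APR_EGENERAL; ... }` after the loop, mirroring the `d < 0` branch.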
@@ -136,6 +138,7 @@ static apr_status_t apr_json_decode_string(apr_json_scanner_t *self, apr_json_st
}
cp = (cp << 4) | d;
p++;
+ i++;
}
if (cp >= 0xd800 && cp < 0xdc00) {
/* surrogate pair */
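Review bot: after this loop `i == 4`. If the surrogate-pair branch that starts here parses the trailing low surrogate with the same `while (p < e && i < 4)` pattern and the same variable, that second loop exits immediately and the low half of `cp` stays 0; reset `i` (or use a fresh counter) before parsing the second `\uXXXX`, and check that the second value is actually in the 0xdc00..0xdfff range before combining the two.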
Martin
According to the memcached wiki page using memcached is not recommended for sessions. I was wondering if it is possible to add support for a Redis option for saving sessions?
The instructions in INSTALL say to run ./configure
but no such script exists in the distribution.
test code 'test_jwt_decryption' fails on big endian architectures (mips, powerpc, sparc):
| `/usr/bin/apxs2 -q CC` -DLINUX -D_REENTRANT -D_GNU_SOURCE -D_LARGEFILE64_SOURCE -I/usr/include/apr-1.0 -Isrc -o test/test test/*.c src/jose/apr_jwt.c src/jose/apr_jwk.c src/jose/apr_jws.c src/jose/apr_jwe.c -lapr-1 -laprutil-1 -lldap -llber -lssl -lcrypto -ljansson
| test/test
| Failed: # test_jwt_decryption: error in apr_jwe_decrypt_jwt: result "0" != expected "1"
| make[1]: *** [test] Error 1
If a Redis server configured as a cache is configured with an idle timeout, the server might close the connection before the module communicates with it again. This is especially possible for web services that are infrequently accessed. This leads to errors that look like:
oidc_cache_redis_get: redisCommand failed, reply == NULL: 'Server closed the connection'
In such a case, the client should try to reconnect to the Redis server and reattempt the request.
We set up an OAuth/OpenID Connect server and our application authenticates users against the OAuth/OpenID Connect server. We have an Apache web server that uses mod_auth_openidc and that Apache web server serves the content to authenticated users of our application.
When a user signs off/out from the application, we want the Apache server to stop serving the content. However the mod_auth_openidc cookie in the user's browser is valid even after revoking the access tokens on the OAuth/OpenID Connect server. Is there a way for mod_auth_openidc to support "federated sign-out" or "single sign-out"? Any guidance is appreciated.
By the way we use
OIDCProviderMetadataURL http://svr-IP/openid-connect-server/.well-known/openid-configuration
in our Apache configuration.
thanks,
Karunakar
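What the question asks for is what the OpenID Connect Back-Channel Logout mechanism provides: the OP sends the RP a signed Logout Token and the RP terminates its own session, which is the part that revoking tokens at the OP cannot do by itself. The Python below is an added example, not code from mod_auth_openidc or from any OP, of the RP side: a session store that can be searched by the OP's sub and sid, and a handler applying the Logout Token checks from section 2.6 of that specification (iss, aud, iat, events, no nonce, sub or sid, jti replay) before revoking. It takes the already-verified claims as a dict; in a real endpoint the token's signature is checked against the OP's JWKS first. The issuer, client id and session ids are constructed.

```python
import time

LOGOUT_EVENT = "http://schemas.openid.net/event/backchannel-logout"


class RpSessionStore:
    """Server-side RP sessions, indexed so they can be found by the OP's
    identifiers (issuer, subject, OP session id 'sid') and not only by the
    browser cookie."""

    def __init__(self):
        self._sessions = {}      # rp_session_id -> {"iss", "sub", "sid"}
        self._seen_jti = set()   # logout tokens already processed (replay guard)

    def create(self, rp_session_id, iss, sub, sid):
        self._sessions[rp_session_id] = {"iss": iss, "sub": sub, "sid": sid}

    def is_valid(self, rp_session_id):
        return rp_session_id in self._sessions

    def remember_jti(self, jti):
        """True if jti is new, False if it was seen before."""
        if jti in self._seen_jti:
            return False
        self._seen_jti.add(jti)
        return True

    def revoke(self, iss, sub=None, sid=None):
        """sid given: only that OP session; otherwise every session of sub."""
        doomed = [k for k, s in self._sessions.items()
                  if s["iss"] == iss and ((sid is not None and s["sid"] == sid)
                                          or (sid is None and s["sub"] == sub))]
        for k in doomed:
            del self._sessions[k]
        return len(doomed)


class LogoutTokenError(Exception):
    pass


def handle_backchannel_logout(store, claims, expected_iss, client_id, now=None, max_age=300):
    """Validate Logout Token claims (Back-Channel Logout section 2.6) and
    terminate the matching RP sessions. Returns the number revoked."""
    now = time.time() if now is None else now
    if claims.get("iss") != expected_iss:
        raise LogoutTokenError("iss")
    aud = claims.get("aud")
    if client_id not in (aud if isinstance(aud, list) else [aud]):
        raise LogoutTokenError("aud")
    iat = claims.get("iat")
    if not isinstance(iat, (int, float)) or iat > now + 60 or now - iat > max_age:
        raise LogoutTokenError("iat outside the accepted window")
    events = claims.get("events")
    if not isinstance(events, dict) or not isinstance(events.get(LOGOUT_EVENT), dict):
        raise LogoutTokenError("missing backchannel-logout event")
    if "nonce" in claims:   # prohibited, so a Logout Token can never pass as an ID Token
        raise LogoutTokenError("nonce present")
    if "sub" not in claims and "sid" not in claims:
        raise LogoutTokenError("neither sub nor sid")
    if not isinstance(claims.get("jti"), str) or not store.remember_jti(claims["jti"]):
        raise LogoutTokenError("missing or replayed jti")
    return store.revoke(expected_iss, sub=claims.get("sub"), sid=claims.get("sid"))


def logout_rejected(store, claims, expected_iss="https://op.example",
                    client_id="rp-client", now=1700000010):
    """Convenience check used in the usage: True if the token is refused."""
    try:
        handle_backchannel_logout(store, claims, expected_iss, client_id, now=now)
    except LogoutTokenError:
        return True
    return False
```

The store has to be server-side for this to work at all: a purely cookie-encoded session (no state on the RP) cannot be revoked by anyone but the browser, which is the situation described in the question. An OP without back-channel logout can only be polled, i.e. the RP re-validates or refreshes the access token on a short interval and ends the session when the OP refuses.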
tried my best to make a sensible topic/subject
Can we get an option for overriding the port so it hits Varnish and routes correctly?
I.e., Apache config:
<Location /foo>
AuthType openid-connect
....
<Location /oauth_callback>
AuthType openid-connect
So when trying to access /foo, you get bounced to accounts.google.com, back to /oauth_callback, but then it tries to redirect you back to /foo, and it is here that the problem happens.
When it tries to redirect you back to /foo, it seems to pick up the vhost port defined in the vhost configuration.
This isn't necessarily correct when we have Varnish in front, and the vhost port defined in the Apache configuration isn't accessible from the outside.
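The same point underlies the load-balancer report near the top of this page (an https:// request redirected to http://) and the Varnish port problem here: the module sees the scheme, host and port of the internal vhost, not the ones the browser used. The Python below is an added example, not mod_auth_openidc code, of the only safe way to recover the external URL: take X-Forwarded-Proto/Host/Port into account solely when the TCP peer is one of the configured proxies, so that an ordinary client cannot use those headers to downgrade a redirect to http:// or point the post-login redirect at another host. The header names, the trusted proxy ranges and the second helper (which says whether a Secure session cookie would accompany a given redirect target) are this example's own assumptions.

```python
from ipaddress import ip_address, ip_network
from urllib.parse import urlsplit

# Assumed: address ranges of the TLS-terminating load balancer / Varnish tier.
TRUSTED_PROXIES = [ip_network("10.0.0.0/8"), ip_network("127.0.0.1/32")]


def from_trusted_proxy(peer_ip):
    addr = ip_address(peer_ip)
    return any(addr in net for net in TRUSTED_PROXIES)


def _last_value(headers, name):
    # A proxy that appends puts its own value last; one that overwrites leaves a
    # single value. Either way the last element is the trusted hop's, and a
    # client-supplied value can only appear earlier in the list.
    return headers.get(name, "").split(",")[-1].strip()


def external_url(peer_ip, local_scheme, local_host, local_port, path, headers):
    """Rebuild the URL the browser used from what the vhost saw.

    peer_ip   - TCP peer: the proxy, or the client itself on a direct connection
    local_*   - scheme/host/port of the vhost (e.g. http, host, 8080 behind Varnish)
    headers   - request headers; names are matched case-insensitively
    """
    h = {k.lower(): v for k, v in headers.items()}
    scheme, host, port = local_scheme, local_host, local_port
    if from_trusted_proxy(peer_ip):
        proto = _last_value(h, "x-forwarded-proto").lower()
        if proto in ("http", "https"):
            scheme = proto
            port = 443 if proto == "https" else 80   # until X-Forwarded-Port says otherwise
        fwd_host = _last_value(h, "x-forwarded-host")
        if fwd_host:
            host, _, host_port = fwd_host.partition(":")
            if host_port.isdigit():
                port = int(host_port)
        fwd_port = _last_value(h, "x-forwarded-port")
        if fwd_port.isdigit():
            port = int(fwd_port)
    default_port = 443 if scheme == "https" else 80
    netloc = host if port == default_port else f"{host}:{port}"
    return f"{scheme}://{netloc}{path}"


def secure_cookie_sent_to(url, cookie_is_secure=True):
    """A cookie with the Secure attribute is only presented on https URLs
    (RFC 6265 section 4.1.2.5). Redirecting a logged-in user to an http://
    URL therefore produces a request without the session cookie, which is
    the redirect loop described in the load-balancer report."""
    return (not cookie_is_secure) or urlsplit(url).scheme == "https"


if __name__ == "__main__":
    lb = {"X-Forwarded-Proto": "https", "X-Forwarded-Host": "host.mydomain.com"}
    print(external_url("10.1.2.3", "http", "host.mydomain.com", 80, "/protected/", lb))
    print(external_url("203.0.113.9", "http", "host.mydomain.com", 80, "/protected/", lb))
```

The trusted-peer test is the whole point: honouring X-Forwarded-Proto from any client turns a redirect-building bug into a phishing primitive (redirect to an attacker-chosen host after login). Keep the list of proxies tight and make sure the proxy strips or overwrites those headers on the way in.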
After installing the deb package on my wheezy server with apache 2.4, the module fails to load:
apache2: Syntax error on line 140 of /etc/apache2/apache2.conf: Syntax error on line 1 of /etc/apache2/mods-enabled/auth_openidc.load: Cannot load /usr/lib/apache2/modules/mod_auth_openidc.so into server: /usr/lib/apache2/modules/mod_auth_openidc.so: undefined symbol: ap_requires
The deb package seems to be installing the module appropriate to apache 2.2, which still has ap_requires, rather than 2.4, where that function has been removed.
When using the Apache worker MPM there appears to be an issue with file locking when using the file storage caching backend (OIDCCacheType file), similar to the one reported for mod_auth_cas here: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=752872
Although this is a bug in libapr1, a workaround in mod_auth_openidc may be considered.
Apparently switching from fcntl to flock could solve it as mod_auth_cas did here: apereo/mod_auth_cas@50663b5#diff-b823cf0e10152100b941acd0fb5838a8R55 but that would also mean losing support for NFS.
I'm thinking a configuration option for the locking mechanism to use is a possible way forward. I'd be interested to hear opinions and actual experience with this issue.
The recommendation for now is to use the Apache prefork MPM when using the file storage caching backend, or use a different caching backend (OIDCCacheType [shm | memcache]) if you want to use the worker MPM.
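The difference the post relies on can be shown directly. The Python below is an added example, not code from mod_auth_openidc, libapr1 or mod_auth_cas, and it is Unix/Linux only: POSIX record locks (fcntl/lockf) are owned by the process, so a second descriptor opened by the same process is simply granted the lock and threads of one worker process never exclude each other; flock() locks are owned by the open file description, so a second open() of the file is refused. It creates and removes a temporary file of its own.

```python
import errno
import fcntl
import os
import tempfile


def _second_descriptor_is_refused(lock_fn):
    """Lock a file through one descriptor, then try a non-blocking exclusive
    lock through a second descriptor opened by the same process.
    Returns True if the second attempt is refused (EWOULDBLOCK/EAGAIN)."""
    fd, path = tempfile.mkstemp(prefix="oidc-cache-lock-")
    fd2 = os.open(path, os.O_RDWR)            # a second, independent open
    try:
        lock_fn(fd, fcntl.LOCK_EX)
        try:
            lock_fn(fd2, fcntl.LOCK_EX | fcntl.LOCK_NB)
        except OSError as exc:
            if exc.errno in (errno.EAGAIN, errno.EWOULDBLOCK, errno.EACCES):
                return True
            raise
        return False
    finally:
        # Caution: with POSIX record locks, closing *any* descriptor of the file
        # drops every lock this process holds on it, another classic pitfall.
        os.close(fd2)
        os.close(fd)
        os.unlink(path)


def posix_record_lock_excludes_same_process():
    """fcntl()/lockf() locks are owned by the process: the second request is
    granted, so threads of one httpd worker get no mutual exclusion from it."""
    return _second_descriptor_is_refused(fcntl.lockf)


def flock_excludes_same_process():
    """flock() locks are owned by the open file description: a second open()
    of the same file is refused until the first descriptor unlocks."""
    return _second_descriptor_is_refused(fcntl.flock)


if __name__ == "__main__":
    print("lockf excludes a second fd in the same process:",
          posix_record_lock_excludes_same_process())
    print("flock excludes a second fd in the same process:",
          flock_excludes_same_process())
```

Run it on the filesystem that will hold the cache directory: the flock() result is what changes on NFS, which is the trade-off the post mentions, and the lockf() result is why a per-process lock cannot protect a cache shared by the threads of one worker.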
I don't see any .spec file for building the RPM package, is it possible to provide this upstream without having to maintain my own?
Or are you using alien for converting from deb to rpm or something like that?
In libapache2-mod-auth-openidc 1.5.3-1 initial authentication doesn't work since it isn't creating the tmp files. If I go back a version, then auth, then upgrade, everything works correctly.
The documentation of the module should be sharpened with respect to OAuth2.
There is a part that says that the module always acts as a resource server in an OAuth2 context, the actual resources being served from an underlying system proxied by this apache module. Therefore the module supports token validation via an endpoint. So far, so good, but:
Managed to get to the old repo by following your tweet: https://twitter.com/hanszandbelt/status/421275024931028992 and then wasn't sure about adopting this because it felt unmaintained... I suddenly wonder if Twitter lets you update tweets ;-) This repo is definitely worth trying and/or contributing to.
This could be an issue with my configuration
I am attempting to configure google as the OIDC provider. Using the 1.2 release on Ubuntu 14.04.
It kind of works, but has odd behaviour:
It simply hangs at this point - on both firefox and chrome.
However, if I let it time out and then reload the /example page, it comes up OK, and I can see that the oidc cookie is set.
I tried fiddling with the redirect URL (/redirect_uri with and without trailing /) but that did not make a difference. So it appears that the oidc module processes the assertion OK from Google but gets hung up trying to redirect back to the original URL.
Here is my config
OIDCProviderIssuer accounts.google.com
OIDCProviderAuthorizationEndpoint https://accounts.google.com/o/oauth2/auth?approval_prompt=force
OIDCProviderTokenEndpoint https://accounts.google.com/o/oauth2/token
OIDCProviderTokenEndpointAuth client_secret_post
OIDCProviderUserInfoEndpoint https://www.googleapis.com/plus/v1/people/me/openIdConnect
OIDCProviderJwksUri https://www.googleapis.com/oauth2/v2/certs
OIDCClientID 431631896232-kdioacia46qnhv0uvp8rfh6es9t6rbp5.apps.googleusercontent.com
OIDCClientSecret XXXXXXXXXXXXXX
OIDCScope "openid email profile"
OIDCRedirectURI https://www.example.com:1443/example/redirect_uri
OIDCCryptoPassphrase password
<Location /example/>
AuthType openid-connect
Require valid-user
</Location>
On my system, stock rhel, the call to ap_get_remote_host in oidc_get_browser_state_hash sometimes returns a name and sometimes a number. Don't know why but I had to disable that part of the hash.
On older versions of GCC the code fails to compile with the following error:
src/metadata.c: In function 'oidc_metadata_client_get':
src/metadata.c:832:2: error: 'for' loop initial declarations are only allowed in C99 mode
src/metadata.c:832:2: note: use option -std=c99 or -std=gnu99 to compile your code
apxs:Error: Command failed with rc=65536
I added this manually to the generated Makefile as a workaround, but this should be in the CFLAGS by default.
in apache config:
OIDCIDTokenSignedResponseAlg HS512
in apache error logs:
oidc_set_url_slot_type: configuration value 'HS512' could not be parsed as a URL (no scheme set)!
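HS512 is a JWS algorithm name rather than a URL, which is what the log line says. For the local-validation request earlier on this page and for anyone pinning the ID token algorithm, the Python below is an added example, not module code, of validating a compact JWS (RFC 7515) with a symmetric key supplied as an 'oct' JWK (RFC 7518 section 6.4): the algorithm is fixed by the verifier's configuration, the token header merely has to agree, and only then are the signature and the iss/aud/exp claims checked. The key, issuer, client id and claims are constructed; sign_jws stands in for the OP.

```python
import base64
import hashlib
import hmac
import json
import time

_HMAC_ALGS = {"HS256": hashlib.sha256, "HS384": hashlib.sha384, "HS512": hashlib.sha512}


def b64url_encode(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


# Constructed symmetric keys in JWK form; 64 bytes, the HS512 output size.
SAMPLE_JWK = {"kty": "oct", "kid": "example-1", "k": b64url_encode(b"0123456789abcdef" * 4)}
WRONG_JWK = {"kty": "oct", "kid": "example-1", "k": b64url_encode(b"x" * 64)}


def sign_jws(claims, jwk, alg="HS512"):
    """Produce a compact JWS; stands in for the OP / token issuer."""
    header = {"alg": alg, "typ": "JWT", "kid": jwk["kid"]}
    enc = lambda obj: b64url_encode(json.dumps(obj, separators=(",", ":")).encode())
    signing_input = enc(header) + "." + enc(claims)
    sig = hmac.new(b64url_decode(jwk["k"]), signing_input.encode(), _HMAC_ALGS[alg]).digest()
    return signing_input + "." + b64url_encode(sig)


class InvalidToken(Exception):
    pass


def verify_jws(token, jwk, expected_alg, issuer, audience, now=None):
    """Local validation: pinned algorithm, signature, then iss/aud/exp."""
    parts = token.split(".")
    if len(parts) != 3:
        raise InvalidToken("not a compact JWS")
    h_b64, p_b64, s_b64 = parts
    header = json.loads(b64url_decode(h_b64))
    # The verifier decides the algorithm; the header only has to agree. This
    # rejects alg=none and RS256->HS256 key-confusion substitutions alike.
    if expected_alg not in _HMAC_ALGS or header.get("alg") != expected_alg:
        raise InvalidToken(f"alg {header.get('alg')!r} is not the configured {expected_alg}")
    if jwk.get("kty") != "oct":
        raise InvalidToken("HS* algorithms need a symmetric (oct) JWK")
    if header.get("kid") not in (None, jwk.get("kid")):
        raise InvalidToken("kid does not match the configured key")
    expected = hmac.new(b64url_decode(jwk["k"]), f"{h_b64}.{p_b64}".encode(),
                        _HMAC_ALGS[expected_alg]).digest()
    if not hmac.compare_digest(expected, b64url_decode(s_b64)):
        raise InvalidToken("signature mismatch")
    claims = json.loads(b64url_decode(p_b64))
    now = time.time() if now is None else now
    if claims.get("iss") != issuer:
        raise InvalidToken("unexpected issuer")
    aud = claims.get("aud")
    if audience not in (aud if isinstance(aud, list) else [aud]):
        raise InvalidToken("token not meant for this client")
    if not isinstance(claims.get("exp"), (int, float)) or claims["exp"] <= now:
        raise InvalidToken("expired or missing exp")
    return claims


def is_rejected(token, jwk=SAMPLE_JWK, alg="HS512", issuer="https://op.example",
                audience="client-1", now=1700000100):
    """Convenience check used in the usage: True if verify_jws refuses."""
    try:
        verify_jws(token, jwk, alg, issuer, audience, now=now)
    except InvalidToken:
        return True
    return False


if __name__ == "__main__":
    claims = {"iss": "https://op.example", "aud": "client-1", "sub": "alice",
              "iat": 1700000000, "exp": 1700003600}
    token = sign_jws(claims, SAMPLE_JWK)
    print(verify_jws(token, SAMPLE_JWK, "HS512", "https://op.example", "client-1", now=1700000100))
    print("HS256-signed token accepted under HS512 pin:", not is_rejected(sign_jws(claims, SAMPLE_JWK, "HS256")))
```

Asymmetric algorithms (RS256 against the OP's JWKS, the PingFederate and Azure AD case mentioned above) need a signature library, but the shape is identical: pin the algorithm in configuration, select the key by kid from the published set, verify, then check the claims. Never let the token's own header choose between HMAC and RSA, since with an RSA public key as the HMAC secret that is a well-known forgery.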
Greetings!
Thanks for your work on this project. At my company, we have successfully integrated and deployed this module in front of a number of our services, including MediaWiki, Graphite, etc.
I am currently running into an issue with Cacti integration. Whenever I hit the callback URL from our openidc provider immediately following a sign-in, I get an Apache 500 page. On any subsequent request to a different Cacti URL ('/' for example), the authentication works as expected.
For the error case, the Apache error logs show the following messages:
[Mon Sep 15 21:16:35.077896 2014] [auth_openidc:error] [pid 20421] [client 111.111.111.111:52153] oidc_restore_proto_state: no "mod_auth_openidc_state" state cookie found, referer: https://[our_auth_host]/users/sign_in
[Mon Sep 15 21:16:35.077919 2014] [auth_openidc:error] [pid 20421] [client 111.111.111.111:52153] oidc_unsolicited_proto_state: could not parse JWT from state: invalid unsolicited response, referer: https://[our_auth_host]/users/sign_in
[Mon Sep 15 21:16:35.077924 2014] [auth_openidc:error] [pid 20421] [client 111.111.111.111:52153] oidc_authorization_response_match_state: unable to restore state, referer: https://[our_auth_host]/users/sign_in
From these log messages, it would appear that the mod_auth_openidc_state cookie value is NULL. However, the request to our callback URL DOES contain that cookie:
GET https://[our_cacti_host]/auth/callback?code=7f5acd7beff06412d4fed708fcff8881660924fab2118944e805089bdc0a82ed&state=8cQqWbYv8cl7YpoJInm2Uyj13dM%3D
mod_auth_openidc_state GpH9kLcPz2LDwPAk4vgQkNgfDR16yM28RkGCc7y7jGzfN546QJsLcFxo-5bZOcRFDUhc1O9TjaXpyPfHCbdCLqxVmt6LIPuKnLdXfwv9fSsIFkq0DP4j8uQ1dcySAgtTo9NhnlmAAZKuOmnQGTuoxB-Tjh4YZFNFVlUkQUYcMiaTsyl6GVvSjzGVwZcszH7qNa5Us4Ovg58nt_lJZXIJ0nRj44ekbzqbngfhSHWLS1Z3M6XTwBRFq8vpQOzURl5gPe1mVnth_Ts3lNiyoJaZe2prgdJj0IP_MqAcAw8AucY47rVXj0y2fYwKeKPOmh--5Y1-RO6gSnwpAoNyaGF6pg
Versions:
Apache Version: Apache/2.4.7 (Ubuntu)
Cacti Version: 0.8.8b
Resolution:
After we receive this error, we can hit any other page on our Cacti server, for example:
GET https://[our_cacti_host]/
.. and we get authenticated correctly (the correct REMOTE_USER environment variable gets passed to Cacti, etc). The 'mod_auth_openidc_state' cookie metadata for the success case is identical to the 'mod_auth_openidc_state' cookie metadata for the failure case (domain, path, expires all show up as 'N/A' in chrome).
Does this issue sound like a misconfiguration problem? Is this something that you've experienced before? Any help would be appreciated. Thanks!
Similarly to a few other posts, I can't seem to get Google working as an OpenID Connect Provider. I'm not sure what the problem is, but what I've noticed so far is that the log in screen appears when I access a URL that matches the LocationMatch value. I'm able to sign in, and delegate access, at which point, not much else happens, I'm not redirected to the original URL.
I've pasted the relevant config portion:
OIDCProviderIssuer accounts.google.com
OIDCProviderAuthorizationEndpoint https://accounts.google.com/o/oauth2/auth?approval_prompt=force
OIDCProviderTokenEndpoint https://accounts.google.com/o/oauth2/token
OIDCProviderTokenEndpointAuth client_secret_post
OIDCProviderUserInfoEndpoint https://www.googleapis.com/plus/v1/people/me/openIdConnect
OIDCProviderJwksUri https://www.googleapis.com/oauth2/v2/certs
OIDCClientID 258901391964-urldbcgasrlmtdm03dnk59c9i9etgai0.apps.googleusercontent.com
OIDCClientSecret mysecret
OIDCScope "openid email profile"
OIDCRedirectURI http://localhost:5000/v3/OS-FEDERATION/redirect
OIDCCryptoPassphrase password
<LocationMatch /v3/OS-FEDERATION/identity_providers/.?/protocols/.?/auth>
AuthType openid-connect
Require valid-user
LogLevel debug
OIDCCookie oidcstate
OIDCCookiePath /v3/
</LocationMatch>
And have also included the relevant logs here, with debug enabled:
[Tue Jun 10 02:09:10.312067 2014] [:debug] [pid 10714:tid 140183553177344] src/mod_auth_openidc.c(1423): [client 127.0.0.1:48926] oidc_check_user_id: incoming request: "/v3/OS-FEDERATION/identity_providers/BP/protocols/oidc/auth/?(null)", ap_is_initial_req(r)=1
[Tue Jun 10 02:09:10.312176 2014] [:debug] [pid 10714:tid 140183553177344] src/util.c(693): [client 127.0.0.1:48926] oidc_get_cookie: returning (null)
[Tue Jun 10 02:09:10.312203 2014] [:debug] [pid 10714:tid 140183553177344] src/util.c(735): [client 127.0.0.1:48926] oidc_request_matches_url: comparing "/v3/OS-FEDERATION/identity_providers/BP/protocols/oidc/auth/"=="/v3/OS-FEDERATION/redirect" (0)
[Tue Jun 10 02:09:10.312224 2014] [:debug] [pid 10714:tid 140183553177344] src/util.c(335): [client 127.0.0.1:48926] oidc_get_current_url: current URL 'http://localhost:5000/v3/OS-FEDERATION/identity_providers/BP/protocols/oidc/auth/'
[Tue Jun 10 02:09:10.312236 2014] [:debug] [pid 10714:tid 140183553177344] src/mod_auth_openidc.c(1088): [client 127.0.0.1:48926] oidc_authenticate_user: entering
[Tue Jun 10 02:09:10.312357 2014] [:debug] [pid 10714:tid 140183553177344] src/util.c(652): [client 127.0.0.1:48926] oidc_util_set_cookie: adding outgoing header: Set-Cookie: mod_auth_openidc_state=4K-HtaMZghN62RxatGlXahl6NV7qwuyh7ndShJbL2_xgltw6oEXftsw6WW7DN3vbkm7jJe6Rl4V7tP4kgbuKRAv4RCsaLH2YIbKI5KLfMoOHdmGaVR5UtZCg8OSmj7Ge49uaZaBa0TYeDvIbOnT2nDIbK9yHkxKqEB1xrqDZGn2rH4wxuBhW3PHQ0UmzX_SVwGJM9USdsInlN8BFr3zcCm9jYmMKbJ0R3yIeS6wFeAzFYZbrHZf1LUR-WzQ2JOB3q2bH4clm51k76d4YKwXsLYPziKqcXBu0QqiWMTQHOpePUdlWTnacFsZgkdAB-EnoydgjRG1N7h6DexBy_HR-zyNkqcT9r5jKRVqiNBGnXnnvO68xV_jNGzqO6lQQlGF9yCsOOQzjXYUk3I5NZQqcgA,,;;Path=/v3/
[Tue Jun 10 02:09:10.312379 2014] [:debug] [pid 10714:tid 140183553177344] src/mod_auth_openidc.c(158): [client 127.0.0.1:48926] oidc_get_browser_state_hash: entering
[Tue Jun 10 02:09:10.312421 2014] [:debug] [pid 10714:tid 140183553177344] src/proto.c(120): [client 127.0.0.1:48926] oidc_proto_authorization_request: entering (issuer=accounts.google.com, redirect_uri=http://localhost:5000/v3/OS-FEDERATION/redirect, original_url=http://localhost:5000/v3/OS-FEDERATION/identity_providers/BP/protocols/oidc/auth/, state=/WB0OzAySIDTukhvi5pxTM67R6Y=, nonce=(null))
[Tue Jun 10 02:09:10.312508 2014] [:debug] [pid 10714:tid 140183553177344] src/proto.c(170): [client 127.0.0.1:48926] oidc_proto_authorization_request: adding outgoing header: Location: https://accounts.google.com/o/oauth2/auth?approval_prompt=force&response_type=code&scope=openid%20email%20profile&client_id=258901391964-urldbcgasrlmtdm03dnk59c9i9etgai0.apps.googleusercontent.com&state=%2FWB0OzAySIDTukhvi5pxTM67R6Y%3D&redirect_uri=http%3A%2F%2Flocalhost%3A5000%2Fv3%2FOS-FEDERATION%2Fredirect
[Tue Jun 10 02:09:21.159834 2014] [authz_core:debug] [pid 10714:tid 140183544784640] mod_authz_core.c(802): [client 127.0.0.1:48933] AH01626: authorization result of Require all granted: granted
[Tue Jun 10 02:09:21.159932 2014] [authz_core:debug] [pid 10714:tid 140183544784640] mod_authz_core.c(802): [client 127.0.0.1:48933] AH01626: authorization result of : granted
[Tue Jun 10 02:09:21.160023 2014] [authz_core:debug] [pid 10714:tid 140183544784640] mod_authz_core.c(802): [client 127.0.0.1:48933] AH01626: authorization result of Require all granted: granted
[Tue Jun 10 02:09:21.160057 2014] [authz_core:debug] [pid 10714:tid 140183544784640] mod_authz_core.c(802): [client 127.0.0.1:48933] AH01626: authorization result of : granted
REMOTE_USER gets set to the sub claim, according to spec. Falls through to other values (unique_name, then email) if sub is not available.
Add a configuration option that allows REMOTE_USER to be set to any claim that is expected to be unique (with documented warnings).
I install openidc on apache2.4 and see this error:
Syntax error on line 1 of /etc/apache2/mods-enabled/auth_openidc.load: Cannot load /usr/lib/apache2/modules/mod_auth_openidc.so into server: /usr/lib/apache2/modules/mod_auth_openidc.so: undefined symbol: ap_requires
Action 'configtest' failed.
As noted at http://httpd.apache.org/docs/current/developer/new_api_2_4.html, ap_requires was removed in apache2.4.
Can you add support for apache2.4?
Thanks.
Hi,
I have some problems using your Apache module with the Google provider.
I am using Ubuntu 14.04 and libapache2-mod-auth-openidc_1.4_amd64.deb
I enabled auth_openidc.load and auth_openidc.conf (without modification).
I added the following lines to my Apache conf:
OIDCProviderIssuer accounts.google.com
OIDCProviderAuthorizationEndpoint https://accounts.google.com/o/oauth2/auth
OIDCProviderTokenEndpoint https://accounts.google.com/o/oauth2/token
OIDCProviderTokenEndpointAuth client_secret_post
OIDCProviderUserInfoEndpoint https://www.googleapis.com/plus/v1/people/me/openIdConnect
OIDCProviderJwksUri https://www.googleapis.com/oauth2/v2/certs
OIDCClientID 964313367974-j3d4b43j1vjuoa01dv06bt9nrpl5g7ek.apps.googleusercontent.com
OIDCClientSecret XXXXXXXXXXXX
OIDCScope "openid email profile"
OIDCRedirectURI http://exemple.com/exemple/callback/
OIDCCryptoPassphrase blabla
OIDCCookiePath /
<Location /exemple/>
AuthType openid-connect
Require valid-user
</Location>
</VirtualHost>
I get an error 500 and these lines in my error log:
oidc_restore_proto_state: no "mod_auth_openidc_state" state cookie found
oidc_unsolicited_proto_state: could not parse JWT from state: invalid unsolicited response
oidc_authorization_response_match_state: unable to restore state
Can you see what happened?
Thanks,
Fred
Produce x86_64 packages for the most popular Ubuntu LTS releases. It's totally unreasonable only to support bleeding-edge distributions.
Hi,
Is it possible to add an option in order to set the HttpOnly flag to true?
https://www.owasp.org/index.php/HttpOnly
Thanks,
Regards,
Frédéric
The examples given in the documentation for using Google Apps domain accounts are incorrect, which took me quite a bit of googling/searching to correct. The example states the following is required:
OIDCScope "openid profile"
Require claim hd:<your-domain>
However, the hd claim is only returned if you ask for email, according to Google's documentation: https://developers.google.com/+/api/openidconnect/getOpenIdConnect. Hence, the correct example would be:
OIDCScope "openid email"
Require claim hd:<your-domain>
Note: I don't think profile is required for Google - or adds any value.
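The property a practitioner wants from such a rule is that it fails closed when the claim is absent, which is exactly the situation when the email scope is not requested: the user is authenticated, but hd is missing and the Require must deny rather than be skipped. The Python below is an added example, not mod_auth_openidc's authorization code; it evaluates 'name:value' rules of the kind used in the Require claim lines on this page against constructed claim sets (the sub value, name and domain are made up), including list-valued claims and JSON booleans written as true/false in the rule.

```python
# Constructed claim sets modelling the two scope choices in the report above:
# no hd without the email scope, hd present with it.
WITHOUT_EMAIL_SCOPE = {"sub": "112233445566778899", "name": "Jane Doe"}
WITH_EMAIL_SCOPE = {"sub": "112233445566778899", "email": "jane@example.com",
                    "email_verified": True, "hd": "example.com"}


def _as_text(value):
    # JSON booleans compare as the lowercase text used in config (staff_flag:true).
    if isinstance(value, bool):
        return "true" if value else "false"
    return str(value)


def claim_rule_satisfied(claims, rule):
    """Evaluate one 'Require claim name:value' style rule.
    An absent claim fails the rule; it is never treated as 'not applicable'."""
    name, sep, wanted = rule.partition(":")
    if not sep or not name:
        raise ValueError(f"rule must look like name:value, got {rule!r}")
    if name not in claims:
        return False
    actual = claims[name]
    candidates = actual if isinstance(actual, list) else [actual]
    return any(_as_text(v) == wanted for v in candidates)


def authorize(claims, rules):
    """All rules must hold; any missing or mismatching claim denies."""
    return all(claim_rule_satisfied(claims, rule) for rule in rules)


if __name__ == "__main__":
    print("openid email   ->", authorize(WITH_EMAIL_SCOPE, ["hd:example.com"]))
    print("openid profile ->", authorize(WITHOUT_EMAIL_SCOPE, ["hd:example.com"]))
```

If a rule keeps denying users who should pass, the first thing to dump is the claim set actually delivered for the requested scopes; an absent claim and a wrong value look the same from the browser's side.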
I wrote a small Chef recipe to switch our internal services from OpenID 2.0 to OpenID Connect. I left the configuration in a separate conf.d/mod_auth_openidc.conf file and just added the following lines to enable authentication where I need it:
OIDCRedirectURI https://subdomain.mydomain.com/
OIDCCookieDomain subdomain.mydomain.com
<Location "/">
Satisfy all
AuthType openid-connect
Require claim hd:mydomain.com
</Location>
However, when I used it with a VirtualHost that had SSLProxyEngine On I noticed an infinite redirect loop that leads to 7-15 session cookies and results in Bad Request. Actually it was not a big problem for me, I found that we don't need SSLProxyEngine here; however I think it can be helpful info to improve your great module.
Thank you for maintaining it, it saved me a lot of time.
I get this error message from "systemctl status httpd.service"
httpd: Syntax error on line 123 of /etc/httpd/conf/httpd.conf: Syntax error on line 55 of /etc/httpd/mods-enabled/mod_auth_openidc.conf: </IfModule> without matching <IfModule> section
What do I need to do differently with the .conf file so it is read properly by Apache?
Thanks for this great mod.
I am encountering a problem with the session management, mod version 1.7.2/1.7.3.
From the wiki:
If the OP supports session management, it will automatically be used by mod_auth_openidc.
I use mod_auth_openidc to protect Zabbix, so there are no OP/RP hidden iframes. mod_auth_openidc generates a new mod_auth_openidc_state_ cookie every time the page refreshes; the cookie size gets larger and larger quickly and finally causes a 'bad request' error.
So, is there some config option to disable the session management?
I have my OIDCRedirectURI set to https://localhost/ct/redirect.
Prior to being authenticated, if I attempt to access anything within ct/some-resource I am brought through the authentication process, which resolves successfully.
However, if I attempt to access anything within a sub-directory ct/some-sub/some-resource I am brought through the authentication process, which resolves to Apache serving an Internal Server Error. It should be noted that after this point I am successfully authenticated, and if I try to access the resource again it loads fine. It is only on the initial authentication that I get the error.
I am using the release 1.5_amd64
Configuration file:
OIDCRedirectURI https://localhost/ct/redirect
OIDCCryptoPassphrase aBetterPassword
OIDCScope "email"
OIDCProviderIssuer accounts.google.com
OIDCProviderAuthorizationEndpoint https://accounts.google.com/o/oauth2/auth
OIDCProviderJwksUri https://www.googleapis.com/oauth2/v2/certs
OIDCProviderTokenEndpoint https://accounts.google.com/o/oauth2/token
OIDCProviderTokenEndpointAuth client_secret_post
OIDCProviderUserInfoEndpoint https://www.googleapis.com/plus/v1/people/me/openIdConnect
OIDCSessionInactivityTimeout 3600
<Location /ct/ >
AuthType openid-connect
Require valid-user
</Location>
# The default setting is to run captain-teach on port 8080
ProxyPass /ct/ http://localhost:8080/
ProxyPassReverse /ct/ http://localhost:8080/
Apache log file after attempting to access localhost/ct/review/test prior to authentication:
[Mon Jun 09 14:55:57.852746 2014] [:error] [pid 45:tid 140038161622784] [client 172.17.42.1:42470] oidc_restore_proto_state: no "mod_auth_openidc_state" state cookie found, referer: https://accounts.google.com/o/oauth2/auth?scope=email&response_type=code&redirect_uri=https://localhost/ct/redirect&state=FzeknDOmfuiLbabM5XtxXIiAIWk%3D&client_id=163831924831-73u2fn1dedoholkqp1ci2qn602fjqdlf.apps.googleusercontent.com&hl=en-US&from_login=1&as=-17c181a7bb5b43f7&authuser=0
[Mon Jun 09 14:55:57.852838 2014] [:error] [pid 45:tid 140038161622784] [client 172.17.42.1:42470] oidc_unsolicited_proto_state: could not parse JWT from state: invalid unsolicited response, referer: https://accounts.google.com/o/oauth2/auth?scope=email&response_type=code&redirect_uri=https://localhost/ct/redirect&state=FzeknDOmfuiLbabM5XtxXIiAIWk%3D&client_id=163831924831-73u2fn1dedoholkqp1ci2qn602fjqdlf.apps.googleusercontent.com&hl=en-US&from_login=1&as=-17c181a7bb5b43f7&authuser=0
[Mon Jun 09 14:55:57.852858 2014] [:error] [pid 45:tid 140038161622784] [client 172.17.42.1:42470] oidc_authorization_response_match_state: unable to restore state, referer: https://accounts.google.com/o/oauth2/auth?scope=email&response_type=code&redirect_uri=https://localhost/ct/redirect&state=FzeknDOmfuiLbabM5XtxXIiAIWk%3D&client_id=163831924831-73u2fn1dedoholkqp1ci2qn602fjqdlf.apps.googleusercontent.com&hl=en-US&from_login=1&as=-17c181a7bb5b43f7&authuser=0
This might be a dupe of #9, but I'm seeing the following error:
[log] oidc_util_http_call: setting post parameters: grant_type=authorization_code&code=RxpQiOHaZUc2qKLd5orSVJZwFl1pLH&redirect_uri=http%3A%2F%2Flocalhost%3A5000%2Fv3%2FOS-FEDERATION%2Fidentity_providers%2FBP%2Fprotocols%2Foidc%2Fauth%2Fredirect
[log] oidc_util_http_call: response=Error 401: SRVE0295E: Error reported: 401\n
[log] oidc_util_check_json_error: JSON parsing returned an error: '[' or '{' expected near 'Error'
It seems like the authorization code is returned for a token, but then the token isn't decoded: https://github.com/pingidentity/mod_auth_openidc/blob/450f2d2c5d8d118555d4688a1c9726cf132ad87c/src/proto.c#L798
I made a separate token request so I could decode it offline. The claim looks like this, and has some unicode values.
{"iss":"https://localhost:8020/oidc/v10/endpoint/OP","nonce":"m91r8M4OfmxBCOhPkd6ZpNcMQv0eCR11dx54oOzqOMk,","iat":1402500261, "groupIds":["cn\u003dw3kmXYZGroup,ou\u003dmemberlist,o\u003dexample.com", "cn\u003dABCGroup,ou\u003dmemberlist,o\u003dexample.com"], "sub":"[email protected]","exp":1402503861,"aud":"myclientId","uniqueName":"emailaddress\[email protected],c\u003dca,ou\u003dgroups,o\u003dexample.com","at_hash":"8XkyzPeBJot5XiGeIFhXig"}
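As an added example (not code from the issue or from mod_auth_openidc), the following Python shows how an RP can handle the two things seen above: a token endpoint answering with a non-JSON 401 page, and an ID token whose claims carry \u003d escapes. ISSUER and CLIENT_ID are taken from the claim set in the issue; the sample claim set and all function names are constructed here.

```python
import json

ISSUER = "https://localhost:8020/oidc/v10/endpoint/OP"   # "iss" from the issue's claim set
CLIENT_ID = "myclientId"                                 # "aud" from the issue's claim set


def parse_token_response(status, body):
    """("ok", dict) for a usable JSON token response, ("error", message) otherwise.
    A non-JSON body like the 'Error 401: SRVE0295E' page in the issue becomes a
    clean error instead of a parser exception."""
    try:
        data = json.loads(body)
    except ValueError:
        return ("error", "non-JSON body (HTTP %d): %s" % (status, body.strip()[:60]))
    if "error" in data:                 # OAuth 2.0 error response
        return ("error", "%s: %s" % (data["error"], data.get("error_description", "")))
    if status != 200 or "id_token" not in data:
        return ("error", "HTTP %d without id_token" % status)
    return ("ok", data)


def check_id_token_claims(claims, nonce, now):
    """Return the names of failing checks; an empty list means the claims pass.
    Issuer, audience, expiry and nonce are the checks every RP must do."""
    problems = []
    if claims.get("iss") != ISSUER:
        problems.append("iss")
    aud = claims.get("aud")
    if CLIENT_ID not in (aud if isinstance(aud, list) else [aud]):
        problems.append("aud")
    if not isinstance(claims.get("exp"), int) or claims["exp"] <= now:
        problems.append("exp")
    if claims.get("nonce") != nonce:
        problems.append("nonce")
    return problems


# Constructed sample mirroring the structure of the claim set in the issue; the
# OP escapes '=' in group DNs as \u003d and json.loads turns it back into '='.
SAMPLE_CLAIMS = ('{"iss":"%s","nonce":"abc123,","iat":1402500261,'
                 '"groupIds":["cn\\u003dGroupA,ou\\u003dmemberlist,o\\u003dexample.com"],'
                 '"sub":"user","exp":1402503861,"aud":"%s"}' % (ISSUER, CLIENT_ID))


def demo():
    """Decode the sample and run the checks before and at the expiry instant."""
    claims = json.loads(SAMPLE_CLAIMS)
    groups = claims["groupIds"]                  # ['cn=GroupA,ou=memberlist,o=example.com']
    fresh = check_id_token_claims(claims, "abc123,", 1402500000)
    stale = check_id_token_claims(claims, "abc123,", 1402503861)
    return groups, fresh, stale
```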
I have a page that acts as a dashboard and automatically refreshes itself every so often.
After one hour, if I have not interacted with the page, the refresh produces a 500 Internal Server Error and these messages in the Apache error log:
[Tue Apr 15 11:12:17.986216 2014] [:error] [pid 23840] [client x.x.x.x:y] oidc_check_state: no "mod_auth_openidc_state" state cookie found, referer: https://...
[Tue Apr 15 11:12:17.986295 2014] [:error] [pid 23840] [client x.x.x.x:y] oidc_authorization_response_match_state: unable to restore state, referer: https://...
If I then make the request manually it authenticates fine and continues to refresh for another hour.
What can be done to allow the refresh to work continually?
User authentication and authorization (via claims) are perfectly working. But I can see these messages in Apache error.log:
oidc_authz_get_claims_and_idtoken: could not restore id_token from request state: wrong arguments
I'm not able to track down the cause. I just can see that the id_token JSON is (null).
Do you have any ideas how to track it down or fix it?
When a claim used for authorization has an integer value, an infinite loop takes place.
Here is a fix for the infinite loop (remove the continue statements) and to handle integer values:
diff --git a/src/authz.c b/src/authz.c
index de85af9..fc71121 100644
--- a/src/authz.c
+++ b/src/authz.c
@@ -99,7 +99,14 @@ static apr_byte_t oidc_authz_match_claim(request_rec *r,
return TRUE;
}
- /* see if it is a boolean and it (case-insensitively) matches the Require'd value */
+ /* see if it is a integer and it equals the Require'd value */
+ } else if (json_is_integer(val)) {
+
+ if (json_integer_value(val) == atoi(spec_c)) {
+ return TRUE;
+ }
+
+ /* see if it is a boolean and it (case-insensitively) matches the Require'd value */
} else if (json_is_boolean(val)) {
if (apr_strnatcmp(json_is_true(val) ? "true" : "false", spec_c)
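Review bot: the new integer branch compares `json_integer_value(val) == atoi(spec_c)`, and `atoi` returns 0 for any non-numeric spec and silently wraps out-of-range input, so a claim value of 0 would satisfy `Require claim key:notanumber`, and a wide `json_int_t` is compared against a plain `int`. Parse the spec with `strtoll`, check that the end pointer consumed the whole string and that `errno` is not `ERANGE`, and treat anything else as a non-match; the two blank `+` lines in the hunk also add trailing whitespace.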
@@ -139,7 +146,7 @@ static apr_byte_t oidc_authz_match_claim(request_rec *r,
ap_log_rerror(APLOG_MARK, APLOG_WARNING, 0, r,
"oidc_authz_match_claim: unhandled in-array JSON object type [%d] for key \"%s\"",
elem->type, (const char *) key);
- continue;
}
}
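Review bot: dropping this in-array `continue` only cures the loop if the enclosing loop advances its cursor at the end of the body (for instance a `while` loop that calls the iterator's next function after this block), because `continue` jumps straight to the loop condition and skips that advance; the hunk does not show the loop header, so please confirm that is the loop form, or better move the advance into the loop header where a `continue` cannot bypass it. Since `continue` was the last statement in the branch, removing it changes nothing else.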
@@ -147,7 +154,7 @@ static apr_byte_t oidc_authz_match_claim(request_rec *r,
ap_log_rerror(APLOG_MARK, APLOG_WARNING, 0, r,
"oidc_authz_match_claim: unhandled JSON object type [%d] for key \"%s\"",
val->type, (const char *) key);
- continue;
}
}
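Review bot: same point as for the in-array hunk: removing the `continue` after the "unhandled JSON object type" warning is only a fix if it was skipping the iterator advance at the bottom of the enclosing loop, and neither the hunk nor the issue text says so. Add a sentence to the description (or the commit message) explaining why the `continue` spun forever, so that a later reader does not reinstate it as a harmless early-skip.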
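An added example, not part of the patch or of mod_auth_openidc: the same key:value claim matching in Python, with a strict integer parse in place of atoi() and a for loop that has no cursor for a continue to skip; the claim set and the function names are constructed for illustration.

```python
import json
import re


def parse_spec(spec):
    """Split 'key:value' into (key, value); the value may itself contain ':'."""
    key, sep, value = spec.partition(":")
    if not sep or not key:
        raise ValueError("spec must be key:value, got %r" % spec)
    return key, value


def as_int(text):
    """Return int(text) only when the whole string is a decimal integer, else None.
    atoi() would turn 'abc' into 0 and so match a claim whose value is 0."""
    stripped = text.strip()
    return int(stripped) if re.fullmatch(r"-?\d+", stripped) else None


def value_matches(val, wanted):
    """Compare one non-array JSON value with the textual Require'd value."""
    if isinstance(val, bool):                    # bool first: bool is an int subclass
        return wanted.lower() == ("true" if val else "false")
    if isinstance(val, int):
        want = as_int(wanted)
        return want is not None and val == want
    if isinstance(val, str):
        return val == wanted
    return False                                 # objects, null, floats: unhandled, no match


def claim_matches(claims, spec):
    """True when claim 'key' equals 'value', or is an array containing it.
    Iterating with for loops leaves no iterator cursor to skip, so an unhandled
    element type can never produce the infinite loop the patch above fixes."""
    key, wanted = parse_spec(spec)
    if key not in claims:
        return False
    val = claims[key]
    if isinstance(val, list):
        return any(value_matches(elem, wanted) for elem in val)
    return value_matches(val, wanted)


# Constructed sample claim set (not from the issue) covering each value type.
SAMPLE = json.loads('{"hd":"domain.com","level":0,"admin":true,'
                    '"groups":["dev","ops",7],"age":42,"meta":{"x":1}}')
```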
mod_rewrite doesn't seem to have access to REMOTE_USER.
I'm trying following config:
RewriteEngine on
RewriteCond %{LA-U:REMOTE_USER} ^$
RewriteRule ^/protect-but-dont-redir - [L,R=404]
and it always matches the condition (even when authenticated).
Hello,
I use mod_auth_openidc on an Apache RP to secure access to the backend web server.
I would like to make 2 verifications:
I know how to verify 1. or 2., but cannot verify 1. and 2.
Here is a part of my vhost:
<Location />
AuthType openid-connect
Require claim hd:domain.com
AuthLDAPURL "ldap://ldap.domain.com:389/ou=Users,o=domain?mail?sub?(objectClass=person)(ISstatus=Active)"
Require ldap-group cn=Group,ou=Applications,o=domain
Satisfy All
</Location>
When I set Require claim hd:domain.com there is NO LDAP request...
If I set Require valid-user instead of Require claim hd:domain.com, the LDAP verification is working.
If someone could help me with this ...
In order to migrate from Google OpenID 2.0 to Google OAuth2/OIDC, Google provides a mechanism for getting BOTH OpenID 2.0 identifier AND Google OIDC identifier for a user. The process is documented at https://developers.google.com/accounts/docs/OpenID#adjust-uri.
Basically, the initial authentication request URI can contain an additional parameter "openid.realm=https://..." This results in eventually returning a new "openid_id" field that contains the Google OpenID 2.0 identifier. By matching this against the "sub" field (the OIDC identifier), sites can migrate users from old OpenID 2.0 ids to new OIDC ids.
It would be really helpful if the configuration file could support something like "OIDCOpenIDRealm=https://...", then the code could get the openid_id and put it in the HTTP session headers.
I have the following configuration:
<VirtualHost *:80>
# ....
Redirect permanent / ${BaseUrl}
# ...
</VirtualHost>
And then I have:
OIDCRedirectURI ${BaseUrl}/${ClassName}/redirect
Essentially, I am redirecting all http traffic to https.
When a user accesses the site on http, if they are not authenticated they are first asked to authenticate. After this they are redirected to http which then is redirected to https and a 500 internal service error is generated.
If the user connects directly to https://url-to-page/ initially, the process works fine. Is it possible to configure the protocol to first apply redirects before checking for authentication?
Thanks!
I'm getting this when trying to install on Debian 7:
:~# sudo dpkg -i libapache2-mod-auth-openidc_1.5.3-1_amd64.deb
Selecting previously unselected package libapache2-mod-auth-openidc.
(Reading database ... 26986 files and directories currently installed.)
Unpacking libapache2-mod-auth-openidc (from libapache2-mod-auth-openidc_1.5.3-1_amd64.deb) ...
dpkg: warning: unable to delete old directory '/etc/apache2/conf-available': Directory not empty
dpkg: dependency problems prevent configuration of libapache2-mod-auth-openidc:
libapache2-mod-auth-openidc depends on libc6 (>= 2.14); however:
Version of libc6:amd64 on system is 2.13-38+deb7u3.
libapache2-mod-auth-openidc depends on apache2-api-20120211; however:
Package apache2-api-20120211 is not installed.
dpkg: error processing libapache2-mod-auth-openidc (--install):
dependency problems - leaving unconfigured
Errors were encountered while processing:
libapache2-mod-auth-openidc
This is a fresh Debian 7, and I can't get those deps, apache2-api-20120211 and libc6 (>= 2.14), to install.
Any hint appreciated.
Thanks,
Matias