I'm trying to use Apache with OIDC version 2.4.12.3 in a container and from there redirect to my backend, which is developed in Open Liberty. The authentication works fine and so does the redirection to the backend, but I don't see the user information either in the Apache container or in the Liberty container. These are the Apache OIDC settings I'm using:

```
OIDCRedirectURI ${OIDC_REDIRECT_URI}
OIDCCryptoPassphrase super_strong_password
OIDCProviderMetadataURL ${OIDC_METADATA_URL}
OIDCProviderTokenEndpointAuth client_secret_basic
OIDCProviderEndSessionEndpoint ${OIDC_END_SESSION_ENDPOINT}
OIDCScope "openid"
OIDCSSLValidateServer Off
OIDCResponseType "code"
OIDCClientID ${OIDC_CLIENT_ID}
OIDCClientSecret ${OIDC_CLIENT_SECRET}
OIDCCookiePath ${OIDC_PROTECTED_PATH}
OIDCCookieSameSite On
OIDCClaimPrefix "OIDC-"
OIDCPassIDTokenAs claims
OIDCPassUserInfoAs claims
OIDCPassClaimsAs both
OIDCPreservePost On
OIDCInfoHook id_token access_token iat access_token_expires userinfo refresh_token session
OIDCWhiteListedClaims "access_token access_token_expires"
OIDCStateInputHeaders none
OIDCXForwardedHeaders X-Forwarded-Host X-Forwarded-Port X-Forwarded-Proto Forwarded
```

I expect to see these claims / user-info environment variables set somewhere, but they don't seem to exist. I activated the debug logs to see if these values are set at least in the Apache container, but the logs do not show that these variables are set.

The Apache container is running Red Hat 9. When I started my tests I was using a CentOS container, but the version of OIDC that comes with it is not up to date. Many times it would give me a 500 error with this error message:

```
[auth_openidc:error] [pid 10:tid 140290182399744] [client 172.24.2.10:48802] oidc_restore_proto_state: calculated state from cookie does not match state parameter passed back in URL: "txafSf*******" != "lWAOs*******", referer: https://login.external.com/
[auth_openidc:error] [pid 10:tid 140290182399744] [client 172.24.2.10:48802] oidc_authorization_response_match_state: unable to restore state, referer: https://login.external.com/
[auth_openidc:error] [pid 10:tid 140290182399744] [client 172.24.2.10:48802] oidc_handle_authorization_response: invalid authorization response state and no default SSO URL is set, sending an error..., referer: https://login.external.com/
```

That's why I switched to Red Hat, to use a more up-to-date OIDC version, and that corrected the 500 error. However, in the CentOS version I could sometimes log in, and in the logs I saw that the variables were set and I could show the content of those variables in my application.

I don't know if this is something normal for this version of OIDC, or if it's a conflict between OIDC and Red Hat, or if maybe I'm missing something else to be able to access those variables. Any advice is welcome.
Replies: 2 comments
zandbelt:

you may want to read about `OIDCWhiteListedClaims` here: https://github.com/zmartzone/mod_auth_openidc/blob/v2.4.12.3/auth_openidc.conf#L960-L963 since now you're only whitelisting, storing and passing a single claim named `access_token access_token_expires` that does not even exist

Reply:

You are right @zandbelt, in some of my many tests I must have changed that setting and completely missed it. It works now, thanks!
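As an added example, not taken from the thread or from the mod_auth_openidc project's own files: the directive exactly as posted, beside two corrected forms, showing why the quoted form whitelists one non-existent claim. The claim names used (sub, email, preferred_username) are assumptions; use whatever your provider actually puts in the id_token and userinfo response.

```apache
# Added example, not from the original post or the project's configuration.
# Claim names below (sub, email, preferred_username) are assumed.

# As posted. Apache treats a quoted string as ONE argument, so this
# whitelist contains a single claim literally named
#   "access_token access_token_expires"
# No id_token or userinfo claim has that name, so nothing is stored in the
# session and nothing reaches the backend. The access token itself is not
# a claim and is not what this directive filters.
#OIDCWhiteListedClaims "access_token access_token_expires"

# Correction 1: leave the directive out entirely. When it is not set, all
# claims from the id_token and userinfo are stored and passed on.

# Correction 2: keep a whitelist, but of real claim names, unquoted and
# space-separated so that each name is its own argument.
OIDCWhiteListedClaims sub email preferred_username

# Unchanged from the post; these decide how the claims reach the backend:
# request headers named OIDC-sub, OIDC-email, ... plus matching
# environment variables.
OIDCClaimPrefix "OIDC-"
OIDCPassIDTokenAs claims
OIDCPassUserInfoAs claims
OIDCPassClaimsAs both

# Unrelated to the missing claims, but worth fixing before this leaves the
# lab: Off disables TLS certificate validation of the provider, so anyone
# on the network path can impersonate it and hand out their own tokens.
OIDCSSLValidateServer On
```

Two checks after changing this: with debug logging on, the module logs the claims it stores in the session at login, so an empty set there still points at the whitelist; and because the claims travel to Liberty as plain `OIDC-*` request headers, keep `OIDCScrubRequestHeaders` at its default of On so a caller cannot supply those headers themselves.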