Correct way to pass headers to a Flask/WSGI app?

[chrisinmtown]

Please tell me, what configuration is recommended to pass headers set by mod-auth-openidc to a proxied Flask/WSGI application?

I'm using docker image httpd:2.4-buster, installed libapache2-mod-auth-openidc at version 2.3.10 from the Debian package repo. I have SSL turned on and am using a valid (not self-signed) server cert, if that matters. I set my httpd-ssl.conf for proxying requests for a sub-location (not /), a REST API app built on Flask/WSGI; that's where I need the user name. I turned on debug by adding LogLevel auth_openidc:debug to httpd.conf and then I saw traces of the set-header and set-env calls for claims, for example:

httpd_1       | [Mon Oct 11 16:32:14.222022 2021] [auth_openidc:debug] [pid 94:tid 140464942470912] src/util.c(1706): [client 192.168.99.1:59500] oidc_util_set_app_info: setting environment variable "OIDC_CLAIM_sub: mylogin"

But I could not observe any OIDC-set headers arriving at the proxied python app. Much searching lead me to the following workaround, which accesses environment variable REMOTE_USER via Apache expression %{}s and sets it as a new header with a different name. I can only access OIDC_CLAIM_sub environment variable by Apache expression %{}e and after exposing that environment variable. With this in place, the two headers X-Forwarded-User and -Email arrive at the python app. These config lines are within <VirtualHost> and in there, within <Location>:

    RequestHeader set X-Forwarded-User-Email %{REMOTE_USER}s
    PassEnv OIDC_CLAIM_sub
    RequestHeader set X-Forwarded-User %{OIDC_CLAIM_sub}e

Is there a smarter way to configure apache and the openidc module?

I guess what I'm really asking, if I'm not missing something really obvious, why different treatment? I.e., why is the environment variable REMOTE_USER accessible via %{}s syntax, but for all the OIDC_CLAIM_* variables, a PassEnv directive and syntax %{}e is required?

Thanks in advance

[zandbelt]

setting the headers in proxied requests is the default behaviour, there should be no need to configure something for that; perhaps you've turned it off somehow? (e.g. using OIDCPassClaimsAs)

[chrisinmtown]

Thank you so much for answering so soon! I did not set config option OIDCPassClaimsAs. To debug, I added an endpoint at my Flask app to dump out all request headers. That endpoint showed headers like Accept, Cookie, X-Forwarded-For and so on; but no OIDC_* claims as headers. I am running the docker container locally, the browser locally also, so there's no network appliance/firewall in the path. I suspect I'm doing something wrong, which is why I posted, but I just don't see it yet.

Update: here's the relevant portion of my httpd-ssl.conf file. The apache server has a single-page app and proxies REST requests to the python app. User browsers send secure (https) requests; the apache httpd server sends the data/JSON requests to the back-end app insecurely (http). Maybe having two <Location> blocks is an error?

<Location "/">
    AuthType openid-connect
    Require valid-user
</Location>

<Location "/te/api/v1/">
    ProxyPreserveHost On
    ProxyPass        "http://te:5000/te/api/v1/"
    ProxyPassReverse "http://te:5000/te/api/v1/"

    PassEnv OIDC_CLAIM_sub
    RequestHeader set X-Forwarded-User %{OIDC_CLAIM_sub}e

    RequestHeader set X-Remote-User %{REMOTE_USER}s
</Location>

With this configuration in place, the Flask app receives the headers X-Forwarded-User and X-Remote-User as expected.

[chrisinmtown]

FWIW, I noticed I could not set a header that contains underscore. Those headers simply don't arrive at the Flask app. I also noticed that every OIDC* header has an underscore. If Apache internally refuses to send a header with an underscore, that would explain why requests proxied to the flask app receive no OIDC headers.

I searched the intertubes and found a change in HTTPD deprecating headers with underscore happened about 2016 in version 2.4 so it's not exactly new:

https://stackoverflow.com/questions/17440564/all-caps-http-headers-with-underscores-dropped-in-apache-2-4
https://stackoverflow.com/questions/43011065/apache-convert-underscores-to-dashes-in-headers
http://httpd.apache.org/docs/trunk/new_features_2_4.html

Is there a way to rename the OIDC headers to use hyphens instead of underscores?

Please reply, if you agree this is a problem I'll be glad to create an issue, thanks in advance.

[zandbelt]

you can use OIDCClaimPrefix to get around this issue

[chrisinmtown]

Here's a posting written so I can accept it as the answer.

A flask/WSGI app (proxied or hosted) by Apache HTTPD version 2.4 receives no OIDC request headers because they contain underscore. To receive headers set by mod-auth-openidc, I changed the default OIDC header prefix to have no underscores via the following configuration line in a httpd.conf (or httpd-ssl.conf, etc.):

OIDCClaimPrefix Oidc-Claim-

With this in place, the headers set by mod-auth-openidc arrive at my python/flask/wsgi app.

[zandbelt]

that's correct: the dropping is actually done by the target environment and you can tweak mod_auth_openid to get around this; also be aware that some claim names my contain underscores and they will be dropped as well, no way around that unless - when you know the conflicting claim names - you do some advanced things with copying claims into other headers/envvars

[jsferrazza]

I thought that httpd 2.4 started dropping things with underscores due to security concerns. I've had to adjust some claims that use them to use hyphens as well.

[zandbelt]

when CGI hosted on Apache (hosted but the same server or proxied) is the target environment, you will run into the same problems