Trying to implement multiple providers with OIDCDiscoverURL and LocationMatch

[GustavR]

I am trying to make multiple providers work as described here: https://github.com/zmartzone/mod_auth_openidc/wiki/Authorization#3-access-to-different-url-paths-on-a-per-provider-basis

But I am failing because the OIDCDiscoverURL does not seem to support match from LocationMatch

The example is my starting point (copied exactly as is from above url):

OIDCRedirectURI https://www.example.com/example/redirect_uri

<Location /example/p1>
  AuthType openid-connect
  OIDCDiscoverURL https://www.example.com/example/redirect_uri?iss=https%3A%2F%2Fp1.example.com
  Require claim iss:https://p1.example.com
</Location>

<Location /example/p2>
  AuthType openid-connect
  OIDCDiscoverURL https://www.example.com/example/redirect_uri?iss=https%3A%2F%2Fp2.example.com
  Require claim iss:https://p2.example.com
</Location>

It works as written there, but when I combine it with the example using expressions: https://github.com/zmartzone/mod_auth_openidc/wiki/Authorization#expressions-in-require-statements

ProxyPassMatch "^/(.*)-backend/(.*)$" "https://$1/$2"
<LocationMatch "^/(?<backend>.*)-backend/">
  Require claim "roles:%{env:MATCH_BACKEND}"
  AuthType openid-connect
</LocationMatch>

it will not work. The match is just passed to the OIDCDiscoverURL as is.
This is what I am trying:

<LocationMatch /example/(?<DOMAIN>[^/]+)>
  AuthType openid-connect
  OIDCDiscoverURL https://www.example.com/example/redirect_uri?iss=https%3A%2F%2F%{env:MATCH_DOMAIN}.example.com
  Require claim iss:https://%{env:MATCH_DOMAIN}.example.com
</LocationMatch>

But this leads just to it redirecting to https://www.example.com/example/redirect_uri?iss=https%3A%2F%2F%{env:MATCH_DOMAIN}.example.com without replacing the variable / the match.
Which then leads to the following error (of course):
oidc_util_http_call: curl_easy_perform() failed on: https://{env:MATCH_DOMAIN}.example.com/.well-known/openid-configuration ()

I tried many different approaches, one of them using RewriteEngine, which nearly worked, but this will not start the Discovery which is also something I need:

<LocationMatch /example/(?<DOMAIN>[^/]+)>
  AuthType openid-connect
  # we check the claim only if we have a session, if not we redirect to the oidc login endpoint
  <If "%{HTTP_COOKIE} =~ /mod_auth_openidc_session/">
    Require claim iss:https://%{env:MATCH_DOMAIN}.example.com
  </If>
  <Else>
    RewriteEngine On
    RewriteRule ^(.*)$ "/example/redirect_uri?iss=https://%{env:MATCH_DOMAIN}.example.com&target_link_uri=%{REQUEST_SCHEME}://%{HTTP_HOST}%{REQUEST_URI}" [QSA,L,R]
  </Else>
</LocationMatch>

This is actually almost there, but I want auto discovery, because there are lots and lots of such subdomains. The auto discovery works when I use a fixed OIDCDiscoverURL (without broken %{env:MATCH_DOMAIN}), but not when I use the Rewrite.
Then i get the following error:
oidc_metadata_provider_get: no metadata found for the requested issuer (https://p1.example.com), and Discovery is not allowed

How do I allow Discovery here? Then I would be at my goal.
Or how do I enable variables/matches in the OIDCDiscoverURL?

Thank you for your help!

[zandbelt]

using an expression in OIDCDiscoverURL is not possible; when you say "auto discovery" do you mean dynamic client registration?

[GustavR]

What I mean is the error I get, when I use the RewriteRule (that I don't get when I use the OIDCDiscoverURL):
oidc_metadata_provider_get: no metadata found for the requested issuer (https://p1.example.com), and Discovery is not allowed

The discovery that takes place when the redirect is done internally via OIDCDiscoverURL. Where a request is done to .well-known/openid-configuration and the client is discovered/registered automatically.

[GustavR]

After some thorough digging through the code I reverse engineered a solution.
The discovery is only allowed when the csrf cookie and query parameter are set, so I set them manually when using RewriteRule (instead of desired OIDCDiscoverURL, which does that internally/automatically).

LoadModule unique_id_module modules/mod_unique_id.so

<LocationMatch /example/(?<DOMAIN>[^/]+)>
  Define ISS https://%{env:MATCH_SUB}.example.com
  AuthType openid-connect
  # we check the claim only if we have a session, if not we redirect to the oidc login endpoint
  <If "%{HTTP_COOKIE} =~ /mod_auth_openidc_session/">
    Require claim iss:${ISS}
  </If>
  <Else>
    Header always add Set-Cookie "x_csrf=%{UNIQUE_ID}e; Path=/; Secure; HttpOnly; SameSite=None"
    RewriteEngine On
    RewriteRule ^(.*)$ "/example/redirect_uri?iss=${ISS}&target_link_uri=%{REQUEST_SCHEME}://%{HTTP_HOST}%{REQUEST_URI}&x_csrf=%{env:UNIQUE_ID}" [QSA,L,R]
  </Else>
</LocationMatch>

The only caveat is that an expired browser session also ends up in the IF and then the process stops there. The user sees a 401 error and nothing else happens. So I reload in that case and return a 403 if the auth was succesfull but the iss claim was not.

So the complete solution is as follows:

LoadModule unique_id_module modules/mod_unique_id.so

OIDCMetadataDir /usr/local/apache2/openidc
OIDCCryptoPassphrase somePassphrase

# point to an oppenid connect restricted location (see directly below)
OIDCRedirectURI https://myhost.com/redirect

# needed for the OIDCRedirectURI to work
<Location /redirect>
    AuthType openid-connect
    Require valid-user
</Location>

# match from path to subdomain
<LocationMatch "^/oidc/(?<SUB>[^/]+)">
    Define ISS https://%{env:MATCH_SUB}.example.com
    AuthType openid-connect
    # when we have a authentication but no authorization (wrong claim below) send 403 instead of 401 to prevent loop (from meta refresh)
    AuthzSendForbiddenOnFailure On
    # we check the claim only if we have an openidc session, if not we redirect to the oidc redirect endpoint
    <If "%{HTTP_COOKIE} =~ /mod_auth_openidc_session/">
        Require claim iss:${ISS}
        # when we have a session but no user for this session simply reload
        # expired sessions are cleared automatically from mod_auth_openidc (so no loop will occur)
        ErrorDocument 401 '<meta http-equiv="refresh" content="0">'
    </If>
    <Else>
        # ideally we would like to use the following, but variables/envs are not replaced :(
        # see https://github.com/zmartzone/mod_auth_openidc/discussions/745
        #OIDCDiscoverURL https://myhost.com/redirect?iss=${ISS}
        #Require valid-user

        # so we have to do the redirect to the OIDCDiscoverURL manually
        # set a CSRF cookie or else the issuer would not be automatically discovered
        Header always add Set-Cookie "x_csrf=%{UNIQUE_ID}e; Path=/; Secure; HttpOnly; SameSite=None"
        RewriteEngine On
        RewriteRule ^(.*)$ "/p/redirect?iss=${ISS}&target_link_uri=%{REQUEST_SCHEME}://%{HTTP_HOST}%{REQUEST_URI}&x_csrf=%{env:UNIQUE_ID}" [QSA,L,R]
    </Else>
</LocationMatch>