Stuck with getting Auth0 integration working

[pcolmer]

I'm trying to use this in conjunction with Auth0. I've configured an application within Auth0 and I've configured a virtual host in Apache with what I believe is the appropriate configuration.

When I browse to the protected URL, I am redirected off to Auth0 where I enter my username and password. I'm then redirected back to "redirect_uri?code=xxxxxxx". The web page says "Submitting..." but the page keeps on re-submitting ...

Looking at the debug logs, I'm seeing this (with redactions):

[Tue Mar 08 11:33:16.556974 2022] [auth_openidc:debug] [pid 9671:tid 140199300376320] src/util.c(2473): oidc_util_hdr_in_get: Cookie=mod_auth_openidc_state_uOLt4C1Sa3EsfMsWv8Olav2rms0=PRX....
[Tue Mar 08 11:33:16.557177 2022] [auth_openidc:debug] [pid 9671:tid 140199300376320] src/util.c(1226): oidc_util_get_cookie: returning "mod_auth_openidc_session" = <null>
[Tue Mar 08 11:33:16.557218 2022] [auth_openidc:debug] [pid 9671:tid 140199300376320] src/util.c(1388): oidc_util_request_matches_url: comparing "/redirect_uri"=="/redirect_uri"
[Tue Mar 08 11:33:16.557278 2022] [auth_openidc:debug] [pid 9671:tid 140199300376320] src/proto.c(2481): oidc_proto_javascript_implicit: enter
[Tue Mar 08 11:33:16.557374 2022] [authz_core:debug] [pid 9671:tid 140199300376320] mod_authz_core.c(809): AH01626: authorization result of Require valid-user : granted
[Tue Mar 08 11:33:16.557437 2022] [authz_core:debug] [pid 9671:tid 140199300376320] mod_authz_core.c(809): AH01626: authorization result of <RequireAny>: granted
[Tue Mar 08 11:33:16.557524 2022] [authz_core:debug] [pid 9671:tid 140199300376320] mod_authz_core.c(809): AH01626: authorization result of Require valid-user : denied (no authenticated user yet)
[Tue Mar 08 11:33:16.557609 2022] [authz_core:debug] [pid 9671:tid 140199300376320] mod_authz_core.c(809): AH01626: authorization result of <RequireAny>: denied (no authenticated user yet)

The Apache config is (with redactions):

<VirtualHost *:443>
        OIDCProviderMetadataURL xxxx
        OIDCClientID xxxxx
        OIDCClientSecret 'xxxx'

        OIDCScope "openid name email"
        OIDCRedirectURI xxxx
        OIDCCryptoPassphrase xxxx

        <Location />
           AuthType openid-connect
           Require valid-user
           LogLevel debug
        </Location>

        SSLEngine On
        ServerName xxxx
        Header always set Strict-Transport-Security "max-age=31536000;
        Header always set X-Frame-Options: DENY
        RewriteEngine On
        RewriteCond %{REQUEST_URI}  ^/socket.io        [NC]
        RewriteCond %{QUERY_STRING} transport=websocket    [NC]
        RewriteRule /(.*)       ws://127.0.0.1:9001/$1 [P,L]

        ProxyVia On
        ProxyRequests Off
        ProxyAddHeaders On
        ProxyPass / http://127.0.0.1:9001/
        ProxyPassReverse / http://127.0.0.1:9001/
        RewriteRule .* - [E=PROXY_USER:%{LA-U:REMOTE_USER}]
        RequestHeader set Proxy-User %{PROXY_USER}e

        # By default Apache times out connections after one minute
        # Change it to 1 day
        ProxyTimeout 86400
        <Proxy *>
                Order deny,allow
                Allow from all
        </Proxy>
        ErrorLog xxxx
        CustomLog xxxx
        SSLCertificateFile      xxxx
        SSLCertificateKeyFile   xxxx
        SSLCertificateChainFile xxxx
</VirtualHost>

I'm not sure why it is reporting "no authenticated user yet".

I'm not sure why it is looping, posting to the redirect_uri over and over again.

I did experiment with OIDCUnAuthAction and OIDCUnAutzAction but couldn't find values that would result in the user trying to authenticate with Auth0 and then, if they aren't allowed access, refuse access.

[zandbelt]

I'd need to see the full debug log and the version of the module used to analyze.

[pcolmer]

I think I've solved this; I think that the root problem was that:

RewriteRule .* - [E=PROXY_USER:%{LA-U:REMOTE_USER}]
RequestHeader set Proxy-User %{PROXY_USER}e

wasn't setting Proxy-User to a usable value. I've now switched to using OIDCRemoteUserClaim email and configured the underlying software to use REMOTE_USER rather than Proxy-User. That seems to be getting me further, although the underlying software is still giving me problems. I am, however, happy that I've got a working configuration as far as mod_auth_openidc is concerned.