OIDC claims are not passed as headers to upstream application

[raghunath1986]

Hi Team: I have implemented apache (with mod_auth_openidc - azure ad as IDP) as reverse proxy for backend java application. I am trying to read the claims as headers in the backend application but I am not able to see the claims being passed as headers.

Below is my .conf file content

<VirtualHost *:80>
ServerName localhost
ServerAdmin webmaster@localhost
ErrorLog ${APACHE_LOG_DIR}/error.log
CustomLog ${APACHE_LOG_DIR}/access.log combined
OIDCRedirectURI http://localhost:8550/test
OIDCCryptoPassphrase dfcvasdf12345asdfasdf09566asdfasdf
OIDCProviderMetadataURL https://login.microsoftonline.com//v2.0/.well-known/openid-configuration
OIDCScope "openid profile user.read email"
OIDCProviderAuthRequestMethod POST
OIDCClientID <client_id>
OIDCClientSecret <client_secret>
OIDCClaimPrefix Oidc-Claim-
OIDCPassClaimsAs headers

<Location /testing>
AuthType openid-connect

Require claim email~^(.*)@.com$
Require claim email_verified:true

RequestHeader set X-Forwarded-User-Email %{REMOTE_USER}s
PassEnv OIDC_CLAIM_sub
RequestHeader set X-Forwarded-User %{OIDC_CLAIM_sub}e
ProxyPass http://localhost:8550/test
ProxyPassReverse http://localhost:8550/test
LogLevel auth_openidc:debug

could someone please guide me how to get the custom claims to appear as headers to backend app.

[zandbelt]

when inspecting the server log you can verify that headers are actually being set; I'm guessing that the applicaton at ttp://localhost:8550/test does not pickup those headers, you could use e.g. dedicated PHP page with phpinfo() to proxy to and test this

also notice that since you're using Oidc-Claim-, your headers and environment variables would look like Oidc-Claim-sub etc., so use:

RequestHeader set X-Forwarded-User %{Oidc-Claim-sub}e