I am trying to protect 'content' folder served by Apache/2.2.22 (Ubuntu). Here is my config entry

    OIDCProviderMetadataURL http://192.168.1.11:8080/openid-connect-server-webapp/.well-known/openid-configuration
    OIDCCryptoPassphrase helloworld
    OIDCRedirectURI http://192.168.1.11:100/content/redirect_uri
    OIDCScope "openid email profile"
    #OIDCCookiePath /
    #OIDCCookieDomain 192.168.1.11

    OIDCClientID xxxxxxxx
    OIDCClientSecret xxxxxxxxxxxxxxxxx

    <Location /content>
       AuthType openid-connect
       Require claim preferred_username:guest
    </Location>

As you can see my OP is running on Tomcat on the same server.

When I access http://192.168.1.11:100/content/user/index.html I get the following error on the browser

HTTP Status 404 - /openid-connect-server-webapp/oauth/error

However if the redirect_uri is not under "/content" say "/redirect_uri" all URL's referring to "/content/**" get redirected to /redirect_uri/index.html

I am not able to make this work, any help is appreciated.

thanks,
Karunakar

Produce x86_64 packages for the most popular Ubuntu LTS releases. It's totally unreasonable only to support bleeding-edge distributions.

See: https://code.google.com/p/pingfederate/issues/list

On my system, stock rhel, the call to ap_get_remote_host in oidc_get_browser_state_hash sometimes returns a name and sometimes a number. Don't know why but I had to disable that part of the hash.

Hi,

i am trying to install this module on debian 7. i have one OP (Gluu server), and a client apache with mod_auth_openidc.
When i try to test openid connect authentication, i get the redirection form the client to the OP, and then form the OP to the client after the authentication. I get this errors:

Error: The OpenID Connect Provider returned an error: Error in handling response type.

in apache i get these errors:

[Thu Feb 26 12:47:44 2015] [error] [client 192.168.253.17] oidc_util_json_string_print: oidc_util_check_json_error: response contained an "error" entry with value: ""invalid_client"", referer: https://alaska.aduneo.com/oxauth/login?scope=openid&response_type=code&nonce=QezaEtaxvLdZcB3pAHSvzDf9vg5rkPWsRA2kxwN9feY&redirect_uri=https%3A%2F%2Fnewyork.aduneo.com%2Fprotected%2F&state=_3tSS-kt7KEsz6Unm-Y1tsZEY2s&client_id=%40%2100EB.2A19.32E4.4E23%210001%215A40.2DD3%210008%2145B9.D59A
[Thu Feb 26 12:47:44 2015] [error] [client 192.168.253.17] oidc_util_json_string_print: oidc_util_check_json_error: response contained an "error_description" entry with value: ""Client authentication failed (e.g. unknown client, no client authentication included, or unsupported authentication method). The authorization server MAY return an HTTP 401 (Unauthorized) status code to indicate which HTTP authentication schemes are supported. If the client attempted to authenticate via the Authorization request header field, the authorization server MUST respond with an HTTP 401 (Unauthorized) status code, and include the WWW-Authenticate response header field matching the authentication scheme used by the client."", referer: https://alaska.aduneo.com/oxauth/login?scope=openid&response_type=code&nonce=QezaEtaxvLdZcB3pAHSvzDf9vg5rkPWsRA2kxwN9feY&redirect_uri=https%3A%2F%2Fnewyork.aduneo.com%2Fprotected%2F&state=_3tSS-kt7KEsz6Unm-Y1tsZEY2s&client_id=%40%2100EB.2A19.32E4.4E23%210001%215A40.2DD3%210008%2145B9.D59A
[Thu Feb 26 12:47:44 2015] [error] [client 192.168.253.17] oidc_proto_resolve_code_and_validate_response: failed to resolve the code, referer: https://alaska.aduneo.com/oxauth/login?scope=openid&response_type=code&nonce=QezaEtaxvLdZcB3pAHSvzDf9vg5rkPWsRA2kxwN9feY&redirect_uri=https%3A%2F%2Fnewyork.aduneo.com%2Fprotected%2F&state=_3tSS-kt7KEsz6Unm-Y1tsZEY2s&client_id=%40%2100EB.2A19.32E4.4E23%210001%215A40.2DD3%210008%2145B9.D59A

the content of auth_openidc.conf:

OIDCRedirectURI https://newyork.aduneo.com/protected/
OIDCCryptoPassphrase password
OIDCProviderMetadataURL https://alaska.aduneo.com/.well-known/openid-configuration
OIDCSSLValidateServer Off
OIDCClientID @!00EB.2A19.32E4.4E23!0001!5A40.2DD3!0008!45B9.D59A
OIDCClientSecret 5nz4TtA2L/XrFjzfoPt4XA==
OIDCClientName newyork

<Location /protected/>
   AuthType openid-connect
   Require valid-user
</Location>

can you give me a hint please?

Thank you very much

According to the memcached wiki page using memcached is not recommended for sessions. I was wondering if it is possible to add support for a Redis option for saving sessions?

I wrote small chef recipe to switch our internal services from openid 2.0 to openid connect, I left configuration in separate conf.d/mod_auth_openidc.conf file and just add the following lines to enable authentication where I need it:

OIDCRedirectURI https://subdomain.mydomain.com/
OIDCCookieDomain subdomain.mydomain.com
<Location "/">
    Satisfy all
    AuthType openid-connect
    Require claim hd:mydomain.com
</Location>

however when I used it with VirtualHost that had SSLProxyEngine On I noticed of infinite redirect loop that leads to 7-15 session cookies and results in Bad Request. Actually it was not a big problem for me, I found that we don't need SSLProxyEngine here, however I think it can be helpful info to improve your great module.

Thank you for maintaining it, it saved me lot of time.

I'm getting this when trying to install on debian 7

:~# sudo dpkg -i libapache2-mod-auth-openidc_1.5.3-1_amd64.deb
Selecting previously unselected package libapache2-mod-auth-openidc.
(Reading database ... 26986 files and directories currently installed.)
Unpacking libapache2-mod-auth-openidc (from libapache2-mod-auth-openidc_1.5.3-1_amd64.deb) ...
dpkg: warning: unable to delete old directory '/etc/apache2/conf-available': Directory not empty
dpkg: dependency problems prevent configuration of libapache2-mod-auth-openidc:
 libapache2-mod-auth-openidc depends on libc6 (>= 2.14); however:
  Version of libc6:amd64 on system is 2.13-38+deb7u3.
 libapache2-mod-auth-openidc depends on apache2-api-20120211; however:
  Package apache2-api-20120211 is not installed.

dpkg: error processing libapache2-mod-auth-openidc (--install):
 dependency problems - leaving unconfigured
Errors were encountered while processing:
 libapache2-mod-auth-openidc

This is a fresh Debian 7, and I can't get to install those deps apache2-api-20120211 and libc6 (>= 2.14)

Any hint appreciated.

Thanks,
Matias

Attempting to use MS Live. In its authorization response I get an access_token but no id_token. I do get a "user_id" string.

When using Apache worker MPM there appears to be an issue with file locking when using the file storage caching backend (OIDCCacheType file), similar to the one reported for mod_auth_cas here:
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=752872

Although this is a bug in libapr1, a workaround in mod_auth_openidc may be considered.

Apparently switching from fcntl to flock could solve it as mod_auth_cas did here:
apereo/mod_auth_cas@50663b5#diff-b823cf0e10152100b941acd0fb5838a8R55 but that would also mean losing support for NFS.

I'm thinking a configuration option for the locking mechanism to use is a possible way forward. I'd be interested to hear opinions and actual experience with this issue.

The recommendation for now is to use Apache prefork MPM when using the file storage caching backend, or use a different caching backend (OIDCCacheType [shm | memcache]) if you want to use the worker MPM.

Occasionally, the state cookie might get scoped to the wrong path, leading to errors like this when the authentication provider redirects the user to https://REDACTED/oauth2callback:

[Thu Aug 14 05:43:48 2014] [error] [client 10.1.2.3] oidc_restore_proto_state: no "mod_auth_openidc_state" state cookie found, referer: https://REDACTED/
[Thu Aug 14 05:43:48 2014] [error] [client 10.1.2.3] oidc_unsolicited_proto_state: could not parse JWT from state: invalid unsolicited response, referer: https://REDACTED/
[Thu Aug 14 05:43:48 2014] [error] [client 10.1.2.3] oidc_authorization_response_match_state: unable to restore state, referer: https://REDACTED/

To fix this, the user must delete all mod_auth_openidc_state cookies associated with the Host in his/her browser and reload the site.

I'm still trying to trace down the exact cause, but it seems like the module sometimes isn't issuing a state cookie that's root-scoped even though our AuthType openid-connect and Require valid-user directives are bound to <Location />.

I have the following configuration:

<VirtualHost *:80>

   # ....

    Redirect permanent / ${BaseUrl}

   # ...

</VirtualHost>

And then I have:

OIDCRedirectURI ${BaseUrl}/${ClassName}/redirect

Essentially, I am redirecting all http traffic to https.

When a user accesses the site on http, if they are not authenticated they are first asked to authenticate. After this they are redirected to http which then is redirected to https and a 500 internal service error is generated.

If the user connects directly to https://url-to-page/ initially, the process works fine. Is it possible to configure the protocol to first apply redirects before checking for authentication?

Thanks!

Hi,

I have some problems to use your apache module with Google provider.

I am using Ubuntu 14.04 and libapache2-mod-auth-openidc_1.4_amd64.deb

I enabled auth_openidc.load and auth_openidc.conf (withour modification).

I added the following lines in my apache conf :

OIDCProviderIssuer accounts.google.com
OIDCProviderAuthorizationEndpoint https://accounts.google.com/o/oauth2/auth
OIDCProviderTokenEndpoint https://accounts.google.com/o/oauth2/token
OIDCProviderTokenEndpointAuth client_secret_post
OIDCProviderUserInfoEndpoint https://www.googleapis.com/plus/v1/people/me/openIdConnect
OIDCProviderJwksUri https://www.googleapis.com/oauth2/v2/certs

OIDCClientID 964313367974-j3d4b43j1vjuoa01dv06bt9nrpl5g7ek.apps.googleusercontent.com
OIDCClientSecret XXXXXXXXXXXX

OIDCScope "openid email profile"
OIDCRedirectURI http://exemple.com/exemple/callback/
OIDCCryptoPassphrase blabla
OIDCCookiePath /
<Location /exemple/>
   AuthType openid-connect
   Require valid-user
</Location>
</VirtualHost>

I have an error 500 and these lines in my error log :

oidc_restore_proto_state: no "mod_auth_openidc_state" state cookie found
oidc_unsolicited_proto_state: could not parse JWT from state: invalid unsolicited response
oidc_authorization_response_match_state: unable to restore state

Can you see what happend ?

Thanks,
Fred

This could be an issue with my configuration

I am attempting to configure google as the OIDC provider. Using the 1.2 release on Ubuntu 14.04.

It kind of works, but has odd behaviour:

• open https://www.example.com:1443/example
• Get redirected to google, go through the consent dance..
• Get redirected back to https://www.example.com:1443/example/redirect_uri

It simply hangs at this point - on both firefox and chrome.

However - if I let it timeout, and then reload the /example page - it comes up OK!, and I can see that the oidc cookie is set.

I tried fiddling with the redirect url (/redirect_uri with and without trailing /) but that did not make a difference. So it appears that the odic module processes the assertion OK from google- but gets hung up trying to redirect back the original URL.

Here is my config

OIDCProviderIssuer accounts.google.com
OIDCProviderAuthorizationEndpoint https://accounts.google.com/o/oauth2/auth?approval_prompt=force
OIDCProviderTokenEndpoint https://accounts.google.com/o/oauth2/token
OIDCProviderTokenEndpointAuth client_secret_post
OIDCProviderUserInfoEndpoint https://www.googleapis.com/plus/v1/people/me/openIdConnect
OIDCProviderJwksUri https://www.googleapis.com/oauth2/v2/certs

OIDCClientID 431631896232-kdioacia46qnhv0uvp8rfh6es9t6rbp5.apps.googleusercontent.com
OIDCClientSecret XXXXXXXXXXXXXX

OIDCScope "openid email profile"
OIDCRedirectURI https://www.example.com:1443/example/redirect_uri
OIDCCryptoPassphrase password

<Location /example/>
Authtype openid-connect
require valid-user

Description of Feature Request

We operate Apache behind a load balancer that performs SSL decryption. The traffic reaches Apache unencrypted on port 80. As configured, a request of https://host.mydomain.com/protected/ is ultimately redirected to http://host.mydomain.com/protected/. Given that the mod_auth_openidc_session cookie is only sent over a secure connection, the cookie is not sent - resulting in a redirect loop.

Request

We'd like to request that the scheme be exposed as a value - it appears that the scheme is assumed based on initial request. Perhaps as OIDCCurrentURLScheme.

Current Behavior

1. The request to the client containing the token (code) is placed at https://myhost.mydomain.com/protected/oauth2callback/?state=code=&authuser=&num_sessions=&session_state=&prompt=none
2. This request returns a 302 to http://myhost.mydomain.com/protected/initial_document.html. Note that no cookie is sent.
3. http://myhost.mydomain.com/protected/initial_document.html does not allow access and redirects to OIDCProviderAuthorizationEndpoint.

Testing

The method we used to test this is described below:

1. Tested using FireFox 29.0.1 on OS X.
2. Visit protected URL. https://myhost.mydomain.com/protected
3. Ensure Google Authentication occurs and cookies are set.
4. Redirect loop occurs.
5. Use Cookie Manager tool (CookiesManager+) to set cookie mod_auth_openidc_session to "Send For: any type of connection"
6. Access site at http://myhost.mydomain.com/protected

Workaround (for others with similar problem)

• Perform decryption on server as opposed to load balancer.
• Add an additional Apache redirect.

User authentication and authorization (via claims) are perfectly working. But I can see these messages in Apache error.log:

oidc_authz_get_claims_and_idtoken: could not restore id_token from request state: wrong arguments

I'm not able to track down the cause. I just can see that the id_token JSON is (null).
Do you have any ideas how to track it down or fix it?

I don't see any .spec file for building the RPM package, is it possible to provide this upstream without having to maintain my own?

Or are you using alien for converting from deb to rpm or something like that?

I found a bug in JSON decoder. When JSON data contains an unicode character (e.g., "Martin \u0160rom") the decoding fails.

In my case the unicode characters are in JSON returned by UserInfo endpoint. The user attributes like first name, last name, organization, etc. can contain special characters.

The library https://github.com/moriyoshi/apr-json which is used as JSON decoder is not reliable. I would suggest to use another library (e.g., http://www.digip.org/jansson/). List of all available JSON libraries for C can be found here: http://www.json.org/.

Here is patch for current version of JSON decoder to properly parse unicode characters:

diff --git a/src/json/apr_json_decode.c b/src/json/apr_json_decode.c
index a03f372..3bd8682 100644
--- a/src/json/apr_json_decode.c
+++ b/src/json/apr_json_decode.c
@@ -98,7 +98,7 @@ static apr_status_t apr_json_decode_string(apr_json_scanner_t *self, apr_json_st
                 }
                 p += 5;
                 string.len += 4; /* an UTF-8 character spans at most 4 bytes */
-                break;
+                // confinue consuming characters after "\uXXXX"
             } else {
                 string.len++;
                 p++;
@@ -127,8 +127,10 @@ static apr_status_t apr_json_decode_string(apr_json_scanner_t *self, apr_json_st
             case 'u':
                 /* THIS IS REQUIRED TO BE A 4 DIGIT HEX NUMBER */
                 {
+                    p++; // hex digits start after the 'u' character
+                    int i = 0; // number of digits already parsed (cannot exceed 4)
                     int cp = 0;
-                    while (p < e) {
+                    while (p < e && i < 4) {
                         int d = hex_to_int(*p);
                         if (d < 0) {
                             status = APR_EGENERAL;
@@ -136,6 +138,7 @@ static apr_status_t apr_json_decode_string(apr_json_scanner_t *self, apr_json_st
                         }
                         cp = (cp << 4) | d;
                         p++;
+                        i++;
                     }
                     if (cp >= 0xd800 && cp < 0xdc00) {
                         /* surrogate pair */

Martin

The instructions in INSTALL say to run ./configure but no such script exists in the distribution.

In order to migrate from Google OpenID 2.0 to Google OAuth2/OIDC, Google provides a mechanism for getting BOTH OpenID 2.0 identifier AND Google OIDC identifier for a user. The process is documented at https://developers.google.com/accounts/docs/OpenID#adjust-uri .

Basically, the initial authentication request URI can contain an additional parameter "openid.realm=https://..." This results in eventually returning a new "openid_id" field that contains the Google OpenID 2.0 identifier. By matching this against the "sub" field (the OIDC identifier), sites can migrate users from old OpenID 2.0 ids to new OIDC ids.

It would be really helpful if the configuration file could support something like "OIDCOpenIDRealm=https://...", then the code could get the openid_id and put it in the HTTP session headers.

I install openidc on apache2.4 and see this error:

Syntax error on line 1 of /etc/apache2/mods-enabled/auth_openidc.load: Cannot load /usr/lib/apache2/modules/mod_auth_openidc.so into server: /usr/lib/apache2/modules/mod_auth_openidc.so: undefined symbol: ap_requires
Action 'configtest' failed.

As noted at http://httpd.apache.org/docs/current/developer/new_api_2_4.html, ap_requires was removed in apache2.4.

Can you add support for apache2.4?
Thanks.

Hello,

I use mod_auth_openidc on an Apache RP to secure access to the backend web server.
I would like to make 2 verifications :

1. Verify that the people who connects through openidc comes from my domain.com
2. Verify that the people who connects through openidc is a member of a group of my LDAP

I know how to verify 1. or 2., but cannot verify 1. and 2.

Here is a part of my vhost:

<Location />
 AuthType openid-connect
 Require claim hd:domain.com

  AuthLDAPURL "ldap://ldap.domain.com:389/ou=Users,o=domain?mail?sub?(objectClass=person)(ISstatus=Active)"
  Require ldap-group cn=Group,ou=Applications,o=domain   

  Satisfy All
</Location>

When I set Require claim hd:domain.com there is NO LDAP request...
If I set Require valid-user instead of Require claim hd:domain.com, the LDAP verification is working.

If someone could help me with this ...

I am testing mod_auth_openidc in my local machine. I keep getting this error when retrieving the token

[auth_openidc:error] [pid 468628:tid 2900] [client 127.0.0.1:52791] oidc_util_http_call: curl_easy_perform() failed on: https://localhost/auth/oidc/token (SSL certificate problem: self signed certificate)
[auth_openidc:warn] [pid 468628:tid 2900] [client 127.0.0.1:52791] oidc_proto_token_endpoint_request: error when calling the token endpoint (https://localhost/auth/v3/oidc/token)

Not sure if it is a real issue or some extra flag I need to set in http.conf

I am using mod_ssl and the following configs in the http.conf for mod_auth_openidc

  OIDCClientID mnWfbpfbOroRlOg1qlv49eN5jBMa
OIDCClientSecret V1H9N67jSwiw0SvEl3eTzTgHH84a
OIDCCryptoPassphrase Somepass
OIDCRedirectURI http://localhost/oidc/redirect_uri
OIDCProviderAuthorizationEndpoint https://localhost/auth/oidc/auth
OIDCProviderTokenEndpoint  https://localhost/auth/oidc/token

OIDCProviderIssuer localhost/auth/oidc/auth
<Location "/oidc/">
    AuthType openid-connect
    Require valid-user
</Location>

Greetings!

Thanks for you work on this project. At my company, we have successfully integrated and deployed this module in front of a number of our services, including: MediaWiki, Graphite, etc.

I am currently running into an issue with Cacti integration. Whenever I hit a the callback URL from our openidc provider immediately following a sign in, I get an Apache 500 page. On any subsequent request to a different Cacti URL ('/' for example), the authentication works as expected.

For the error case, the Apache error logs show the following messages:

[Mon Sep 15 21:16:35.077896 2014] [auth_openidc:error] [pid 20421] [client 111.111.111.111:52153] oidc_restore_proto_state: no "mod_auth_openidc_state" state cookie found, referer: https://[our_auth_host]/users/sign_in
[Mon Sep 15 21:16:35.077919 2014] [auth_openidc:error] [pid 20421] [client 111.111.111.111:52153] oidc_unsolicited_proto_state: could not parse JWT from state: invalid unsolicited response, referer: https://[our_auth_host]/users/sign_in
[Mon Sep 15 21:16:35.077924 2014] [auth_openidc:error] [pid 20421] [client 111.111.111.111:52153] oidc_authorization_response_match_state: unable to restore state, referer: https://[our_auth_host]/users/sign_in

From these log messages, It would appear that the mod_auth_openidc_state cookie value is NULL:

https://github.com/pingidentity/mod_auth_openidc/blob/39b3a45d25118995a9730f56ff671c6137d76737/src/mod_auth_openidc.c#L409

However, the request to our callback URL DOES contains that cookie:

GET https://[our_cacti_host]/auth/callback?code=7f5acd7beff06412d4fed708fcff8881660924fab2118944e805089bdc0a82ed&state=8cQqWbYv8cl7YpoJInm2Uyj13dM%3D

mod_auth_openidc_state  GpH9kLcPz2LDwPAk4vgQkNgfDR16yM28RkGCc7y7jGzfN546QJsLcFxo-5bZOcRFDUhc1O9TjaXpyPfHCbdCLqxVmt6LIPuKnLdXfwv9fSsIFkq0DP4j8uQ1dcySAgtTo9NhnlmAAZKuOmnQGTuoxB-Tjh4YZFNFVlUkQUYcMiaTsyl6GVvSjzGVwZcszH7qNa5Us4Ovg58nt_lJZXIJ0nRj44ekbzqbngfhSHWLS1Z3M6XTwBRFq8vpQOzURl5gPe1mVnth_Ts3lNiyoJaZe2prgdJj0IP_MqAcAw8AucY47rVXj0y2fYwKeKPOmh--5Y1-RO6gSnwpAoNyaGF6pg

Versions:
Apache Version: Apache/2.4.7 (Ubuntu)
Cacti Version: 0.8.8b

Resolution:
After we receive this error, we can hit any other page on our Cacti server, for example:

GET https://[our_cacti_host]/

.. and we get authenticated correctly (the correct REMOTE_USER environment variable gets passed to Cacti, etc). The 'mod_auth_openidc_state' cookie metadata for the success case is identical to the 'mod_auth_openidc_state' cookie metadata for the failure case (domain, path, expires all show up as 'N/A' in chrome).

Does this issue sound like a misconfiguration problem? Is this something that you've experienced before? Any help would be appreciated. Thanks!

Managed to get to the old repo by following your tweet: https://twitter.com/hanszandbelt/status/421275024931028992 and then wasn't sure about adopting this because it felt unmaintained... I suddenly wonder if Twitter lets you update tweets ;-) This repo is definitely worth trying and/or contributing to.

So I have several Debian machines with an identical config and REMOTE_USER gets set to the user's email (the user's email will never be null either) but on a Scientific Linux box REMOTE_USER seems to be the default sub@issuer

        OIDCProviderIssuer provider.com
        OIDCProviderAuthorizationEndpoint https://provider.com/oauth/userinfo
        OIDCProviderTokenEndpoint https://provider.com/oauth/userinfo
        OIDCProviderUserInfoEndpoint https://provider.com/oauth/userinfo

        OIDCClientID some_long_string
        OIDCClientSecret some_long_string

        OIDCScope "openid" 
        OIDCRedirectURI https://client.com/redirect_uri

        OIDCCryptoPassphrase a-cool-password

        OIDCOAuthRemoteUserClaim email

        <Directory /var/www/html/thevault/>
            AuthType openid-connect
            Require claim staff_flag:true
        </Directory>

1. I'm using a centos 7 box (using vagrant & chef)
2. installing apache2.
3. Install dependencies (hiredis, jansson)
4. install mod_auth_openidc from rpm.
5. restart apache, which fails.

I get this error message from "systemctl status httpd.service"
httpd: Syntax error on line 123 of /etc/httpd/conf/httpd.conf: Syntax error on line 55 of /etc/httpd/mods-enabled/mod_auth_openidc.conf: </IfModule> without matching <IfModule> section

What do I do different to the .conf file so it is read properly by apache?

Hi,

Is it possible to add an option in order to set httponly flag to true ?
https://www.owasp.org/index.php/HttpOnly

Thanks,
Regards,
Frédéric

root@myhost:/tmp# ipcs -s

------ Semaphore Arrays --------
key semid owner perms nsems
0x002fa327 0 root 666 2
0x00000000 6619137 www-data 600 1
0x00000000 6651906 www-data 600 1
0x00000000 6684675 www-data 600 1
0x00000000 6717444 www-data 600 1

root@myhost:/tmp# /etc/init.d/apache2 reload

• Reloading web server apache2
  *
  root@myhost:/tmp# /etc/init.d/apache2 reload
• Reloading web server apache2
  ^[[A *
  root@myhost:/tmp# /etc/init.d/apache2 reload
• Reloading web server apache2
  *
  root@myhost:/tmp# /etc/init.d/apache2 reload
• Reloading web server apache2
  *
  root@myhost:/tmp# ipcs -s

------ Semaphore Arrays --------
key semid owner perms nsems
0x002fa327 0 root 666 2
0x00000000 6619137 www-data 600 1
0x00000000 6651906 www-data 600 1
0x00000000 6684675 www-data 600 1
0x00000000 6750212 www-data 600 1
0x00000000 6782981 www-data 600 1
0x00000000 6815750 www-data 600 1
0x00000000 6881287 www-data 600 1
0x00000000 6914056 www-data 600 1
0x00000000 6946825 www-data 600 1
0x00000000 6979594 www-data 600 1

Once the semaphore limit is hit, apache dies.

test code 'test_jwt_decryption' fails on big endian architectures (mips, powerpc, sparc):

| `/usr/bin/apxs2 -q CC`  -DLINUX -D_REENTRANT -D_GNU_SOURCE -D_LARGEFILE64_SOURCE -I/usr/include/apr-1.0   -Isrc -o test/test test/*.c src/jose/apr_jwt.c src/jose/apr_jwk.c src/jose/apr_jws.c src/jose/apr_jwe.c -lapr-1 -laprutil-1 -lldap -llber  -lssl -lcrypto  -ljansson 
| test/test
| Failed:  # test_jwt_decryption: error in apr_jwe_decrypt_jwt: result "0" != expected "1"
| make[1]: *** [test] Error 1 

When claim used for authorization has integer value an infinite loop takes place.

Here is a fix for infinite loop (remove the continue statements) and handle integer values:

diff --git a/src/authz.c b/src/authz.c
index de85af9..fc71121 100644
--- a/src/authz.c
+++ b/src/authz.c
@@ -99,7 +99,14 @@ static apr_byte_t oidc_authz_match_claim(request_rec *r,
                                        return TRUE;
                                }

-                               /* see if it is a boolean and it (case-insensitively) matches the Require'd value */
+                       /* see if it is a integer and it equals the Require'd value */
+                       } else if (json_is_integer(val)) {
+
+                                if (json_integer_value(val) == atoi(spec_c)) {
+                                        return TRUE;
+                                }
+
+                       /* see if it is a boolean and it (case-insensitively) matches the Require'd value */
                        } else if (json_is_boolean(val)) {

                                if (apr_strnatcmp(json_is_true(val) ? "true" : "false", spec_c)
@@ -139,7 +146,7 @@ static apr_byte_t oidc_authz_match_claim(request_rec *r,
                                                ap_log_rerror(APLOG_MARK, APLOG_WARNING, 0, r,
                                                                "oidc_authz_match_claim: unhandled in-array JSON object type [%d] for key \"%s\"",
                                                                elem->type, (const char *) key);
-                                               continue;
                                        }
                                }

@@ -147,7 +154,7 @@ static apr_byte_t oidc_authz_match_claim(request_rec *r,
                                ap_log_rerror(APLOG_MARK, APLOG_WARNING, 0, r,
                                                "oidc_authz_match_claim: unhandled JSON object type [%d] for key \"%s\"",
                                                val->type, (const char *) key);
-                               continue;
                        }

                }

The documentation of the module should be sharpened with respect to OAuth2.

There is a part that says that the module always acts as a resource server in an OAuth2 context, the actual resources being served from an underlying system proxied by this apache module. Therefore the module supports token validation via an endpoint. So far, so good, but:

• How would an abstract integration szenario look like?
• How would a typical integration scenario look like?
• What are the supported OAuth2 grant types?
• What would be the prerequisites that provider and client must fulfill for the integration to work?
• Does the module support other steps in either grant type, such as redirecting a client to an authorization server (i.e. a login page)?

in apache config:

OIDCIDTokenSignedResponseAlg HS512

in apache error logs:

oidc_set_url_slot_type: configuration value 'HS512' could not be parsed as a URL (no scheme set)!

tried my best to make a sensible topic/subject

Can we get an option over overriding the port so it hits varnish and routes correctly?

Ie, apache config:

<Location /foo>
AuthType openid-connect
....

<Location /outh_callback>
AuthType openid-connect

required for the callback from accounts.google.com/o/oauth2 ..

So when trying to access /foo, you get bounced to accounts.google.com , back to the /oauth_callback, but then it tries to redirect you back to /foo and it is here the problem happens.

When it tries to redirect you back to /foo, it seems to pick up the vhost port defined in the vhost configuration.

This isn't necessary correct when we have varnish in front, and the vhost port defined in the apache configuration isn't accessible from the outside.

Produce packages for RHEL/CentOS 6 and 7. (6 probably deserves higher priority as 7 was just released.)

We set up an OAuth/OpenID Connect server and our application authenticates users against the OAuth/OpenID Connect server. We have an Apache web server that uses mod_auth_openidc and that Apache web server serves the content to authenticated users of our application.

When a user signs off/out from the application, we want the Apache server to stop serving the content. However mod_auth_openidc cookie on the user browser is valid even after revoking the access tokens on the OAuth/OpenID connect server. Is there a way for mod_auth_openidc to support "federated sign out" or "single sing out"? Any guidance is appreciated.

By the way we use

OIDCProviderMetadataURL http://svr-IP/openid-connect-server/.well-known/openid-configuration

in our Apache configuration.

thanks,
Karunakar

The examples given in the documentation for using Google Apps domain accounts are incorrect, which took me quite a bit of googling/searching to correct. The example states the following is required:
OIDCScope "openid profile"
Require claim hd:<your-domain>

However, the hd claim is only returned if you ask for e-mail according too Google's documentation: https://developers.google.com/+/api/openidconnect/getOpenIdConnect. Hence, the correct example would be:
OIDCScope "openid email"
Require claim hd:<your-domain>

Note: I don't think profile is required for Google - or adds any value.

mod_rewrite doesn't seem to have access to REMOTE_USER.
I'm trying following config:

RewriteEngine on
RewriteCond %{LA-U:REMOTE_USER} ^$
RewriteRule ^/protect-but-dont-redir - [L,R=404]

and it always matches the condition (even when authenticated).

in libapache2-mod-auth-openidc 1.5.3-1 initial authentication doesn't work since it isn't creating the tmp files. If I go back a version, then auth, then upgrade, everything works correctly.

If a Redis server configured as a cache is configured with an idle timeout, the server might close the connection before the module communicates with it again. This is especially possible for web services that are infrequently accessed. This leads to errors that look like:

oidc_cache_redis_get: redisCommand failed, reply == NULL: 'Server closed the connection'

In such a case, the client should try to reconnect to the Redis server and reattempt the request.

I have my OIDCRedirectURI set to https://localhost/ct/redirect.

Prior to being authenticated, if I attempt to access anything within the ct/some-resource I am brought through the authentication processes which resolves successfully.

However, if I attempt to access anything within a sub-directory ct/some-sub/some-resource I am brought through the authentication process which resolves to apache serving a Internal Server Error. It should be noted that after this point, I am successfully authenticated and if I try to access the resource again, it loads fine. It is only on the initial authentication that I get the error.

I am using the release 1.5_amd64

Configuration file:

OIDCRedirectURI https://localhost/ct/redirect
OIDCCryptoPassphrase aBetterPassword
OIDCScope "email"


OIDCProviderIssuer accounts.google.com
OIDCProviderAuthorizationEndpoint https://accounts.google.com/o/oauth2/auth
OIDCProviderJwksUri https://www.googleapis.com/oauth2/v2/certs
OIDCProviderTokenEndpoint https://accounts.google.com/o/oauth2/token
OIDCProviderTokenEndpointAuth client_secret_post
OIDCProviderUserInfoEndpoint https://www.googleapis.com/plus/v1/people/me/openIdConnect
OIDCSessionInactivityTimeout 3600

<Location /ct/ >
  Authtype openid-connect
  require valid-user
</Location>

# The default setting is to run captain-teach on port 8080
ProxyPass /ct/ http://localhost:8080/
ProxyPassReverse /ct/ http://localhost:8080/

Apache log file after attempting to access localhost/ct/review/test prior to authentication:

[Mon Jun 09 14:55:57.852746 2014] [:error] [pid 45:tid 140038161622784] [client 172.17.42.1:42470] oidc_restore_proto_state: no "mod_auth_openidc_state" state cookie found, referer: https://accounts.google.com/o/oauth2/auth?scope=email&response_type=code&redirect_uri=https://localhost/ct/redirect&state=FzeknDOmfuiLbabM5XtxXIiAIWk%3D&client_id=163831924831-73u2fn1dedoholkqp1ci2qn602fjqdlf.apps.googleusercontent.com&hl=en-US&from_login=1&as=-17c181a7bb5b43f7&authuser=0
[Mon Jun 09 14:55:57.852838 2014] [:error] [pid 45:tid 140038161622784] [client 172.17.42.1:42470] oidc_unsolicited_proto_state: could not parse JWT from state: invalid unsolicited response, referer: https://accounts.google.com/o/oauth2/auth?scope=email&response_type=code&redirect_uri=https://localhost/ct/redirect&state=FzeknDOmfuiLbabM5XtxXIiAIWk%3D&client_id=163831924831-73u2fn1dedoholkqp1ci2qn602fjqdlf.apps.googleusercontent.com&hl=en-US&from_login=1&as=-17c181a7bb5b43f7&authuser=0
[Mon Jun 09 14:55:57.852858 2014] [:error] [pid 45:tid 140038161622784] [client 172.17.42.1:42470] oidc_authorization_response_match_state: unable to restore state, referer: https://accounts.google.com/o/oauth2/auth?scope=email&response_type=code&redirect_uri=https://localhost/ct/redirect&state=FzeknDOmfuiLbabM5XtxXIiAIWk%3D&client_id=163831924831-73u2fn1dedoholkqp1ci2qn602fjqdlf.apps.googleusercontent.com&hl=en-US&from_login=1&as=-17c181a7bb5b43f7&authuser=0

It would allow for local validation of access tokens when a (link to) a JWK has been provided in the configuration. Test with PingFederate JWT token type. Could be used against Azure AD as well.

Hello,
to begin thank you for your excellent work on this module!

REMOTE_USER environment variable is not accessible in mod_rewrite despite the use of LA_U.
A simple exemple:
RewriteEngine On
RewriteCond %{LA-U:REMOTE_USER} .+
RewriteRule . - [L,E=USEROK:1]

USEROK variable will never defined.

If i use the instructions below, i rejected despite successful authentification openidc:
Order Deny,Allow
Allow from env=USEROK
Deny from all
Satisfy All

Logs:
IP - - [03/Mar/2015:16:00:44 +0100] "GET / HTTP/1.1" 403 579 "..."
Logs without the Allow directive:
IP - USERNAME [03/Mar/2015:16:01:50 +0100] "GET / HTTP/1.1" 200 1133 "..."

There was a similar issue on mod_auth_openid: bmuller/mod_auth_openid#2

We are on Debian Wheeze (64bits), Apache 2.2 and openidc 1.7.3

After installing the deb package on my wheezy server with apache 2.4, the module fails to load:

apache2: Syntax error on line 140 of /etc/apache2/apache2.conf: Syntax error on line 1 of /etc/apache2/mods-enabled/auth_openidc.load: Cannot load /usr/lib/apache2/modules/mod_auth_openidc.so into server: /usr/lib/apache2/modules/mod_auth_openidc.so: undefined symbol: ap_requires

The deb package seems to be installing the module appropriate to apache 2.2, which still has ap_requires, rather than 2.4, where that function has been removed.

REMOTE_USER gets set to the sub claim, according to spec. Falls through to other values (unique_name then email) if sub is not available.

Add a configuration option that allows the REMOTE_USER to be set to any claim that is expected to be unique (with documented warnings).

This might be a dupe of #9, but I'm seeing the following error:

[log] oidc_util_http_call: setting post parameters: grant_type=authorization_code&code=RxpQiOHaZUc2qKLd5orSVJZwFl1pLH&redirect_uri=http%3A%2F%2Flocalhost%3A5000%2Fv3%2FOS-FEDERATION%2Fidentity_providers%2FBP%2Fprotocols%2Foidc%2Fauth%2Fredirect

[log] oidc_util_http_call: response=Error 401: SRVE0295E: Error reported: 401\n
[log] oidc_util_check_json_error: JSON parsing returned an error: '[' or '{' expected near 'Error'

It seems like the authorization code is returned for a token, but then the token isn't decoded: https://github.com/pingidentity/mod_auth_openidc/blob/450f2d2c5d8d118555d4688a1c9726cf132ad87c/src/proto.c#L798

I made a separate token request so I could decode it offline. The claim looks like this, and has some unicode values.

{"iss":"https://localhost:8020/oidc/v10/endpoint/OP","nonce":"m91r8M4OfmxBCOhPkd6ZpNcMQv0eCR11dx54oOzqOMk,","iat":1402500261
, "groupIds":["cn\u003dw3kmXYZGroup,ou\u003dmemberlist,o\u003dexample.com", "cn\u003dABCGroup,ou\u003dmemberlist,o\u003dexample.com"], "sub":"[email protected]","exp":1402503861,"aud":"myclientId","uniqueName":"emailaddress\[email protected],c\u003dca,ou\u003dgroups,o\u003dexample.com","at_hash":"8XkyzPeBJot5XiGeIFhXig"}

I have a page that acts as a dashboard and automatically refreshes itself every so often.

After one hour, if I have not interacted with the page, the refresh produces a 500 Internal Server Error and these messages in the Apache error log:

[Tue Apr 15 11:12:17.986216 2014] [:error] [pid 23840] [client x.x.x.x:y] oidc_check_state: no "mod_auth_openidc_state" state cookie found, referer: https://...
[Tue Apr 15 11:12:17.986295 2014] [:error] [pid 23840] [client x.x.x.x:y] oidc_authorization_response_match_state: unable to restore state, referer: https://...

If I then make the request manually it authenticates fine and continues to refresh for another hour.

What can be done to allow the refresh to work continually?

On older versions of GCC the code fails to compile with the following error:

src/metadata.c: In function 'oidc_metadata_client_get':
src/metadata.c:832:2: error: 'for' loop initial declarations are only allowed in C99 mode
src/metadata.c:832:2: note: use option -std=c99 or -std=gnu99 to compile your code
apxs:Error: Command failed with rc=65536

I added this manually to the generated Makefile as a workaround, but this should be in the CFLAGS by default.

Thanks for this great mod.
I encounter a problem with the session management, mod version 1.7.2/1.7.3.
from the wiki:

If the OP supports session management, it will automatically be used by mod_auth_openidc.

I use mod_auth_openidc to protect Zabbix，so there is no OP/RP hidden iframes. mod_auth_openidc generate new mod_auth_openidc_state_ cookie everytime page refreshes, the cookie size get larger and larger quickly, final cause 'bad request' error.

So, is there some config options to disable the session management?

Similarly to a few other posts, I can't seem to get Google working as an OpenID Connect Provider. I'm not sure what the problem is, but what I've noticed so far is that the log in screen appears when I access a URL that matches the LocationMatch value. I'm able to sign in, and delegate access, at which point, not much else happens, I'm not redirected to the original URL.

I've pasted the relevant config portion:

OIDCProviderIssuer accounts.google.com
OIDCProviderAuthorizationEndpoint https://accounts.google.com/o/oauth2/auth?approval_prompt=force
OIDCProviderTokenEndpoint https://accounts.google.com/o/oauth2/token
OIDCProviderTokenEndpointAuth client_secret_post
OIDCProviderUserInfoEndpoint https://www.googleapis.com/plus/v1/people/me/openIdConnect
OIDCProviderJwksUri https://www.googleapis.com/oauth2/v2/certs

OIDCClientID 258901391964-urldbcgasrlmtdm03dnk59c9i9etgai0.apps.googleusercontent.com
OIDCClientSecret mysecret

OIDCScope "openid email profile"
OIDCRedirectURI http://localhost:5000/v3/OS-FEDERATION/redirect
OIDCCryptoPassphrase password

LocationMatch /v3/OS-FEDERATION/identity_providers/.?/protocols/.?/auth
Authtype openid-connect
require valid-user
LogLevel debug
OIDCCookie oidcstate
OIDCCookiePath /v3/
LocationMatch

And have also included the relevant logs here, with debug enabled:

[Tue Jun 10 02:09:10.312067 2014] [:debug] [pid 10714:tid 140183553177344] src/mod_auth_openidc.c(1423): [client 127.0.0.1:48926] oidc_check_user_id: incoming request: "/v3/OS-FEDERATION/identity_providers/BP/protocols/oidc/auth/?(null)", ap_is_initial_req(r)=1
[Tue Jun 10 02:09:10.312176 2014] [:debug] [pid 10714:tid 140183553177344] src/util.c(693): [client 127.0.0.1:48926] oidc_get_cookie: returning (null)
[Tue Jun 10 02:09:10.312203 2014] [:debug] [pid 10714:tid 140183553177344] src/util.c(735): [client 127.0.0.1:48926] oidc_request_matches_url: comparing "/v3/OS-FEDERATION/identity_providers/BP/protocols/oidc/auth/"=="/v3/OS-FEDERATION/redirect" (0)
[Tue Jun 10 02:09:10.312224 2014] [:debug] [pid 10714:tid 140183553177344] src/util.c(335): [client 127.0.0.1:48926] oidc_get_current_url: current URL 'http://localhost:5000/v3/OS-FEDERATION/identity_providers/BP/protocols/oidc/auth/'
[Tue Jun 10 02:09:10.312236 2014] [:debug] [pid 10714:tid 140183553177344] src/mod_auth_openidc.c(1088): [client 127.0.0.1:48926] oidc_authenticate_user: entering
[Tue Jun 10 02:09:10.312357 2014] [:debug] [pid 10714:tid 140183553177344] src/util.c(652): [client 127.0.0.1:48926] oidc_util_set_cookie: adding outgoing header: Set-Cookie: mod_auth_openidc_state=4K-HtaM
ZghN62RxatGlXahl6NV7qwuyh7ndShJbL2_xgltw6oEXftsw6WW7DN3vbkm7jJe6Rl4V7tP4kgbuKRAv4RCsaLH2YIbKI5KLfMoOHdmGaVR5UtZCg8OSmj7Ge49uaZaBa0TYeDvIbOnT2nDIbK9yHkxKqEB1xrqDZGn2rH4wxuBhW3PHQ0UmzX_SVwGJM9USdsInlN8BFr3zc
Cm9jYmMKbJ0R3yIeS6wFeAzFYZbrHZf1LUR-WzQ2JOB3q2bH4clm51k76d4YKwXsLYPziKqcXBu0QqiWMTQHOpePUdlWTnacFsZgkdAB-EnoydgjRG1N7h6DexBy_HR-zyNkqcT9r5jKRVqiNBGnXnnvO68xV_jNGzqO6lQQlGF9yCsOOQzjXYUk3I5NZQqcgA,,;;Path=/v3/
[Tue Jun 10 02:09:10.312379 2014] [:debug] [pid 10714:tid 140183553177344] src/mod_auth_openidc.c(158): [client 127.0.0.1:48926] oidc_get_browser_state_hash: entering
[Tue Jun 10 02:09:10.312421 2014] [:debug] [pid 10714:tid 140183553177344] src/proto.c(120): [client 127.0.0.1:48926] oidc_proto_authorization_request: entering (issuer=accounts.google.com, redirect_uri=http://localhost:5000/v3/OS-FEDERATION/redirect, original_url=http://localhost:5000/v3/OS-FEDERATION/identity_providers/BP/protocols/oidc/auth/, state=/WB0OzAySIDTukhvi5pxTM67R6Y=, nonce=(null))
[Tue Jun 10 02:09:10.312508 2014] [:debug] [pid 10714:tid 140183553177344] src/proto.c(170): [client 127.0.0.1:48926] oidc_proto_authorization_request: adding outgoing header: Location: https://accounts.google.com/o/oauth2/auth?approval_prompt=force&response_type=code&scope=openid%20email%20profile&client_id=258901391964-urldbcgasrlmtdm03dnk59c9i9etgai0.apps.googleusercontent.com&state=%2FWB0OzAySIDTukhvi5pxTM67R6Y%3D&redirect_uri=http%3A%2F%2Flocalhost%3A5000%2Fv3%2FOS-FEDERATION%2Fredirect
[Tue Jun 10 02:09:21.159834 2014] [authz_core:debug] [pid 10714:tid 140183544784640] mod_authz_core.c(802): [client 127.0.0.1:48933] AH01626: authorization result of Require all granted: granted
[Tue Jun 10 02:09:21.159932 2014] [authz_core:debug] [pid 10714:tid 140183544784640] mod_authz_core.c(802): [client 127.0.0.1:48933] AH01626: authorization result of : granted
[Tue Jun 10 02:09:21.160023 2014] [authz_core:debug] [pid 10714:tid 140183544784640] mod_authz_core.c(802): [client 127.0.0.1:48933] AH01626: authorization result of Require all granted: granted
[Tue Jun 10 02:09:21.160057 2014] [authz_core:debug] [pid 10714:tid 140183544784640] mod_authz_core.c(802): [client 127.0.0.1:48933] AH01626: authorization result of : granted