Uploaded image for project: 'RHEL'
  1. RHEL
  2. RHEL-3335

mod_auth_openidc discovery response prevented by mod_proxy

XMLWordPrintable

    • Icon: Bug Bug
    • Resolution: Unresolved
    • Icon: Minor Minor
    • None
    • rhel-8.8.0
    • mod_auth_openidc
    • sst_idm_sssd
    • ssg_idm
    • False
    • Hide

      None

      Show
      None
    • If docs needed, set a value

      Description of problem:

      oidc_content_handler is not called to generate a discovery response if a ProxyPass matches the request.

      Version-Release number of selected component (if applicable):

      How reproducible:

      Always with default configs loading mod_proxy before mod_auth_openidc

      Steps to Reproduce:
      1. Configure mod_auth_openidc and mod_proxy together something like below:

      OIDCMetadataDir /var/cache/httpd/mod_auth_openidc/metadata
      OIDCSSLValidateServer Off

      OIDCRedirectURI is a vanity URL that must point to a path protected by this module but must NOT point to any content
      OIDCRedirectURI http://localhost/protected
      OIDCCryptoPassphrase somepassword
      OIDCClaimPrefix "PREFIX_"

      <Location /protected>
      AuthType openid-connect
      Require valid-user
      </Location>

      <Location /helloworld>
      OIDCDiscoverURL http://localhost/protected?iss=https%3A%2F%2Flocalhost%2F
      AuthType openid-connect
      Require claim accessAllowed:true
      ProxyPreserveHost on
      ProxyPass http://localhost:8080/helloworld disablereuse=On
      ProxyPassReverse http://localhost:8080/helloworld
      </Location>

      2. Attempt a /helloworld request

      Actual results:

      mod_auth_openidc defers the discovery response to be given during the handler hook:

      [Thu May 18 11:46:05.017987 2023] [auth_openidc:debug] [pid 121870:tid 140413968389888] src/mod_auth_openidc.c(2277): [client 127.0.0.1:44966] oidc_authenticate_user: enter
      [Thu May 18 11:46:05.017989 2023] [auth_openidc:debug] [pid 121870:tid 140413968389888] src/mod_auth_openidc.c(2288): [client 127.0.0.1:44966] oidc_authenticate_user: defer discovery to the content handler
      [Thu May 18 11:46:05.017993 2023] [auth_openidc:debug] [pid 121870:tid 140413968389888] src/mod_auth_openidc.c(4045): [client 127.0.0.1:44966] oidc_authz_checker: enter: require_args="accessAllowed:true"
      [Thu May 18 11:46:05.017996 2023] [authz_core:debug] [pid 121870:tid 140413968389888] mod_authz_core.c(820): [client 127.0.0.1:44966] AH01626: authorization result of Require claim accessAllowed:true: granted
      [Thu May 18 11:46:05.017999 2023] [authz_core:debug] [pid 121870:tid 140413968389888] mod_authz_core.c(820): [client 127.0.0.1:44966] AH01626: authorization result of <RequireAny>: granted

      But mod_proxy handles the request first in the hook handler phase so mod_auth_openidc does not process it:

      [Thu May 18 11:46:05.018020 2023] [proxy:debug] [pid 121870:tid 140413968389888] mod_proxy.c(1265): [client 127.0.0.1:44966] AH01143: Running scheme http handler (attempt 0)
      [Thu May 18 11:46:05.018024 2023] [proxy_ajp:debug] [pid 121870:tid 140413968389888] mod_proxy_ajp.c(764): [client 127.0.0.1:44966] AH00894: declining URL http://localhost/helloworld/
      [Thu May 18 11:46:05.018027 2023] [proxy_fcgi:debug] [pid 121870:tid 140413968389888] mod_proxy_fcgi.c(1021): [client 127.0.0.1:44966] AH01076: url: http://localhost/helloworld/ proxyname: (null) proxyport: 0
      [Thu May 18 11:46:05.018030 2023] [proxy_fcgi:debug] [pid 121870:tid 140413968389888] mod_proxy_fcgi.c(1024): [client 127.0.0.1:44966] AH01077: declining URL http://localhost/helloworld/
      [Thu May 18 11:46:05.018041 2023] [proxy:debug] [pid 121870:tid 140413968389888] proxy_util.c(2353): AH00942: HTTP: has acquired connection for (localhost)
      [Thu May 18 11:46:05.018045 2023] [proxy:debug] [pid 121870:tid 140413968389888] proxy_util.c(2408): [client 127.0.0.1:44966] AH00944: connecting http://localhost/helloworld/ to localhost:80
      [Thu May 18 11:46:05.018204 2023] [proxy:debug] [pid 121870:tid 140413968389888] proxy_util.c(2634): [client 127.0.0.1:44966] AH00947: connected /helloworld/ to localhost:80
      [Thu May 18 11:46:05.018283 2023] [proxy:debug] [pid 121870:tid 140413968389888] proxy_util.c(3095): (13)Permission denied: AH00957: HTTP: attempt to connect to 127.0.0.1:80 (localhost) failed
      [Thu May 18 11:46:05.018326 2023] [proxy:error] [pid 121870:tid 140413968389888] (13)Permission denied: AH00957: HTTP: attempt to connect to 127.0.0.1:80 (localhost) failed
      [Thu May 18 11:46:05.018333 2023] [proxy_http:error] [pid 121870:tid 140413968389888] [client 127.0.0.1:44966] AH01114: HTTP: failed to make connection to backend: localhost

      Expected results:

      discovery response comes from mod_auth_openidc in the handler hook:

      [Thu May 18 11:50:44.614402 2023] [auth_openidc:debug] [pid 122794:tid 140048650852096] src/util.c(626): [client 127.0.0.1:58214] oidc_get_current_url: current URL 'http://localhost/helloworld/'
      [Thu May 18 11:50:44.614404 2023] [auth_openidc:debug] [pid 122794:tid 140048650852096] src/mod_auth_openidc.c(2277): [client 127.0.0.1:58214] oidc_authenticate_user: enter
      [Thu May 18 11:50:44.614407 2023] [auth_openidc:debug] [pid 122794:tid 140048650852096] src/mod_auth_openidc.c(2288): [client 127.0.0.1:58214] oidc_authenticate_user: defer discovery to the content handler
      [Thu May 18 11:50:44.614413 2023] [auth_openidc:debug] [pid 122794:tid 140048650852096] src/mod_auth_openidc.c(4045): [client 127.0.0.1:58214] oidc_authz_checker: enter: require_args="accessAllowed:true"
      [Thu May 18 11:50:44.614416 2023] [authz_core:debug] [pid 122794:tid 140048650852096] mod_authz_core.c(820): [client 127.0.0.1:58214] AH01626: authorization result of Require claim accessAllowed:true: granted
      [Thu May 18 11:50:44.614418 2023] [authz_core:debug] [pid 122794:tid 140048650852096] mod_authz_core.c(820): [client 127.0.0.1:58214] AH01626: authorization result of <RequireAny>: granted
      [Thu May 18 11:50:44.614447 2023] [auth_openidc:debug] [pid 122794:tid 140048650852096] src/util.c(1388): [client 127.0.0.1:58214] oidc_util_request_matches_url: comparing "/helloworld/"=="/protected"
      [Thu May 18 11:50:44.614455 2023] [auth_openidc:debug] [pid 122794:tid 140048650852096] src/mod_auth_openidc.c(2120): [client 127.0.0.1:58214] oidc_discovery: enter
      [Thu May 18 11:50:44.614459 2023] [auth_openidc:debug] [pid 122794:tid 140048650852096] src/util.c(2521): [client 127.0.0.1:58214] oidc_util_hdr_in_get: Host=localhost
      [Thu May 18 11:50:44.614462 2023] [auth_openidc:debug] [pid 122794:tid 140048650852096] src/util.c(2521): [client 127.0.0.1:58214] oidc_util_hdr_in_get: Host=localhost
      [Thu May 18 11:50:44.614466 2023] [auth_openidc:debug] [pid 122794:tid 140048650852096] src/util.c(626): [client 127.0.0.1:58214] oidc_get_current_url: current URL 'http://localhost/helloworld/'
      [Thu May 18 11:50:44.614471 2023] [auth_openidc:debug] [pid 122794:tid 140048650852096] src/proto.c(75): [client 127.0.0.1:58214] oidc_proto_generate_random_bytes: apr_generate_random_bytes call for 8 bytes
      [Thu May 18 11:50:44.614534 2023] [auth_openidc:debug] [pid 122794:tid 140048650852096] src/proto.c(77): [client 127.0.0.1:58214] oidc_proto_generate_random_bytes: apr_generate_random_bytes returned
      [Thu May 18 11:50:44.614594 2023] [auth_openidc:debug] [pid 122794:tid 140048650852096] src/mod_auth_openidc.c(2158): [client 127.0.0.1:58214] oidc_discovery: redirecting to external discovery page: http://localhost/protected?iss=https%3A%2F%2Flocalhost%2Fauth%2Frealms%2FInternalApps&target_link_uri=http%3A%2F%2Flocalhost%2Fhelloworld%2F&method=get&oidc_callback=http%3A%2F%2Flocalhost%2Fprotected&x_csrf=HuH603-hy8w
      [Thu May 18 11:50:44.614600 2023] [auth_openidc:debug] [pid 122794:tid 140048650852096] src/util.c(1112): [client 127.0.0.1:58214] oidc_util_set_cookie_append_value: no cookie append environment variable OIDC_SET_COOKIE_APPEND found
      [Thu May 18 11:50:44.614608 2023] [auth_openidc:debug] [pid 122794:tid 140048650852096] src/util.c(2599): [client 127.0.0.1:58214] oidc_util_hdr_err_out_add: Set-Cookie: x_csrf=HuH603-hy8w; Path=/; HttpOnly
      [Thu May 18 11:50:44.614612 2023] [auth_openidc:debug] [pid 122794:tid 140048650852096] src/util.c(2577): [client 127.0.0.1:58214] oidc_util_hdr_table_set: Location: http://localhost/protected?iss=https%3A%2F%2Flocalhost%2Fauth&target_link_uri=http%3A%2F%2Flocalhost%2Fhelloworld%2F&method=get&oidc_callback=http%3A%2F%2Flocalhost%2Fprotected&x_csrf=HuH603-hy8w

      Additional info:

      The oidc response should come from the oidc_content_handler while the proxied response would come from the proxy_handler. Checking source of these modules show the oidc_content_handler registered as APR_HOOK_FIRST:

      https://github.com/OpenIDC/mod_auth_openidc/blob/v2.4.9.4/src/config.c#L2726

      And so is the proxy_handler:

      https://github.com/apache/httpd/blob/trunk/modules/proxy/mod_proxy.c#L3463

      So a workaround is to adjust the proxy conf files so that those module files are loaded after /etc/httpd/conf.modules.d/10-auth_openidc.conf and mod_auth_openidc is then called before mod_proxy in the handler hook phase:

      $ mv /etc/httpd/conf.modules.d/00-proxy.conf /etc/httpd/conf.modules.d/20-proxy.conf
      $ mv /etc/httpd/conf.modules.d/10-proxy_h2.conf /etc/httpd/conf.modules.d/30-proxy_h2.conf

      Would we consider adjusting the order between the mod_auth_openidc and proxy conf files loading these modules? Or switching mod_auth_openidc to be earlier as APR_HOOK_REALLY_FIRST in the handler hook?

            thalman@redhat.com Tomas Halman
            rhn-support-aogburn Aaron Ogburn
            Tomas Halman Tomas Halman
            SSSD QE SSSD QE
            Votes:
            0 Vote for this issue
            Watchers:
            4 Start watching this issue

              Created:
              Updated: