Topic: OIDC fallback authentication
ApacheUser1212123
Joined: 22 Feb 2021 Posts: 7
Posted: Mon 21 Jun '21 17:48 Post subject: OIDC fallback authentication
Hey,
I'm trying to configure my Apache httpd for OIDC authentication, which works well. But I ran into an issue trying to allow requests to pass even if the authentication failed.
I have a simple OIDC configuration that looks like this:
Code:
<Location /my_routr/>
    AuthType openid-connect
    Require valid-user
    # Set some headers
    ProxyPass my_server
</Location>
I'm trying to make httpd try to authenticate using OIDC and use the result as headers, but if the OIDC authentication fails, to pass the request anyway without the headers.
Is there a way to do that?
Thanks.

tangent Moderator
Joined: 16 Aug 2020 Posts: 348 Location: UK
Posted: Mon 21 Jun '21 21:28 Post subject:
Tricky; authenticated and unauthenticated.
You could try using a <RequireAny> block directive to allow more than one class of user within your location block, viz:
Code:
<RequireAny>
    Require valid-user
    Require all granted
</RequireAny>
Then, since the OIDC module should set REMOTE_USER to something for valid users, you might be able to use RequestHeader directives to conditionally set additional headers for them, viz:
Code:
RequestHeader set SomeHeader SomeValue expr=%{REMOTE_USER}
(Check the RequestHeader syntax here https://httpd.apache.org/docs/current/mod/mod_headers.html#requestheader)
Unfortunately, you can't use <If> block directives to check for %{REMOTE_USER}, since they get evaluated before the authentication modules run.
I've not tried this, so let us know if it works as you want.

ApacheUser1212123
Joined: 22 Feb 2021 Posts: 7
Posted: Tue 22 Jun '21 9:07 Post subject:
Do you mean it should look like this?
Code:
<LocationMatch "/route">
    <RequireAny>
        Require valid-user
        Require all granted
    </RequireAny>
    RequestHeader set SomeHeader SomeValue expr=%{REMOTE_USER}
    ProxyPass ...
</LocationMatch>
This didn't work. I keep getting "forbidden 403"; it looks like it's still trying to go through OIDC.
tangent Moderator
Joined: 16 Aug 2020 Posts: 348 Location: UK
Posted: Tue 22 Jun '21 21:08 Post subject:
Hmm - I would have expected that to work, since <RequireAny> should succeed if any of the enclosed Require directives do.
Is it any different if you reverse the order of the two Require directives (even though that should make no difference)?
Also, does your configuration have any authorization logic for preceding parts of the site (<Directory> or <Location> entries)? In that case the AuthMerging directive might be relevant.
This issue might be down to some AUTHZ vagary of the OIDC module, but maybe juggling the order of parts of your configuration may help.
Sorry, I can't think of anything else over this problem.