mod_auth_openidc discovery response is broken with matching ProxyPass enabled

Solution Unverified - Updated -

Issue

  • If a ProxyPass directive matches a request, the client does not receive the discovery response from mod_auth_openidc as expected. mod_auth_openidc works correctly if the ProxyPass is disabled. The debug logs show that mod_auth_openidc defers sending the discovery response to the content handler hook:
[Thu May 18 11:46:05.017987 2023] [auth_openidc:debug] [pid 121870:tid 140413968389888] src/mod_auth_openidc.c(2277): [client 127.0.0.1:44966] oidc_authenticate_user: enter
[Thu May 18 11:46:05.017989 2023] [auth_openidc:debug] [pid 121870:tid 140413968389888] src/mod_auth_openidc.c(2288): [client 127.0.0.1:44966] oidc_authenticate_user: defer discovery to the content handler
[Thu May 18 11:46:05.017993 2023] [auth_openidc:debug] [pid 121870:tid 140413968389888] src/mod_auth_openidc.c(4045): [client 127.0.0.1:44966] oidc_authz_checker: enter: require_args="accessAllowed:true"
[Thu May 18 11:46:05.017996 2023] [authz_core:debug] [pid 121870:tid 140413968389888] mod_authz_core.c(820): [client 127.0.0.1:44966] AH01626: authorization result of Require claim accessAllowed:true: granted
[Thu May 18 11:46:05.017999 2023] [authz_core:debug] [pid 121870:tid 140413968389888] mod_authz_core.c(820): [client 127.0.0.1:44966] AH01626: authorization result of <RequireAny>: granted
  • But mod_proxy runs first in the handler hook phase and takes the request, so the mod_auth_openidc content handler never processes it:
[Thu May 18 11:46:05.018020 2023] [proxy:debug] [pid 121870:tid 140413968389888] mod_proxy.c(1265): [client 127.0.0.1:44966] AH01143: Running scheme http handler (attempt 0)
[Thu May 18 11:46:05.018024 2023] [proxy_ajp:debug] [pid 121870:tid 140413968389888] mod_proxy_ajp.c(764): [client 127.0.0.1:44966] AH00894: declining URL http://localhost/helloworld/
[Thu May 18 11:46:05.018027 2023] [proxy_fcgi:debug] [pid 121870:tid 140413968389888] mod_proxy_fcgi.c(1021): [client 127.0.0.1:44966] AH01076: url: http://localhost/helloworld/ proxyname: (null) proxyport: 0
[Thu May 18 11:46:05.018030 2023] [proxy_fcgi:debug] [pid 121870:tid 140413968389888] mod_proxy_fcgi.c(1024): [client 127.0.0.1:44966] AH01077: declining URL http://localhost/helloworld/
[Thu May 18 11:46:05.018041 2023] [proxy:debug] [pid 121870:tid 140413968389888] proxy_util.c(2353): AH00942: HTTP: has acquired connection for (localhost)
[Thu May 18 11:46:05.018045 2023] [proxy:debug] [pid 121870:tid 140413968389888] proxy_util.c(2408): [client 127.0.0.1:44966] AH00944: connecting http://localhost/helloworld/ to localhost:80
[Thu May 18 11:46:05.018204 2023] [proxy:debug] [pid 121870:tid 140413968389888] proxy_util.c(2634): [client 127.0.0.1:44966] AH00947: connected /helloworld/ to localhost:80
[Thu May 18 11:46:05.018283 2023] [proxy:debug] [pid 121870:tid 140413968389888] proxy_util.c(3095): (13)Permission denied: AH00957: HTTP: attempt to connect to 127.0.0.1:80 (localhost) failed
[Thu May 18 11:46:05.018326 2023] [proxy:error] [pid 121870:tid 140413968389888] (13)Permission denied: AH00957: HTTP: attempt to connect to 127.0.0.1:80 (localhost) failed
[Thu May 18 11:46:05.018333 2023] [proxy_http:error] [pid 121870:tid 140413968389888] [client 127.0.0.1:44966] AH01114: HTTP: failed to make connection to backend: localhost
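As an added diagnostic example (not part of the Red Hat article), the following Python script parses Apache error_log lines in the LogLevel debug format shown above and reports, per worker thread, whether mod_auth_openidc deferred discovery to its content handler and mod_proxy's handler (AH01143, "Running scheme ... handler") then ran on the same thread. The marker strings and the AH01143 code are taken from the log above; the sample lines are copied from this article, and the function names are this example's own.

```python
import re
from collections import defaultdict

# Apache error_log line format at LogLevel debug:
#   [timestamp] [module:level] [pid N:tid N] message
# Some lines (e.g. proxy_util.c) carry no "[client ...]" prefix, so the message is left free-form.
LOG_RE = re.compile(
    r"^\[(?P<ts>[^\]]+)\] \[(?P<module>[^:\]]+):(?P<level>[^\]]+)\] "
    r"\[pid (?P<pid>\d+):tid (?P<tid>\d+)\] (?P<msg>.*)$"
)

# Markers taken from the article's log excerpt.
DEFER_MARKER = "defer discovery to the content handler"   # mod_auth_openidc postponed discovery
PROXY_HANDLER_MARKER = "AH01143"                          # mod_proxy's handler took the request

# Sample input: lines copied from the article above (one worker thread).
SAMPLE_LOG = """[Thu May 18 11:46:05.017989 2023] [auth_openidc:debug] [pid 121870:tid 140413968389888] src/mod_auth_openidc.c(2288): [client 127.0.0.1:44966] oidc_authenticate_user: defer discovery to the content handler
[Thu May 18 11:46:05.017996 2023] [authz_core:debug] [pid 121870:tid 140413968389888] mod_authz_core.c(820): [client 127.0.0.1:44966] AH01626: authorization result of Require claim accessAllowed:true: granted
[Thu May 18 11:46:05.018020 2023] [proxy:debug] [pid 121870:tid 140413968389888] mod_proxy.c(1265): [client 127.0.0.1:44966] AH01143: Running scheme http handler (attempt 0)
[Thu May 18 11:46:05.018041 2023] [proxy:debug] [pid 121870:tid 140413968389888] proxy_util.c(2353): AH00942: HTTP: has acquired connection for (localhost)
[Thu May 18 11:46:05.018326 2023] [proxy:error] [pid 121870:tid 140413968389888] (13)Permission denied: AH00957: HTTP: attempt to connect to 127.0.0.1:80 (localhost) failed
[Thu May 18 11:46:05.018333 2023] [proxy_http:error] [pid 121870:tid 140413968389888] [client 127.0.0.1:44966] AH01114: HTTP: failed to make connection to backend: localhost"""


def parse(lines):
    """Parse error_log lines into dicts; lines that do not match the format are skipped."""
    records = []
    for line in lines:
        m = LOG_RE.match(line.rstrip("\n"))
        if m:
            records.append(m.groupdict())
    return records


def find_proxy_preemption(lines):
    """Return one finding per worker thread on which mod_auth_openidc deferred discovery
    and mod_proxy's handler subsequently ran, i.e. the proxy handler pre-empted the
    deferred discovery response."""
    by_tid = defaultdict(list)
    for rec in parse(lines):
        by_tid[rec["tid"]].append(rec)      # log order is preserved within a thread

    findings = []
    for tid, recs in by_tid.items():
        deferred_at = None
        for rec in recs:
            if rec["module"] == "auth_openidc" and DEFER_MARKER in rec["msg"]:
                deferred_at = rec["ts"]
            elif deferred_at and rec["module"] == "proxy" and PROXY_HANDLER_MARKER in rec["msg"]:
                findings.append({
                    "tid": tid,
                    "deferred_at": deferred_at,
                    "proxied_at": rec["ts"],
                    "proxy_msg": rec["msg"],
                })
                break                       # one finding per thread is enough
    return findings


if __name__ == "__main__":
    for f in find_proxy_preemption(SAMPLE_LOG.splitlines()):
        print(f"tid {f['tid']}: discovery deferred at {f['deferred_at']}, "
              f"but mod_proxy handled the request at {f['proxied_at']}: {f['proxy_msg']}")
```

Run it against a full error_log (`find_proxy_preemption(open("error_log"))`) to confirm that the symptom described above, rather than the backend connection failure alone, is what the log shows: a thread that deferred discovery and then logged AH01143 never reached the mod_auth_openidc content handler.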

Environment

  • Red Hat Enterprise Linux (RHEL)
  • Apache httpd
  • mod_auth_openidc
