Extra query parameter in ADFS Implicit authorization response results in "invalid request"

[trantor]

Hello everyone.

I am setting up OIDC authentication against an AD FS system handled by a third party.
Apparently the redirection after a successful authentication on AD FS adds a client-request-id query parameter which is unexpected and results in logs such as the following and a failed authentication overall.

oidc_handle_redirect_uri_request: The OpenID Connect callback URL received an invalid request: client-request-id=86810e18-2dda-40ef-bc05-0080000000ff; returning HTTP_INTERNAL_SERVER_ERROR

I've noticed somebody reporting a similar problem, although apparently with SAML.

Since I have little hope in having this fixed this on the AD FS side, is there a way to ignore/remove certain query parameters from the redirected call? I am not sure whether this can be achieved via processing through Apache, but I have the feeling that the authentication module might process the request before going through other modules.

Thanks in advance

[zandbelt]

if it were just an additional parameter on a regular authorization response, it would just be ignored; however this does not seem to be a "normal" authorization response that contains code and `state parameters; please follow https://github.com/zmartzone/mod_auth_openidc/wiki/Azure-Active-Directory-Authentication

[trantor]

I don't see any difference of note between my configuration and that mentioned in the wiki.

  OIDCProviderMetadataURL "https://PROVIDER/adfs/.well-known/openid-configuration"
  OIDCRedirectURI "https://FQDN/secure/redirect_uri"
  OIDCClientID "WHATEVER"
  OIDCClientSecret "WHATEVER"
  OIDCCryptoPassphrase "exec:/bin/bash -c \"head /dev/urandom | tr -dc A-Za-z0-9 | head -c 32\""
  OIDCRemoteUserClaim "upn"
  OIDCResponseType "id_token"
  OIDCXForwardedHeaders X-Forwarded-Host X-Forwarded-Port X-Forwarded-Proto
  OIDCDefaultURL "https://FQDN"
  OIDCCookieSameSite On
  OIDCStateInputHeaders none
  OIDCSessionInactivityTimeout 43200
  OIDCSessionMaxDuration 43200

I already used a similar configuration before with an Azure AD tenant without issues.
The all-caps strings are placeholders for the actual strings.

[trantor]

The URL I get is, for instance,

https://FQDN/secure/redirect_uri?client-request-id=29bf3a90-fae1-4115-b505-0080000000ff#id_token=eyJ0eXAiOiJKV1QiLCJhbGciOiJ[...]

[zandbelt]

remove OIDCResponseType "id_token"

[trantor]

@zandbelt thank you a bunch :D

[zandbelt]

technically mod_auth_openidc could/may handle this better, but it would result in either an ADFS specific fix, or assuming that every "unknown request" to the redirect URI is an Implicit grant response, which is not great either; since Implicit is deprecated and should not be used for web clients like mod_auth_openidc, I prefer to leave things as it is and have this Discussion for future reference