Access_Token & Redirect URI

[citestsco]

Hi,

I'm kinda newbie with mod_auth_openidc capabilities & operations.
I am running traefik as a reversed proxy and apache2 with mod_auth_openidc integrated with keycloak.

I want to pass the jwt token encrypted from my front end to my back end .
The issue is that everytime i try to save the ENV variable of OIDC_access_token into my custom env variable its eventually saved as NULL ... Therefor i cannot pass the ENV via the apache2 configuration file to my custom script which encrypts the JWT and saves it as a cookie.

I've tried to combine the mod_auth_openidc redirect_uri flow with a "background" redirect to my script without any success too....

The only thing that is working is to pass the OIDC ENV variables as is in a cookie without changing/saving the variables as custom
ENV vars....
I've tried to use RewriteMap in order to run a php script that will do all the process but still failed , the redirect_uri is not "touchable" in the mod_auth_openidc end flow.

Have anyone experienced this kind of problem ? .
Would appreciate for any suggestions to achieve this goal....

[zandbelt]

my guess is that you need to prefix the variable with REDIRECT_ in your scrips, see https://stackoverflow.com/questions/3050444/when-setting-environment-variables-in-apache-rewriterule-directives-what-causes

about the JWT, it seems you could use OIDCPassUserInfoAs signed_jwt https://github.com/OpenIDC/mod_auth_openidc/blob/v2.4.14.2/auth_openidc.conf#L817-L827

[citestsco]

Thanks for the fast response!.
To sign the JWT its a good idea in order to confirm the JWT is not tempered, however my need to encrypt the JWT and not only sign it.

About the issue with "copying" the OIDC_access_token value to a custom ENV variable still aint working, eventually in the end the custom ENV has no value inside... only NULL.
Tried multiple diff RewriteRules within it.
Any other suggestions maybe?

Appreciate you help!!!

[zandbelt]

the access token should be in the REDIRECT_OIDC_access_token environment variable in the script. no need for any rewrite map/rule etc.

[citestsco]

The thing is i don't access the ENV via any script , i pass the variable via apache configuration using Rewrite rules cause my frontend is react code....
This is why i need to encrypt the JWT token so i can pass it forward to the react side.
and the OIDC_access_token is always available in the ENV variables , did not experience the behavior that is explained in the article.
What i experience is the following flow:

1. User is sucessfully authenticated and mod_auth_openidc saves the JWT received from the IDP into OIDC_access_token
2. I create new custom ENV variable.
3. Saving OIDC_access_token to the custom ENV variable.
4. Presenting the custom ENV variable via cookie/header but the result is NULL.
5. running php file that prints all $_SERVER key&value pairs & custom ENV Variable but still no results , the value of the OIDC_access_token is not saved to any other ENV variable.

therefor i am trying to figure out if there is an option to add custom process to the redirect_uri process in the end of the SSO flow or somehow to pass the OIDC_access_token value forward to a script/custom ENV variable.

sorry for writing too much.

[zandbelt]

don't do that, use https://github.com/OpenIDC/mod_auth_openidc/wiki/Single-Page-Applications

[citestsco]

Thank you very much!
I'll use it.
Appreciate your help.