Apache2 OIDC and reverse proxy for tomcat application

[aashishagarwal]

We are trying to integrate Apache2 OIDC with Forgerock .
And we have several java/.net app where requests will be proxied based on the path.

I have tried lot of things but not able to make this work. I am confused about RedirectURI, not sure what that url should be, it should HTTP header 204 (No content) or a not valid URL which doesn't exist.

My config is available below,
Apache running on 80
Tomcat running on 8080 context path /test
when I hit http://host-ip/test , it goes to forgerock and get authenticated and comes back to redirect url
request flow :

1. GET http://<host-ip>/test status code 302
2. GET http://<forgerock> with redirect uri and client id status code 302
3. After authentication at forgerock, GET - http://<host-ip>/test/callback status code 200
4. Another request, POST - http://<host-ip>/test/callback status code 500

There is no real url exist which can return 200 on http://<host-ip>/test/callback
on tomcat following paths are available : /test, /test/hello, /test/listHeaders

Apache Config

`<VirtualHost *:80>
ServerAdmin webmaster@localhost
DocumentRoot /var/www/html

    ErrorLog ${APACHE_LOG_DIR}/error.log
    LogLevel warn
    CustomLog ${APACHE_LOG_DIR}/access.log combined
   
    LoadModule auth_openidc_module  /usr/lib/apache2/modules/mod_auth_openidc.so
    OIDCProviderMetadataURL https://<foregorck>/fgram/oauth2/.well-known/openid-configuration

    OIDCProviderJwksUri https://<foregorck>/fgram/oauth2/connect/jwk_uri
    OIDCOutgoingProxy <proxy_host:proxy_port>
    OIDCClientID <client_id>
    OIDCClientSecret <secret>
    # OIDCRedirectURI is a vanity URL that must point to a path protected by this module but must NOT point to any content
    OIDCRedirectURI http://<host-ip>/test/callback
    OIDCCryptoPassphrase secret

    OIDCScope "profile openid groups"

    <Location />
        AuthType openid-connect
        <LimitExcept OPTIONS>
            AuthType openid-connect
            Require valid-user
        </LimitExcept>
    </Location>
    <Location /test>
        AuthType openid-connect
        <LimitExcept OPTIONS>
            AuthType openid-connect
            Require valid-user
        </LimitExcept>
        ProxyPreserveHost On
        ProxyPass http://<host-ip>:8080/test/
        ProxyPassReverse http://<host-ip>:8080/test/
        LogLevel Debug
    </Location>

`

Logs

[Fri Sep 08 19:14:42.929124 2023] [auth_openidc:debug] [pid 3698019] src/util.c(1529): [client 10.79.2.126:19949] oidc_util_read_form_encoded_params: read: state=uyWkhnelk99fFnyRj9TMTRi0s, referer: http://10.73.101.92/test
[Fri Sep 08 19:14:42.929168 2023] [auth_openidc:debug] [pid 3698019] src/util.c(1529): [client 10.79.2.126:19949] oidc_util_read_form_encoded_params: read: token_type=Bearer, referer: http://10.73.101.92/test
[Fri Sep 08 19:14:42.929188 2023] [auth_openidc:debug] [pid 3698019] src/util.c(1529): [client 10.79.2.126:19949] oidc_util_read_form_encoded_params: read: expires_in=3599, referer: http://10.73.101.92/test
[Fri Sep 08 19:14:42.929196 2023] [auth_openidc:debug] [pid 3698019] src/util.c(1533): [client 10.79.2.126:19949] oidc_util_read_form_encoded_params: parsed: 1847 bytes into 7 elements, referer: http://10.73.101.92/test
[Fri Sep 08 19:14:42.929213 2023] [auth_openidc:debug] [pid 3698019] src/mod_auth_openidc.c(2036): [client 10.79.2.126:19949] oidc_handle_authorization_response: enter, response_mode=fragment, referer: http://10.73.101.92/test
[Fri Sep 08 19:14:42.929220 2023] [auth_openidc:debug] [pid 3698019] src/mod_auth_openidc.c(1667): [client 10.79.2.126:19949] oidc_authorization_response_match_state: enter (state=uyWkhnelk99fFnyRj9TMTRi0s), referer: http://10.73.101.92/test
[Fri Sep 08 19:14:42.929226 2023] [auth_openidc:debug] [pid 3698019] src/mod_auth_openidc.c(805): [client 10.79.2.126:19949] oidc_restore_proto_state: enter, referer: http://10.73.101.92/test
[Fri Sep 08 19:14:42.929234 2023] [auth_openidc:debug] [pid 3698019] src/util.c(1054): [client 10.79.2.126:19949] oidc_util_get_cookie: returning "mod_auth_openidc_state_uyWkhnelk99fFnyRj9TMTRi0s" = , referer: http://10.73.101.92/test
[Fri Sep 08 19:14:42.929246 2023] [auth_openidc:error] [pid 3698019] [client 10.79.2.126:19949] oidc_restore_proto_state: no "mod_auth_openidc_state_uyWkhnelk99fFnyRj9TMTRi0s" state cookie found, referer: http://10.73.101.92/test
[Fri Sep 08 19:14:42.929255 2023] [auth_openidc:warn] [pid 3698019] [client 10.79.2.126:19949] oidc_proto_peek_jwt_header: could not parse first element separated by "." from input, referer: http://10.73.101.92/test
[Fri Sep 08 19:14:42.929267 2023] [auth_openidc:debug] [pid 3698019] src/mod_auth_openidc.c(537): [client 10.79.2.126:19949] oidc_unsolicited_proto_state: enter: state header=(null), referer: http://10.73.101.92/test
[Fri Sep 08 19:14:42.929354 2023] [auth_openidc:debug] [pid 3698019] src/util.c(2098): [client 10.79.2.126:19949] oidc_util_create_symmetric_key: key_len=32, referer: http://10.73.101.92/test
[Fri Sep 08 19:14:42.929397 2023] [auth_openidc:error] [pid 3698019] [client 10.79.2.126:19949] oidc_unsolicited_proto_state: could not parse JWT from state: invalid unsolicited response: [src/jose.c:754: oidc_jwt_parse]: cjose_jws_import failed: invalid argument [file: jws.c, function: cjose_jws_import, line: 781], referer: http://10.73.101.92/test
[Fri Sep 08 19:14:42.929405 2023] [auth_openidc:error] [pid 3698019] [client 10.79.2.126:19949] oidc_authorization_response_match_state: unable to restore state, referer: http://10.73.101.92/test
[Fri Sep 08 19:14:42.929409 2023] [auth_openidc:error] [pid 3698019] [client 10.79.2.126:19949] oidc_handle_authorization_response: invalid authorization response state and no default SSO URL is set, sending an error..., referer: http://10.73.101.92/test

can someone please help me to understand what's incorrect in this whole flow. What should be my redirectURI in this case.

[Rodlee955i]

You should use a URI path that does NOT contain data or is used by the users or app - e.g. /redirect_uri relative paths are accepted in the conf file.

[aashishagarwal]

what does that mean, not contain data.. what that url should return empty html with response code 200

[Rodlee955i]

I agree it sounds like it doesnt make sense but that's the way it works - see below from the auth_openidc_conf file on a RHEL 8 Apache server - this works for me.

(Mandatory)

The redirect_uri for this OpenID Connect client; this is a vanity URL

that must ONLY point to a path on your server protected by this module

but it must NOT point to any actual content that needs to be served.

You can use a relative URL like /protected/redirect_uri if you want to

support multiple vhosts that belong to the same security domain in a dynamic way

OIDCRedirectURI /redirect

[Rodlee955i]

It also looks like the config file does not like an IP address in the redirect uri [Fri Sep 08 19:14:42.929255 2023] [auth_openidc:warn] [pid 3698019] [client 10.79.2.126:19949] oidc_proto_peek_jwt_header: could not parse first element separated by "." from input, referer: http://10.73.101.92/test - try putting in a relative OIDCRedirectURI /test/callback failing that try using the host name - use hosts file entries if you dont have DNS resolution of the host name. My /redirect does not contain anything i.e. it is empty. I don't think OpenID uses the full path for the redirect, it simply needs to get back to the host making the request, why it works like this instead of using something that makes sense I don't know.