Internal Server Error after authenticating

[JonEasy]

Hi,
I am relatively new to authentication in apache and trying to start my journey by adding a simple configuration to a mere index.html page. However, I am facing an issue while trying to parse the JWT token.

The current error that I get from the browser is
The server encountered an internal error or misconfiguration and was unable to complete your request

While looking at the error logs I get

[Fri Jan 12 12:36:37.390212 2024] [authz_core:debug] [pid 12788:tid 140700226148096] mod_authz_core.c(817): [client ::1:52856] AH01626: authorization result of Require valid-user : denied (no authenticated user yet), referer: https://myauthenticator.com/
[Fri Jan 12 12:36:37.390244 2024] [authz_core:debug] [pid 12788:tid 140700226148096] mod_authz_core.c(817): [client ::1:52856] AH01626: authorization result of <RequireAny>: denied (no authenticated user yet), referer: https://myauthenticator.com/
[Fri Jan 12 12:36:37.390250 2024] [auth_openidc:debug] [pid 12788:tid 140700226148096] src/mod_auth_openidc.c(3917): [client ::1:52856] oidc_check_user_id: incoming request: "/auth/callback?code=JuOGdWmccXNK69cv48OquJ7YXWj15_PvDRZRqsoW&state=k9J4DJC6qAF3EmKO-ZMvtyiCIr0", ap_is_initial_req(r)=1, referer: https://myauthenticator.com/
[Fri Jan 12 12:36:37.390257 2024] [auth_openidc:debug] [pid 12788:tid 140700226148096] src/util.c(1054): [client ::1:52856] oidc_util_get_cookie: returning "mod_auth_openidc_session_chunks" = <null>, referer: https://myauthenticator.com/
[Fri Jan 12 12:36:37.390260 2024] [auth_openidc:debug] [pid 12788:tid 140700226148096] src/util.c(1054): [client ::1:52856] oidc_util_get_cookie: returning "mod_auth_openidc_session" = <null>, referer: https://myauthenticator.com/
[Fri Jan 12 12:36:37.390263 2024] [auth_openidc:debug] [pid 12788:tid 140700226148096] src/util.c(1217): [client ::1:52856] oidc_util_request_matches_url: comparing "/auth/callback"=="/auth/callback", referer: https://myauthenticator.com/
[Fri Jan 12 12:36:37.390267 2024] [auth_openidc:debug] [pid 12788:tid 140700226148096] src/mod_auth_openidc.c(2209): [client ::1:52856] oidc_handle_redirect_authorization_response: enter, referer: https://myauthenticator.com/
[Fri Jan 12 12:36:37.390298 2024] [auth_openidc:debug] [pid 12788:tid 140700226148096] src/util.c(1529): [client ::1:52856] oidc_util_read_form_encoded_params: read: code=JuOGdWmccXNK69cv48OquJ7YXWj15_PvDRZRqsoW, referer: https://myauthenticator.com/
[Fri Jan 12 12:36:37.390305 2024] [auth_openidc:debug] [pid 12788:tid 140700226148096] src/util.c(1529): [client ::1:52856] oidc_util_read_form_encoded_params: read: state=k9J4DJC6qAF3EmKO-ZMvtyiCIr0, referer: https://myauthenticator.com/
[Fri Jan 12 12:36:37.390309 2024] [auth_openidc:debug] [pid 12788:tid 140700226148096] src/util.c(1533): [client ::1:52856] oidc_util_read_form_encoded_params: parsed: 79 bytes into 2 elements, referer: https://myauthenticator.com/
[Fri Jan 12 12:36:37.390311 2024] [auth_openidc:debug] [pid 12788:tid 140700226148096] src/mod_auth_openidc.c(2036): [client ::1:52856] oidc_handle_authorization_response: enter, response_mode=query, referer: https://myauthenticator.com/
[Fri Jan 12 12:36:37.390314 2024] [auth_openidc:debug] [pid 12788:tid 140700226148096] src/mod_auth_openidc.c(1667): [client ::1:52856] oidc_authorization_response_match_state: enter (state=k9J4DJC6qAF3EmKO-ZMvtyiCIr0), referer: https://myauthenticator.com/
[Fri Jan 12 12:36:37.390317 2024] [auth_openidc:debug] [pid 12788:tid 140700226148096] src/mod_auth_openidc.c(805): [client ::1:52856] oidc_restore_proto_state: enter, referer: https://myauthenticator.com/
[Fri Jan 12 12:36:37.390320 2024] [auth_openidc:debug] [pid 12788:tid 140700226148096] src/util.c(1054): [client ::1:52856] oidc_util_get_cookie: returning "mod_auth_openidc_state_k9J4DJC6qAF3EmKO-ZMvtyiCIr0" = <null>, referer: https://myauthenticator.com/
[Fri Jan 12 12:36:37.390323 2024] [auth_openidc:error] [pid 12788:tid 140700226148096] [client ::1:52856] oidc_restore_proto_state: no "mod_auth_openidc_state_k9J4DJC6qAF3EmKO-ZMvtyiCIr0" state cookie found, referer: https://myauthenticator.com/
[Fri Jan 12 12:36:37.390326 2024] [auth_openidc:warn] [pid 12788:tid 140700226148096] [client ::1:52856] oidc_proto_peek_jwt_header: could not parse first element separated by "." from input, referer: https://myauthenticator.com/
[Fri Jan 12 12:36:37.390328 2024] [auth_openidc:debug] [pid 12788:tid 140700226148096] src/mod_auth_openidc.c(537): [client ::1:52856] oidc_unsolicited_proto_state: enter: state header=(null), referer: https://myauthenticator.com/
[Fri Jan 12 12:36:37.390343 2024] [auth_openidc:debug] [pid 12788:tid 140700226148096] src/util.c(2098): [client ::1:52856] oidc_util_create_symmetric_key: key_len=32, referer: https://myauthenticator.com/
[Fri Jan 12 12:36:37.390360 2024] [auth_openidc:error] [pid 12788:tid 140700226148096] [client ::1:52856] oidc_unsolicited_proto_state: could not parse JWT from state: invalid unsolicited response: [src/jose.c:754: oidc_jwt_parse]: cjose_jws_import failed: invalid argument [file: jws.c, function: cjose_jws_import, line: 781], referer: https://myauthenticator.com/
[Fri Jan 12 12:36:37.390363 2024] [auth_openidc:error] [pid 12788:tid 140700226148096] [client ::1:52856] oidc_authorization_response_match_state: unable to restore state, referer: https://myauthenticator.com/
[Fri Jan 12 12:36:37.390366 2024] [auth_openidc:error] [pid 12788:tid 140700226148096] [client ::1:52856] oidc_handle_authorization_response: invalid authorization response state and no default SSO URL is set, sending an error..., referer: https://myauthenticator.com/

My configuration file is in triple quotes below :
"""
LoadModule auth_openidc_module /usr/lib/apache2/modules/mod_auth_openidc.so

OIDCProviderMetadataURL https://welll-known/openid-configuration
OIDCRedirectURI http://localhost/auth/callback
OIDCScope "openid profile"
OIDCClientID CLIENT_ID
OIDCClientSecret secret
OIDCCryptoPassphrase "tA!2bC&4dEfGhI6jKlMnOpQrStUvXwZy"
OIDCProviderTokenEndpointAuth client_secret_post
OIDCSessionType client-cookie
OIDCCookiePath /
OIDCStateTimeout 300

AuthType openid-connect Require valid-user LogLevel debug """

I am running ubuntu server, but I would like that the solution applies for Centos7 too if possible.

[zandbelt]

looks like a cookie/domain mismatch; being on plain http may be an issue and you probably also want to upgrade to a recent release

[JonEasy]

I did manage to access the page and added few more settings in my configuration. I want to retrieve the token and create a new header :

<Location />

        AuthType openid-connect
        Require valid-user
        LogLevel debug
        RequestHeader set Authorization "Bearer %{OIDC_access_token}e"
        SetEnv USERID
        RequestHeader set MYCLAIM "test"
        Require claim
        OIDCPassClaimsAs both
        OIDCAuthNHeader MYHEADER
</Location>

When looking at the logs I see

[Thu Jan 18 11:51:21.838475 2024] [auth_openidc:debug] [pid 12308:tid 140081297819200] src/util.c(2833): [client 127.0.0.1:54101] oidc_util_hdr_table_set: OIDC_access_token: 0003UcoHHZPyU5Ve6bDlaudFEcux, referer: https://authenticator.com/
[Thu Jan 18 11:51:21.838489 2024] [auth_openidc:debug] [pid 12308:tid 140081297819200] src/util.c(2305): [client 127.0.0.1:54101] oidc_util_set_app_info: setting environment variable "OIDC_access_token: 0003UcoHHZPyU5Ve6bDlaudFEcux", referer: https://authenticator.com/
[Thu Jan 18 11:51:21.838504 2024] [auth_openidc:debug] [pid 12308:tid 140081297819200] src/util.c(2833): [client 127.0.0.1:54101] oidc_util_hdr_table_set: OIDC_access_token_expires: 1705582280, referer: https://authenticator.com/
[Thu Jan 18 11:51:21.838517 2024] [auth_openidc:debug] [pid 12308:tid 140081297819200] src/util.c(2305): [client 127.0.0.1:54101] oidc_util_set_app_info: setting environment variable "OIDC_access_token_expires: 1705582280", referer: https://authenticator.com/

Howver I do not see any new header set in my requests nor I can access the access_token from environmental variables. Why is "RequestHeader set Authorization "Bearer %{OIDC_access_token}e"" not working ?

[zandbelt]

where/how do you inspect the request headers to come to that conclusion?

[JonEasy]

I am inspecting the network tab from chrome and check the request headers after I am redirected to localhost once authenticated. I only see the header>
"Cookie: mod_uath_openid_sessoin=-----"

[zandbelt]

the request headers as set by mod_auth_openidc and mod_headers (RequestHeader) are only propagated to the protected content, they don't reach the browser

[JonEasy]

Not sure if I understand. How should I check it then ? This is what I see

I am serving a simple page from /www/var/html/index.html.