Require claim statement failing even though claim is present

[hkennyv]

Hi there,

I'm having an issue where we have a "Require claim group:" statement that is failing and returning 401 even though we can pretty clearly see that the is present in the debug logs. I feel like we are missing something very simple that would explain this.

If we comment out the "Require claim group:" statement, we can successfully load the page.

See the relevant apache config below:

<Location "/cgi-bin/admin/">
  AuthType openid-connect
  LogLevel debug
  Require claim group:admin
</Location>

And the log lines that include the admin group (logs redacted a bit):

[Tue Jul 16 20:21:26.705818 2024] [auth_openidc:debug] [pid 72838:tid 140523822089984] src/util.c(1183): [client 10.192.11.152:26854] oidc_util_set_app_info: setting header "OIDC_CLAIM_group: admin,group1,group2", referer: https://<my-idp>/
[Tue Jul 16 20:21:26.705824 2024] [auth_openidc:debug] [pid 72838:tid 140523822089984] src/util.c(1193): [client 10.192.11.152:26854] oidc_util_set_app_info: setting environment variable "OIDC_CLAIM_group: admin,group1,group2", referer: https://<my-idp>/
...
[Tue Jul 16 20:21:26.705980 2024] [auth_openidc:debug] [pid 72838:tid 140523822089984] src/authz.c(336): [client 10.192.11.152:26854] oidc_authz_worker24: evaluating claim specification: group:admin, referer: https://<my-idp>/
[Tue Jul 16 20:21:26.705983 2024] [auth_openidc:debug] [pid 72838:tid 140523822089984] src/authz.c(200): [client 10.192.11.152:26854] oidc_authz_match_claim: evaluating key "sub", referer: https://<my-idp>/
[Tue Jul 16 20:21:26.705994 2024] [authz_core:debug] [pid 72838:tid 140523822089984] mod_authz_core.c(809): [client 10.192.11.152:26854] AH01626: authorization result of Require claim group:admin: denied, referer: https://<my-idp>/
[Tue Jul 16 20:21:26.705997 2024] [authz_core:debug] [pid 72838:tid 140523822089984] mod_authz_core.c(809): [client 10.192.11.152:26854] AH01626: authorization result of <RequireAny>: denied, referer: https://<my-idp>/
[Tue Jul 16 20:21:26.706000 2024] [authz_core:error] [pid 72838:tid 140523822089984] [client 10.192.11.152:26854] AH01631: user <sub>@<issuer>: authorization failure for "/cgi-bin/admin/admin": , referer: https://<my-idp>/

I've also tried modifying the Require claim statement to try to match a different claim that we can see is being set in the debug logs, but I get the same 401.

<Location "/cgi-bin/admin/">
  AuthType openid-connect
  LogLevel debug
  Require claim BADGE_COLOR_CODE:F
</Location>

[Tue Jul 16 20:21:26.705831 2024] [auth_openidc:debug] [pid 72838:tid 140523822089984] src/util.c(1183): [client 10.192.11.152:26854] oidc_util_set_app_info: setting header "OIDC_CLAIM_BADGE_COLOR_CODE: F", referer: https://<my-idp>/
[Tue Jul 16 20:21:26.705834 2024] [auth_openidc:debug] [pid 72838:tid 140523822089984] src/util.c(1193): [client 10.192.11.152:26854] oidc_util_set_app_info: setting environment variable "OIDC_CLAIM_BADGE_COLOR_CODE: F", referer: https://<my-idp>/

Are there any other configuration attributes that could help us troubleshoot this issue? Thanks!

[zandbelt]

which version of mod_auth_openidc are you on?

[hkennyv]

Hi zandbelt@, thanks for the quick response. Using strings /usr/lib/apache2/modules/mod_auth_openidc.so | grep mod_auth_openidc, it looks like we have

mod_auth_openidc-1.8.5

[hkennyv]

Also, upon some more investigation, I can see with a different setup, it looks like we should expect to see this evaluating key log line for each of the claims, something like this:

7321561:[Tue Jul 16 00:12:15.688324 2024] [auth_openidc:debug] [pid 2890895:tid 140671000221440] src/authz.c(200): [client 10.192.10.108:20478] oidc_authz_match_claim: evaluating key "aud"
7321562:[Tue Jul 16 00:12:15.688326 2024] [auth_openidc:debug] [pid 2890895:tid 140671000221440] src/authz.c(200): [client 10.192.10.108:20478] oidc_authz_match_claim: evaluating key "family_name"
7321563:[Tue Jul 16 00:12:15.688328 2024] [auth_openidc:debug] [pid 2890895:tid 140671000221440] src/authz.c(200): [client 10.192.10.108:20478] oidc_authz_match_claim: evaluating key "iss"
7321564:[Tue Jul 16 00:12:15.688330 2024] [auth_openidc:debug] [pid 2890895:tid 140671000221440] src/authz.c(200): [client 10.192.10.108:20478] oidc_authz_match_claim: evaluating key "iat"
7321565:[Tue Jul 16 00:12:15.688332 2024] [auth_openidc:debug] [pid 2890895:tid 140671000221440] src/authz.c(200): [client 10.192.10.108:20478] oidc_authz_match_claim: evaluating key "nbf"
7321566:[Tue Jul 16 00:12:15.688334 2024] [auth_openidc:debug] [pid 2890895:tid 140671000221440] src/authz.c(200): [client 10.192.10.108:20478] oidc_authz_match_claim: evaluating key "exp"
7321567:[Tue Jul 16 00:12:15.688336 2024] [auth_openidc:debug] [pid 2890895:tid 140671000221440] src/authz.c(200): [client 10.192.10.108:20478] oidc_authz_match_claim: evaluating key "group"

but in the instance described in the OP, it looks like it is only evaluating "sub" for some reason even though it seems to be successfully setting the headers/env variables for all of the claims (not just sub)

[zandbelt]

well 1.8.5 is almost 9 years old..., the problem could be anything; I suggest upgrading to the latest 2.4.15.7

most likely you're running into #120

[hkennyv]

thanks hans, you are correct, it looks like the issue was #120. due to some legacy issues (separate problem), the most recent version available from the system package manager was 1.8.5. we have upgraded to 1.8.10 and can confirm by grepping the debug logs that all of the id_token claim keys are being evaluated

we will have to revisit the major version upgrade to 2.4.x

i'll mark this discussion as closed, thank you for the support, it is much appreciated!