How to access webpage protected by auth_openidc with curl ?

[Tistou-ESGI]

Hi,

I've configured apache2 mod_auth_openidc on my webserver with keycloak.

I can obtain a token with curl to keycloak, but when i try to access to my protected webpage with this token i get an html page with js code saying "Submitting.."
this code seems to be from the mod

Here is the error log of apache:

[Fri Aug 16 12:33:30.461895 2024] [authz_core:debug] [pid 947601:tid 947601] mod_authz_core.c(815): [client :41306] AH01626: authorization result of Require valid-user : denied (no authenticated user yet)
[Fri Aug 16 12:33:30.461920 2024] [authz_core:debug] [pid 947601:tid 947601] mod_authz_core.c(815): [client 41306] AH01626: authorization result of <RequireAny>: denied (no authenticated user yet)
[Fri Aug 16 12:33:30.461936 2024] [auth_openidc:debug] [pid 947601:tid 947601] src/mod_auth_openidc.c(3942): [client :41306] oidc_check_user_id: incoming request: "/app/index.html?(null)", ap_is_initial_req(r)=1
[Fri Aug 16 12:33:30.461950 2024] [auth_openidc:debug] [pid 947601:tid 947601] src/util.c(1243): [client :41306] oidc_util_get_cookie: returning "mod_auth_openidc_session" = <null>
[Fri Aug 16 12:33:30.461955 2024] [auth_openidc:debug] [pid 947601:tid 947601] src/util.c(1405): [client :41306] oidc_util_request_matches_url: comparing "/app/index.html"=="/app/index.html"
[Fri Aug 16 12:33:30.461963 2024] [auth_openidc:debug] [pid 947601:tid 947601] src/proto.c(2487): [client :41306] oidc_proto_javascript_implicit: enter
[Fri Aug 16 12:33:30.461981 2024] [authz_core:debug] [pid 947601:tid 947601] mod_authz_core.c(815): [client :41306] AH01626: authorization result of Require valid-user : granted
[Fri Aug 16 12:33:30.461986 2024] [authz_core:debug] [pid 947601:tid 947601] mod_authz_core.c(815): [client 41306] AH01626: authorization result of <RequireAny>: granted
[Fri Aug 16 12:33:30.461998 2024] [auth_openidc:debug] [pid 947601:tid 947601] src/util.c(1405): [client :41306] oidc_util_request_matches_url: comparing "/app/index.html"=="/app/index.html"

Here is my apache config:

root@apache-synveillance:~# cat /etc/apache2/sites-available/oidcprotected.conf 
<VirtualHost *:80>
    ServerName oidcprotected.example.lab
    RedirectPermanent / https://oidcprotected.example.lab/
</VirtualHost>
<VirtualHost *:443>
    ServerName oidcprotected.example.lab
    DocumentRoot /var/www/oidc/
    SSLEngine On
    SSLCertificateFile /root/pki/ww.crt
    SSLCertificateKeyFile /root/pki/ww.key
    CustomLog /var/log/apache2/oidcserver.example.lab.access.log combined
    ErrorLog /var/log/apache2/oidcerver.example.lab.error.log
    OIDCCryptoPassphrase a-random-secret-used-by-apache-oidc-and-balancer
    OIDCProviderMetadataURL http://keycloak.example.lab:8080/realms/master/.well-known/openid-configuration
    OIDCClientID example
    OIDCClientSecret XuB9EsQXo0oweYHdhrlIisDPV
    OIDCRedirectURI https://oidcprotected.example.lab/app/index.html
    OIDCSSLValidateServer On
    <Location /app>
       AuthType openid-connect
       Require valid-user
       LogLevel debug
    </Location>
</VirtualHost>

Here is the curl command i used:

response=$(curl -L -b ./cookie.jar -c ./cookie.jar -d 'client_id=example' -d 'client_secret=XuB9EsQewG3SYHdhrlIisDPV' -d 'username=admin' -d 'password=admin' -d 'grant_type=password' 'http://keycloak.example.lab:8080/realms/master/protocol/openid-connect/token')

access_token=`echo $response|jq '.access_token'|cut -d\" -f2`

curl -H "Authorization: Bearer \"$access_token\""  -b ./cookie.jar -c ./cookie.jar --insecure -L -X GET https://oidcprotected.example.lab/app/index.html 

Thanks

[cureton]

I could be completely misguided but I think the access token you got from azure is to allow you to query back to the MS graph api and not the api of your application.

I suspect the token will not validate in jwt.io.

I think you would need to run the authentication against your application and use the session Cookie it provided to access your application api.

[Zeusfucserenity]

Hi