Forbidden 403 for OIDC exempt PHP scripts

[rich-page-vtm]

Hi,

I have a server using mod_auth_openidc for a particular web application, but some portions of that app need to be exempt from OIDC authentication.

I've had some success with OIDC exempt locations using the "AuthType None" directive, but I'm having trouble with some php scripts where the "AuthType None" directive doesn't seem to work. I'm getting "Forbidden 403" errors.

Here's my config:

 <IfModule auth_openidc_module>
    OIDCProviderMetadataURL https://auth.company.com/.well-known/openid-configuration
    OIDCProviderAuthorizationEndpoint https://auth.company.com/authorize?organization=org_rHoWwjMfS7CtwNSQ
    OIDCClientID <client_id>
    OIDCClientSecret <client_id_secret>
    OIDCCryptoPassphrase <crypto_pass_phrase>
    OIDCRedirectURI https://app.company.com/tenant/.openidc/redirect_uri
    OIDCRemoteUserClaim http://company.username
    OIDCScope "openid profile email"
    OIDCStateMaxNumberOfCookies 7 true
    OIDCCacheType file
    OIDCCacheDir /path/to/tenant/apache2/var/oidc_sessions
    OIDCCacheFileCleanInterval 30
    OIDCCookieDomain company.com
    OIDCRedirectURLsAllowed https://app.company.com/tenant/app/logout.html

    <Location /tenant/.openidc/>
      AuthType openid-connect
      Require valid-user
      Options followSymLinks
      AllowOverride none
    </Location>

    <Location /tenant/.openidc/redirect_uri?logout*>
      Options followSymLinks
      AllowOverride none
    </Location>

    <Location />
      Options followSymLinks
      AllowOverride none
      RewriteEngine on
      RequestHeader set X-USERTOKEN expr=%{REMOTE_USER}
      AuthType openid-connect
      Require valid-user
    </Location>

  </IfModule>

# OIDC exempt /tmp/ location:
   <Location /tmp/>
      Options followSymLinks
      AllowOverride none
      Require all granted
      AuthType none
    </Location>

# App location that is OIDC exempt:
   <Location /app/>
      Options followSymLinks
      AllowOverride none
      Require all granted
      AuthType none
    </Location>

 <Location /app/php_scripts/script.php>
      Options followSymLinks execCGI
      AllowOverride none
      Require all granted
      AuthType none
    </Location>

Alias /app "/path/to/web_browser"
  <Directory /path/to/web_browser>
    <LimitExcept GET POST>
      Require all denied
    </LimitExcept>
    SetHandler none

    Options +includes
    XBitHack on
    AllowOverride none

    <IfModule fcgid_module>
      <FilesMatch "[^.]+\.php$">
        AuthType none
        Require all granted
        SetHandler fcgid-script
        FcgidWrapper /path/to/cgi-bin/app_php.fcgi .php
        Options +execCGI
      </FilesMatch>
    </IfModule>

    Require all granted
  </Directory>

If I try to run the app/php_scripts/script.php I get a 403 Forbidden.

Now, we have a FilesMatch clause there that is used when a .php is used, which runs the php through the app_php.fcgi wrapper. You can see that I tried to add the "AuthType none" directive to the FilesMatch section, but that doesn't seem to work.

Any ideas as to what I might have to do to make the PHP script run (without OIDC authentication)?

Note: if I use this config without mod_auth_openidc, the php runs.

Thanks for your help!

[rich-page-vtm]

I have been able to get further on this issue, but I still believe there may be an issue.

I found that if I remove the section under the /app /path/to/web_browser Directory definition with the FilesMatch section:

    <IfModule fcgid_module>
      <FilesMatch "[^.]+\.php$">
        AuthType none
        Require all granted
        SetHandler fcgid-script
        FcgidWrapper /path/to/cgi-bin/app_php.fcgi .php
        Options +execCGI
      </FilesMatch>
    </IfModule>

and move it to its own Location directive without a FilesMatch:

  <IfModule fcgid_module>
     <Location />
       AddHandler fcgid-script .php
       FcgidWrapper /path/to/cgi-bin/app_php.fcgi .php
       Options +execCGI
     </Location>
   </IfModule>

The OIDC exemption for php under /app/ are allowed as we expect.

I'm wondering now if there's an issue with OIDC exemption when a FilesMatch directive is used?

Running mod_auth_openidc 2.4.11.2.

[zandbelt]

it's an Apache Directory vs Location thing, see https://httpd.apache.org/docs/2.4/sections.html#merging