Receiving infinite loop authenticate request

[karthickiamsso]

I am trying to protect the pdf files which are stored in webserver using mod_auth_oidc and Okta.
After authentication successful receiving authentication request again in infinite loop.
Apache 2.4.43
mod_auth_oidc-2.4.1
Okta is an OP
Not sure what configuration mistake made in this. Any suggestions would be appreciated.

In error log could see the below.

Wed Sep 15 09:53:18.915314 2021] [auth_openidc:debug] [pid 31343:tid 140211723941632] src/cache/common.c(613): [client 10.78.164.187:28423] oidc_cache_get: cache hit: return 3290 bytes from shm cache backend for key 4790d946-162c-11ec-bc48-5363f801da26
[Wed Sep 15 09:53:18.915432 2021] [auth_openidc:debug] [pid 31343:tid 140211723941632] src/util.c(1217): [client 10.78.164.187:28423] oidc_util_request_matches_url: comparing "/restricted/"=="/restricted/"
[Wed Sep 15 09:53:18.915448 2021] [auth_openidc:debug] [pid 31343:tid 140211723941632] src/mod_auth_openidc.c(2170): [client 10.78.164.187:28423] oidc_handle_post_authorization_response: enter
[Wed Sep 15 09:53:18.915455 2021] [auth_openidc:debug] [pid 31343:tid 140211723941632] src/util.c(2309): [client 10.78.164.187:28423] oidc_util_hdr_in_get: Content-Type=application/x-www-form-urlencoded
[Wed Sep 15 09:53:18.915577 2021] [auth_openidc:debug] [pid 31343:tid 140211723941632] src/util.c(1529): [client 10.78.164.187:28423] oidc_util_read_form_encoded_params: read: state=BhNmvF-xvqLdEXd45WQ3MrzxFlg
[Wed Sep 15 09:53:18.915602 2021] [auth_openidc:debug] [pid 31343:tid 140211723941632] src/util.c(1529): [client 10.78.164.187:28423] oidc_util_read_form_encoded_params: read: code=aBRdioFy4yWUx8r8lV6f4fzXnFcRJU5GDvPOMsT3ic4
[Wed Sep 15 09:53:18.915608 2021] [auth_openidc:debug] [pid 31343:tid 140211723941632] src/util.c(1534): [client 10.78.164.187:28423] oidc_util_read_form_encoded_params: parsed: 82 bytes into 2 elements
[Wed Sep 15 09:53:18.915627 2021] [auth_openidc:debug] [pid 31343:tid 140211723941632] src/mod_auth_openidc.c(2036): [client 10.78.164.187:28423] oidc_handle_authorization_response: enter, response_mode=form_post
[Wed Sep 15 09:53:18.915648 2021] [auth_openidc:warn] [pid 31343:tid 140211723941632] [client 10.78.164.187:28423] oidc_handle_browser_back: browser back detected, redirecting to original URL: https://www.abc.com:443/restricted/file/docs/xyz-.pdf
[Wed Sep 15 09:53:18.915655 2021] [auth_openidc:debug] [pid 31343:tid 140211723941632] src/util.c(2365): [client 10.78.164.187:28423] oidc_util_hdr_table_set: Location:https://www.abc.com:443/restricted/file/docs/xyz-.pdf
[Wed Sep 15 09:53:20.082048 2021] [auth_openidc:debug] [pid 31341:tid 140211623229184] src/mod_auth_openidc.c(3918): [client 10.78.164.187:49282] oidc_check_user_id: incoming request: "/restricted/?(null)", ap_is_initial_req(r)=1

#############START###########
LogLevel auth_openidc:debug
OIDCSSLValidateServer Off
OIDCOutgoingProxy http://XXX.com:8080
OIDCProviderMetadataURL https://xyz.com/oauth2/default/.well-known/openid-configuration
OIDCClientID **********************
OIDCClientSecret *********************
OIDCRedirectURI https://abc.com/restricted/
RequestHeader set X-Forwarded-Port 443 early
OIDCCryptoPassphrase example@3003
OIDCScope "openid email profile"
OIDCResponseType "code"
OIDCResponseMode "form_post"
OIDCRemoteUserClaim preferred_username
OIDCAuthNHeader REMOTE_USER
OIDCStateTimeout 600
OIDCStateMaxNumberOfCookies 20
<Location /restricted/>
AuthType openid-connect
Require valid-user

END

[zandbelt]

A quick workaround would most probably be to not use form_post response mode

[karthickiamsso]

Should I need to comment or remove whole line in mod_auth_conf file?
Or need to mention other response type like query or fragment?

OIDCResponseMode "form_post"

Please advise.

[zandbelt]

remove it

[karthickiamsso]

I don't receive infinite authentication request now but unfortunately receives 500 error.
code is not exchanged and could retrieve access token now.

We have naother web instance it works like champ. We do not see any difference between those two config files.
Did not get any specific logs related to this 500 error at apache server end. Any suggestion on this 500 error?

[zandbelt]

Check the server debug log

[karthickiamsso]

@zandbelt : Apologise for late reply.Got stuck in another priority work, so couldn’t reply.

I could see the below error logs in the debug logs.
Any suggestion on this?

Tried checking related to this error, but looks like this is specific to browser related . In my case receiving same error in all browsers.

Facing an error with status code 500.
Thu Sep 23 09:35:50.293470 2021] [auth_openidc:debug] [pid 7285:tid 140495141426944] src/mod_auth_openidc.c(232): [client 10.78.164.187:46240] oidc_get_browser_state_hash: enter
[Thu Sep 23 09:35:50.293481 2021] [auth_openidc:debug] [pid 7285:tid 140495141426944] src/util.c(2309): [client 10.78.164.187:46240] oidc_util_hdr_in_get: X-Forwarded-For=23.220.96.55
[Thu Sep 23 09:35:50.293486 2021] [auth_openidc:debug] [pid 7285:tid 140495141426944] src/util.c(2309): [client 10.78.164.187:46240] oidc_util_hdr_in_get: User-Agent=Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/91.0.4472.114 Safari/537.36
[Thu Sep 23 09:35:50.293501 2021] [auth_openidc:error] [pid 7285:tid 140495141426944] [client 10.78.164.187:46240] oidc_restore_proto_state: calculated state from cookie does not match state parameter passed back in URL: "BoovPk71LZwSs_7Q-tzsWP6cH4E" != "_k8Lfra9Dl90oayI4z5WnZd4PHU"
[Thu Sep 23 09:35:50.293515 2021] [auth_openidc:error] [pid 7285:tid 140495141426944] [client 10.78.164.187:46240] oidc_authorization_response_match_state: unable to restore state
[Thu Sep 23 09:35:50.293520 2021] [auth_openidc:error] [pid 7285:tid 140495141426944] [client 10.78.164.187:46240] oidc_handle_authorization_response: invalid authorization response state and no default SSO URL is set, sending an error...

[zandbelt]

looks like you need to upgrade to the latest version and set OIDCStateInputHeaders user-agent

[karthickiamsso]

Thanks for your prompt response.
We have another instance running on same web server and using the same mod_auth_plugin. That instance works fine.
Based on your suggestion, let me set OIDCStateInpuutHeaders try it.
Will upgrade to latest version as well.

Keep you posted.