Unable to set access_token in the headers

[mgazanayi]

Hi,

I have an application which has two parts: a public one mapped on / and a private one mapped on /cms
I have a really strange behaviour because the Authorization Bearer is never set to the RequestHeader, and when I allow the calls to /api/cms/** in the backend side, everything is going well (just to prove that the proxying is working).
This is not our first project using mod_auth_openidc (BTW, thanks a lot for this awesome project), it's our 6th, and everything is always working very well.
The redirect to the IDP and the authorization flow is working, except this thing to have the access_token set in the Headers.

The redirect uri is set to /cms/auth/oidc, maybe userinfo is not redirected to this?

Here is the specific part of this project:

<Directory $DOCROOT>
  Satisfy Any
</Directory>
<Location />
  Satisfy Any
</Location>

<Location /cms>
  Order Deny,Allow
  AuthType  auth-openidc
  Require   valid-user
</Location>

RewriteEngine On
RewriteRule ^/health-check - [R=200,L]

SetEnvIf Authorization ^Bearer.* hasBearer

# Expires=0 when accessing html resources
ExpiresActive On
ExpiresByType "text/html" "now"

<LocationMatch "^/(?!ruxit|rb_)(.*)$">
  FallbackResource /index.html
</LocationMatch>

LimitRequestFieldSize 65536
RequestReadTimeout body=20,MinRate=30720
ErrorDocument 401 /errors/401.html
<Location /errors/>
  Allow From All
  Satisfy Any
</Location>
<Directory /errors/>
  Allow From All
  Satisfy Any
</Directory>

<Location /api/cms>
  <RequireAny>
    Require   valid-user
    Require   env hasBearer
  </RequireAny>
</Location>

<IfModule proxy_http_module>
    ProxyPass        "/api/public" "http://egm-api:8080/api/public"
    ProxyPassReverse "/api/public" "http://egm-api:8080/api/public"
    <Location /api/public>
      RequestHeader setifempty X-Request-Id %{UNIQUE_ID}e
      RequestHeader add X-SIA ${SIA}
      RequestHeader add X-IRN ${IRN}
      ProxyPreserveHost On
    </Location>
</IfModule>

<IfModule proxy_http_module>
    ProxyPass        "/api/cms" "http://egm-api:8080/api/cms"
    ProxyPassReverse "/api/cms" "http://egm-api:8080/api/cms"
    <Location /api/cms>
      RequestHeader setifempty X-Request-Id %{UNIQUE_ID}e
      RequestHeader set Authorization "Bearer %{OIDC_access_token}e" env=!hasBearer
      RequestHeader set id_token      "%{OIDC_id_token}e"            env=!hasBearer
      RequestHeader add X-SIA ${SIA}
      RequestHeader add X-IRN ${IRN}
      ProxyPreserveHost On
    </Location>
</IfModule>

# Prevent redirection to IDP and then stacking state cookies when accessing static resources.
<LocationMatch "\.(woff|woff2|js|css|svg|map|ico|jpe?g|png|gif)$">
 OIDCUnAuthAction 401
</LocationMatch>

<LocationMatch "manifest.json$">
  OIDCUnAuthAction 401
</LocationMatch>

Any idea please?

Thanks in advance.

[zandbelt]

What if you just use:

RequestHeader set Authorization "Bearer %{OIDC_access_token}e" 

[mgazanayi]

Hi @zandbelt, thanks for your quick answer.
Unfortunately, I tried this and nothing, the header is always null.
One question, since in all the other projects we call the profile.json url, is it mandatory to do it also here to have the access_token set or no link between?

[zandbelt]

then check the server debug logs to verify that an access_token is actually received and set in the environment

[mgazanayi]

Hi @zandbelt
I can see it:

egm-app    | { "eventTime":"2021-10-11 17:52:09.217590", "resourceAction":"auth_openidc", "requestTime":139681695647488, "message":"[auth_openidc:debug] oidc_util_set_app_info: setting environment variable "OIDC_id_token: eyJraWQiOiIxNzY3IiwidHlwIjoiSldUIiwiYWxnIj....""}
egm-app    | { "eventTime":"2021-10-11 17:52:09.217615", "resourceAction":"auth_openidc", "requestTime":139681695647488, "message":"[auth_openidc:debug] oidc_util_set_app_info: setting environment variable "OIDC_access_token: eyJraWQiOiIxNzY3IiwidHlwIjoiSldUIiwiY....""}
egm-app    | { "eventTime":"2021-10-11 17:52:09.217633", "resourceAction":"auth_openidc", "requestTime":139681695647488, "message":"[auth_openidc:debug] oidc_util_set_app_info: setting environment variable "OIDC_access_token_expires: 1633976528""}

[mgazanayi]

Any idea on what can be wrong with setting this env variable please?
I looked everywhere, everything seems normal and even the debug mode showed the action of setting the environment variable:

oidc_util_set_app_info: setting environment variable "OIDC_access_token:

[zandbelt]

no, I have no clue; perhaps some security setting avoids passing that header?

[mgazanayi]

Is there anything to have with the Deny, Allow on the beginning of the config?

[zandbelt]

no, I don't think so; however since the environment variable is set by the module, it is an Apache config issue that does not necessarily belong here

[mgazanayi]

Thanks a lot. I'll dig again. Have an excellent evening.

[mgazanayi]

Hi @zandbelt
I did a simple test.
Instead of having / as public and /cms as private, I made the / protected directly. And everything is working.
Is it supported with mod_auth_openidc to have some public and secured parts? Or is it all or nothing?
Thanks

[zandbelt]

you can exclude parts by using AuthType none on them

[mgazanayi]

Thanks for your response @zandbelt
This is the only difference between the test that works (securing the whole app) and the one which secures only the /cms part, which unfortunately doesn't work.
I don't know if you already tried something similar?

[zandbelt]

yes, that works; the issue must be something in your Apache config, most likely in the order of statements