Authorization error following the update of version 2.4.4.1 to version 2.4.9.4

[Meheni]

Hi,

When updating our mod_auth_openidc 2.4.4.1 module to 2.4.9.4, we found a regression in one of our connections.

After analyzing logs and release, I found that the problem is caused by the bug correction #497 in version 2.4.5.

In the logs, I have the following information:

[Fri Nov 19 11:26:47.924808 2021] [auth_openidc:debug] [pid 106:tid 140051036980992] src/mod_auth_openidc.c(4004): [client IP.IP:20623] oidc_authz_checker: enter: require_args="aud:xxxx", referer: https://myApp/app/creation?context=creationEC&goto=https%3A%2F%2FmyApp%2app%2index.html
[Fri Nov 19 11:26:47.924816 2021] [authz_core:debug] [pid 106:tid 140051036980992] mod_authz_core.c(818): [client IP.IP:20623] AH01626: authorization result of Require claim aud:xxxx: denied (no authenticated user yet), referer: https://myApp/app/creation?context=creationEC&goto=https%3A%2F%2FmyApp%2app%2index.html
[Fri Nov 19 11:26:47.924823 2021] [authz_core:debug] [pid 106:tid 140051036980992] mod_authz_core.c(818): [client IP.IP:20623] AH01626: authorization result of : denied (no authenticated user yet), referer: https://myApp/app/creation?context=creationEC&goto=https%3A%2F%2FmyApp%2app%2index.html
[Fri Nov 19 11:26:47.924836 2021] [auth_openidc:debug] [pid 106:tid 140051036980992] src/mod_auth_openidc.c(3890): [client IP.IP:20623] oidc_check_user_id: incoming request: "/app/redirect_uri.html?info=json&access_token_refresh_interval=60", ap_is_initial_req(r)=1, referer: https://myApp/app/creation?context=creationEC&goto=https%3A%2F%2FmyApp%2app%2index.html
[Fri Nov 19 11:26:47.924846 2021] [auth_openidc:debug] [pid 106:tid 140051036980992] src/oauth.c(207): [client IP.IP:20623] oidc_oauth_get_bearer_token: accept_token_in=0, referer: https://myApp/app/creation?context=creationEC&goto=https%3A%2F%2FmyApp%2app%2index.html
[Fri Nov 19 11:26:47.924857 2021] [auth_openidc:debug] [pid 106:tid 140051036980992] src/oauth.c(298): [client IP.IP:20623] oidc_oauth_get_bearer_token: no bearer token found in the allowed methods: [], referer: https://myApp/app/creation?context=creationEC&goto=https%3A%2F%2FmyApp%2app%2index.html

[Fri Nov 19 11:26:47.924857 2021] [auth_openidc:debug] [pid 106:tid 140051036980992] src/oauth.c(298): [client IP.IP:20623] oidc_oauth_get_bearer_token: no bearer token found in the allowed methods: [], referer: https://myApp/app/creation?context=creationEC&goto=https%3A%2F%2FmyApp%2app%2index.html
[Fri Nov 19 11:26:47.924888 2021] [auth_openidc:debug] [pid 106:tid 140051036980992] src/util.c(2521): [client IP.IP:20623] oidc_util_hdr_in_get: Cookie=visitid=YZd7td@9y5liaSr
4@QjnPgAAEwM; RCJSESSIONID=pWXVDyvxMDNMQLPmCSyHRl9S4ivQV8Y9oOOSIj6Z.cieyy3ec; _pk_id.614.2f6f=cfa3757818d689de.1637317554.; _pk_ses.614.2f6f=1; amlbcookie=01; TCPID=12111511261101004319; ....... ; mod_auth_openidc_session=322d0c44-4923-11ec-a3b7-a77103397563; .............., nbpageVisit=2, referer: https://myApp/app/creation?context=creationEC&goto=https%3A%2F%2FmyApp%2app%2index.html

[Fri Nov 19 11:26:47.924912 2021] [auth_openidc:debug] [pid 106:tid 140051036980992] src/util.c(1226): [client IP.IP:20623] oidc_util_get_cookie: returning "mod_auth_openidc_session" = "322d0c44-4923-11ec-a3b7-a77103397563", referer: https://myApp/app/creation?context=creationEC&goto=https%3A%2F%2FmyApp%2app%2index.html
[Fri Nov 19 11:26:47.924921 2021] [auth_openidc:debug] [pid 106:tid 140051036980992] src/cache/common.c(318): [client IP.IP:20623] oidc_cache_get: enter: 322d0c44-4923-11ec-a3b7-a77103397563 (section=s, decrypt=0, type=shm), referer: https://myApp/app/creation?context=creationEC&goto=https%3A%2F%2FmyApp%2app%2index.html
[Fri Nov 19 11:26:47.924940 2021] [auth_openidc:debug] [pid 106:tid 140051036980992] src/cache/common.c(350): [client IP.IP:20623] oidc_cache_get: cache hit: return 1823 bytes from shm cache backend for key 322d0c44-4923-11ec-a3b7-a77103397563, referer: https://myApp/app/creation?context=creationEC&goto=https%3A%2F%2FmyApp%2app%2index.html
[Fri Nov 19 11:26:47.925073 2021] [auth_openidc:debug] [pid 106:tid 140051036980992] src/util.c(1388): [client IP.IP:20623] oidc_util_request_matches_url: comparing "/app/redirect_uri.html"=="/app/redirect_uri.html", referer: https://myApp/app/creation?context=creationEC&goto=https%3A%2F%2FmyApp%2app%2index.html
[Fri Nov 19 11:26:47.925100 2021] [auth_openidc:debug] [pid 106:tid 140051036980992] src/mod_auth_openidc.c(4004): [client IP.IP:20623] oidc_authz_checker: enter: require_args="client_id:Android", referer: https://myApp/app/creation?context=creationEC&goto=https%3A%2F%2FmyApp%2app%2index.html
[Fri Nov 19 11:26:47.925110 2021] [authz_core:debug] [pid 106:tid 140051036980992] mod_authz_core.c(818): [client IP.IP:20623] AH01626: authorization result of Require claim client_id:Android: denied (no authenticated user yet), referer: https://myApp/app/creation?context=creationEC&goto=https%3A%2F%2FmyApp%2app%2index.html
[Fri Nov 19 11:26:47.925118 2021] [auth_openidc:debug] [pid 106:tid 140051036980992] src/mod_auth_openidc.c(4004): [client IP.IP:20623] oidc_authz_checker: enter: require_args="client_id:iPhone", referer: https://myApp/app/creation?context=creationEC&goto=https%3A%2F%2FmyApp%2app%2index.html
[Fri Nov 19 11:26:47.925126 2021] [authz_core:debug] [pid 106:tid 140051036980992] mod_authz_core.c(818): [client IP.IP:20623] AH01626: authorization result of Require claim client_id:iPhone: denied (no authenticated user yet), referer: https://myApp/app/creation?context=creationEC&goto=https%3A%2F%2FmyApp%2app%2index.html
[Fri Nov 19 11:26:47.925135 2021] [auth_openidc:debug] [pid 106:tid 140051036980992] src/mod_auth_openidc.c(4004): [client IP.IP:20623] oidc_authz_checker: enter: require_args="aud:xxxx", referer: https://myApp/app/creation?context=creationEC&goto=https%3A%2F%2FmyApp%2app%2index.html
[Fri Nov 19 11:26:47.925142 2021] [authz_core:debug] [pid 106:tid 140051036980992] mod_authz_core.c(818): [client IP.IP:20623] AH01626: authorization result of Require claim aud:xxxx: denied (no authenticated user yet), referer: https://myApp/app/creation?context=creationEC&goto=https%3A%2F%2FmyApp%2app%2index.html
[Fri Nov 19 11:26:47.925150 2021] [authz_core:debug] [pid 106:tid 140051036980992] mod_authz_core.c(818): [client IP.IP:20623] AH01626: authorization result of : denied (no authenticated user yet), referer: https://myApp/app/creation?context=creationEC&goto=https%3A%2F%2FmyApp%2app%2index.html
[Fri Nov 19 11:26:47.925157 2021] [authz_core:error] [pid 106:tid 140051036980992] [client IP.IP:20623] AH01629: authorization failure (no authenticated user): /fr/accueil/espace-client/moduleopenidc.html, referer: https://myApp/app/creation?context=creationEC&goto=https%3A%2F%2FmyApp%2app%2index.html

I noticed that the error occurs that:
1 - When the Matche redirection URI:

[Fri Nov 19 11:26:47.925073 2021] [auth_openidc:debug] [pid 106:tid 140051036980992] src/util.c(1388): [client IP.IP:20623] oidc_util_request_matches_url: comparing "/app/redirect_uri.html"=="/app/redirect_uri.html", referer: https://myApp/app/creation?context=creationEC&goto=https%3A%2F%2FmyApp%2app%2index.html

2 - When in the configuration there is "Require claim aud:XXXX". but If I use "Require Valid-User" so I have no error.

Here is my module configuration:

OIDCOAuthClientID xxxx
OIDCOAuthClientSecret **********

OIDCClientID xxxx
OIDCClientSecret **********

OIDCResponseType "code"
OIDCResponseMode form_post

OIDCStateMaxNumberOfCookies 7 true

OIDCRedirectURI https://myApp/app/redirect_uri.html
OIDCCryptoPassphrase *************


<LocationMatch "/app/">
   Authtype auth-openidc
   Require claim client_id:Android
   Require claim client_id:iPhone
   Require claim aud:xxxx
</LocationMatch>


OIDCUserInfoTokenMethod authz_header
OIDCPassClaimsAs headers
OIDCClaimPrefix HTTP_OIDC_
OIDCPassIDTokenAs claims
OIDCPassRefreshToken Off

OIDCSSLValidateServer On
OIDCInfoHook access_token access_token_expires id_token

It looks like what is written here: https://github.com/zmartzone/modiki_openidc/wiki/single-page-applications#session-info-authorization but I can not find a solution.
If you can help me please?

Best regards,
Meheni

[zandbelt]

are you sure about the version you're using? because your issue was supposed to be fixed in 2.4.9.3 48ad854

[zandbelt]

would you be able to test a fix from source?

[Meheni]

Hi,

Yes it's possible.

[zandbelt]

please try https://github.com/zmartzone/mod_auth_openidc/tree/redirect-uri-authz-fix

[Meheni]

thanks i will try today.

[Meheni]

Hi,

The fix works very well. We will continue to test it a bit more

thank-you for your prompt response.

Best regards,
Meheni