Topic: OIDC fallback authentication
ApacheUser1212123



Joined: 22 Feb 2021
Posts: 6

Posted: Mon 21 Jun '21 17:48    Post subject: OIDC fallback authentication

Hey,

I'm trying to configure my Apache httpd for OIDC authentication, which works well. But I ran into an issue trying to allow requests to pass even if the authentication failed.

I have a simple OIDC configuration that looks like this:

Code:

<Location /my_routr/>
       AuthType openid-connect
       Require valid-user
       # Set some headers
       ProxyPass my_server
</Location>


I'm trying to make httpd attempt to authenticate using OIDC and use the result as headers, but if the OIDC authentication fails, to pass the request anyway without the headers.

Is there a way to do that?

Thanks.
tangent



Joined: 16 Aug 2020
Posts: 105
Location: UK

Posted: Mon 21 Jun '21 21:28

Tricky; authenticated and unauthenticated.

You could try using a <RequireAny> block directive to allow more than one class of user within your location block, viz:

Code:
    <RequireAny>
        Require valid-user
        Require all granted
    </RequireAny>

Then, since the OIDC module should set REMOTE_USER to something for valid users, you might be able to use RequestHeader directives to conditionally set additional headers for them, viz:

Code:
   RequestHeader set SomeHeader SomeValue expr=%{REMOTE_USER}

(Check the RequestHeader syntax here https://httpd.apache.org/docs/current/mod/mod_headers.html#requestheader)

Unfortunately, you can't use <If> block directives to check for %{REMOTE_USER}, since they get evaluated before the authentication modules run.

I've not tried this, so let us know if it works as you want.
ApacheUser1212123



Joined: 22 Feb 2021
Posts: 6

Posted: Tue 22 Jun '21 9:07

Do you mean it should look like this:

Code:

<LocationMatch "/route">
<RequireAny>
  Require valid-user
  Require all granted
</RequireAny>
RequestHeader set SomeHeader SomeValue expr=%{REMOTE_USER}
ProxyPass ...

</LocationMatch>
?
This didn't work. I keep getting "forbidden 403"; it looks like it's still trying to go through OIDC.
tangent



Joined: 16 Aug 2020
Posts: 105
Location: UK

Posted: Tue 22 Jun '21 21:08

Hmm - I would have expected that to work, since <RequireAny> should succeed if any of the enclosed Require directives do.
Is it any different if you reverse the order of the two Require directives (even though that should make no difference)?

Also, does your configuration have any authorization logic for preceding parts of the site (<Directory> or <Location> entries)? If so, the AuthMerging directive might be relevant.
This issue might be down to some AUTHZ vagary of the OIDC module, but maybe juggling the order of parts of your configuration may help.

Sorry, I can't think of anything else over this problem.
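
The pass-through behaviour asked about in this thread, as an added example that is not part of any post above and not the posters' or the project's own configuration: mod_auth_openidc has an `OIDCUnAuthAction` directive whose `pass` value lets unauthenticated requests through while `Require valid-user` stays in place. The path, the header name `X-Authenticated-User` and the backend URL are assumptions, and the `unset` line is there so the backend never sees an identity header that the client supplied itself.

```apache
# Added example, not from the thread. Assumes mod_auth_openidc, mod_headers and
# mod_proxy_http are loaded and that the provider settings (OIDCProviderMetadataURL,
# OIDCClientID, OIDCClientSecret, OIDCRedirectURI, OIDCCryptoPassphrase) are
# already configured at server level.
# The path, header name and backend URL below are placeholders.
<Location "/my_route/">
    AuthType openid-connect
    Require valid-user

    # Let requests without a valid OIDC session through instead of redirecting
    # them to the provider. REMOTE_USER is left empty for those requests.
    OIDCUnAuthAction pass

    # Strip any copy of the identity header that arrived from the client, so an
    # unauthenticated caller cannot present itself as a logged-in user.
    RequestHeader unset X-Authenticated-User

    # Set the header only when the OIDC module authenticated the request.
    # RequestHeader runs after authentication, so REMOTE_USER is available here.
    RequestHeader set X-Authenticated-User "expr=%{REMOTE_USER}" "expr=-n %{REMOTE_USER}"

    ProxyPass "http://backend.example:8080/"
</Location>
```

The backend should treat a request without `X-Authenticated-User` as anonymous and should only be reachable through this proxy, otherwise the header can be forged by connecting to it directly.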