Comments (23)
that looks like a memory corruption indeed, can you confirm you're using the latest version of module+library and are you able to produce a coredump+stacktrace?
from mod_oauth2.
I admit that the version is a few months old. Probably Jan/Feb vintage. Do you know offhand how to produce those coredump/stacktarce? I can try to figure it out. I'm running this in a docker image.
from mod_oauth2.
ok, just send me the Dockerfile and I'll figure it out
from mod_oauth2.
I'm going to try to update the versions of your libraries and Apache. but here is the dockerfile I'm running with.
FROM httpd:2.4
# Change this from a copy, to me having the deb files for both
RUN mkdir -p /tmp
COPY libhiredis0.13_0.13.3-2.2_amd64.deb /tmp/libhiredis0.13_0.13.3-2.2_amd64.deb
COPY libcjose0_0.6.1.5-1_bionic+1_amd64.deb /tmp/libcjose0_0.6.1.5-1_bionic+1_amd64.deb
COPY liboauth2_1.4.0.1-1.bionic+1_amd64.deb /tmp/liboauth2_1.4.0.1-1.bionic+1_amd64.deb
COPY liboauth2-apache_1.4.0.1-1.bionic+1_amd64.deb /tmp/liboauth2-apache_1.4.0.1-1.bionic+1_amd64.deb
COPY libapache2-mod-oauth2_3.2.0-1.bionic+1_amd64.deb /tmp/libapache2-mod-oauth2_3.2.0-1.bionic+1_amd64.deb
COPY libapache2-mod-auth-openidc_2.4.5-1.bionic+1_amd64.deb /tmp/libapache2-mod-auth-openidc_2.4.5-1.bionic+1_amd64.deb
RUN apt-get update && \
# apt-get install -y ca-certificates libssl-dev check libjansson-dev libz-dev apache2 libmemcached-dev
apt-get install -y ca-certificates apache2 libmemcached-dev
# Install the packages we just copied in
run dpkg -i /tmp/libhiredis0.13_0.13.3-2.2_amd64.deb
run dpkg -i /tmp/libcjose0_0.6.1.5-1_bionic+1_amd64.deb
run dpkg -i /tmp/liboauth2_1.4.0.1-1.bionic+1_amd64.deb
run dpkg -i /tmp/liboauth2-apache_1.4.0.1-1.bionic+1_amd64.deb
run dpkg -i /tmp/libapache2-mod-oauth2_3.2.0-1.bionic+1_amd64.deb
run dpkg -i /tmp/libapache2-mod-auth-openidc_2.4.5-1.bionic+1_amd64.deb
# Modify the httpd.conf to load modules we use, and tell it to use our custom.conf
RUN echo "LoadModule proxy_module modules/mod_proxy.so" >> /usr/local/apache2/conf/httpd.conf
RUN echo "LoadModule proxy_http_module modules/mod_proxy_http.so" >> /usr/local/apache2/conf/httpd.conf
RUN echo "LoadModule ssl_module modules/mod_ssl.so" >> /usr/local/apache2/conf/httpd.conf
RUN echo "LoadModule oauth2_module /usr/lib/apache2/modules/mod_oauth2.so" >> /usr/local/apache2/conf/httpd.conf
RUN echo "LoadModule auth_openidc_module /usr/lib/apache2/modules/mod_auth_openidc.so" >> /usr/local/apache2/conf/httpd.conf
RUN mkdir /usr/local/apache2/conf-available
RUN touch /usr/local/apache2/conf-available/custom.conf
RUN echo "Include conf-available/custom.conf" >> /usr/local/apache2/conf/httpd.conf
from mod_oauth2.
172.27.0.1 - - [23/Aug/2021:18:16:15 +0000] "POST /someLocation/resources/x.y/doIt HTTP/1.1" 401 381
double free or corruption (fasttop)
172.27.0.1 - FLCm7KqMmt-CnMOKmf1EpJYd5wbPUdJ8ILQPO_TT09Q [23/Aug/2021:18:16:15 +0000] "POST /someLocation/resources/x.y/alsoDoIt/F443EE26 HTTP/1.1" 200 186
[Mon Aug 23 18:16:16.117599 2021] [core:notice] [pid 1:tid 140301462574208] AH00052: child pid 93 exit signal Aborted (6)
I think I upgraded to the lastest version of your libraries. And still got the error. I seem to get it in conjunctions with my Android device having a network blip.
FROM httpd:2.4
RUN mkdir -p /tmp
COPY libhiredis0.13_0.13.3-2.2_amd64.deb /tmp/libhiredis0.13_0.13.3-2.2_amd64.deb
COPY libcjose0_0.6.1.5-1_bionic+1_amd64.deb /tmp/libcjose0_0.6.1.5-1_bionic+1_amd64.deb
COPY liboauth2_1.4.3-1.bionic+1_amd64.deb /tmp/liboauth2_1.4.3-1.bionic+1_amd64.deb
COPY liboauth2-apache_1.4.3-1.bionic+1_amd64.deb /tmp/liboauth2-apache_1.4.3-1.bionic+1_amd64.deb
COPY libapache2-mod-oauth2_3.2.0-1.bionic+1_amd64.deb /tmp/libapache2-mod-oauth2_3.2.0-1.bionic+1_amd64.deb
COPY libapache2-mod-auth-openidc_2.4.9.2-1.bionic+1_amd64.deb /tmp/libapache2-mod-auth-openidc_2.4.9.2-1.bionic+1_amd64.deb
RUN apt-get update &&
apt-get install -y ca-certificates apache2 libmemcached-dev
run dpkg -i /tmp/libhiredis0.13_0.13.3-2.2_amd64.deb
run dpkg -i /tmp/libcjose0_0.6.1.5-1_bionic+1_amd64.deb
run dpkg -i /tmp/liboauth2_1.4.3-1.bionic+1_amd64.deb
run dpkg -i /tmp/liboauth2-apache_1.4.3-1.bionic+1_amd64.deb
run dpkg -i /tmp/libapache2-mod-oauth2_3.2.0-1.bionic+1_amd64.deb
run dpkg -i /tmp/libapache2-mod-auth-openidc_2.4.9.2-1.bionic+1_amd64.deb
RUN echo "LoadModule proxy_module modules/mod_proxy.so" >> /usr/local/apache2/conf/httpd.conf
RUN echo "LoadModule proxy_http_module modules/mod_proxy_http.so" >> /usr/local/apache2/conf/httpd.conf
RUN echo "LoadModule ssl_module modules/mod_ssl.so" >> /usr/local/apache2/conf/httpd.conf
RUN echo "LoadModule oauth2_module /usr/lib/apache2/modules/mod_oauth2.so" >> /usr/local/apache2/conf/httpd.conf
RUN echo "LoadModule auth_openidc_module /usr/lib/apache2/modules/mod_auth_openidc.so" >> /usr/local/apache2/conf/httpd.conf
RUN mkdir /usr/local/apache2/conf-available
RUN touch /usr/local/apache2/conf-available/custom.conf
RUN echo "Include conf-available/custom.conf" >> /usr/local/apache2/conf/httpd.conf
from mod_oauth2.
I'm not able to reproduce: can you set the log level to debug and send me the error_log?
from mod_oauth2.
What is the best way to send you the error log? with a link? Can I email it to you anywhere?
from mod_oauth2.
you can send it to [email protected]
from mod_oauth2.
Just checking in. Did you receive my email and logs?
from mod_oauth2.
I did but unfortunately it did not help me to reproduce so I have nothing to work from :-(
from mod_oauth2.
Any chance there are newer versions of these libraries and I'm just out of date?
COPY libhiredis0.13_0.13.3-2.2_amd64.deb /tmp/libhiredis0.13_0.13.3-2.2_amd64.deb
COPY libcjose0_0.6.1.5-1_bionic+1_amd64.deb /tmp/libcjose0_0.6.1.5-1_bionic+1_amd64.deb
COPY libapache2-mod-oauth2_3.2.0-1.bionic+1_amd64.deb /tmp/libapache2-mod-oauth2_3.2.0-1.bionic+1_amd64.deb
from mod_oauth2.
I tried to reproduce with your Dockerfile+versions, but no luck
from mod_oauth2.
Also to be sure. I feel that the issue is with our Android application (using OkHttp), and if the network blips on the Android device, that's when I get the 401. It also seems like for some reason that there is some sort of timing. I'm going to write some other tests to see if I can repeat this easier.
from mod_oauth2.
I've spent some more time trying to re-produce or find out what is going on. Based on your chance to look at the logs, do you have any clues on what is going on? Is it bad or partial data coming in? Is there something in the module that might be a problem? I'm kinda at a loss of where to dig.
from mod_oauth2.
I'm lost too; I would assume that partial data would lead to other, Apache-level errors
from mod_oauth2.
a double free error was solved in liboauth 1.4.4.1 https://github.com/zmartzone/liboauth2/releases/tag/v1.4.4.1; could this fix your issue as well? @GRRedWings please confirm
from mod_oauth2.
I just updated everything and tested (1.4.4.2). This did not fix my problem. I still have not been able to track it down. But I know if I try to make calls from my laptop I don't get the issue. But if I make them from an Android device using appauth for Android I do still get the issues in certain scenarios.
from mod_oauth2.
I'm trying to gather come more information. But here is what I have so far.
If I increase logging to trace8, it seems like the problem doesn't happen.
At trace6 I got these logs around the failure.
[Mon Jul 25 11:21:19.319811 2022] [oauth2:debug] [pid 93:tid 140228215936768] src/jose.c(934): [client 172.26.0.1:41202] _oauth2_jose_jwt_verify_jwk: leave: rc=0
[Mon Jul 25 11:21:19.319813 2022] [oauth2:debug] [pid 93:tid 140228215936768] src/jose.c(1333): [client 172.26.0.1:41202] oauth2_jose_jwt_verify: leave: 0
[Mon Jul 25 11:21:19.319814 2022] [oauth2:debug] [pid 93:tid 140228215936768] src/oauth2.c(848): [client 172.26.0.1:41202] oauth2_token_verify: leave: 0
[Mon Jul 25 11:21:19.319814 2022] [oauth2:debug] [pid 93:tid 140228215936768] src/server/apache.c(364): [client 172.26.0.1:41202] oauth2_apache_return_www_authenticate: enter
[Mon Jul 25 11:21:19.319816 2022] [oauth2:debug] [pid 93:tid 140228215936768] src/server/apache.c(456): [client 172.26.0.1:41202] oauth2_apache_hdr_out_add: WWW-Authenticate: Bearer error="invalid_token", error_description="Token could not be verified."
[Mon Jul 25 11:21:19.319818 2022] [oauth2:debug] [pid 93:tid 140228215936768] src/server/apache.c(388): [client 172.26.0.1:41202] oauth2_apache_return_www_authenticate: leave
[Mon Jul 25 11:21:19.319818 2022] [oauth2:debug] [pid 93:tid 140228215936768] src/mod_oauth2.c(144): [client 172.26.0.1:41202] oauth2_request_handler: leave
[Mon Jul 25 11:21:19.319819 2022] [core:trace3] [pid 93:tid 140228215936768] request.c(120): [client 172.26.0.1:41202] auth phase 'check user' gave status 401: /my/resources/v1.0/log/C6565BB1
[Mon Jul 25 11:21:19.319840 2022] [headers:debug] [pid 93:tid 140228215936768] mod_headers.c(890): AH01503: headers: ap_headers_error_filter()
[Mon Jul 25 11:21:19.319851 2022] [http:trace3] [pid 93:tid 140228215936768] http_filters.c(1129): [client 172.26.0.1:41202] Response sent with status 401, headers:
[Mon Jul 25 11:21:19.319852 2022] [http:trace5] [pid 93:tid 140228215936768] http_filters.c(1138): [client 172.26.0.1:41202] Date: Mon, 25 Jul 2022 11:21:19 GMT
[Mon Jul 25 11:21:19.319852 2022] [http:trace5] [pid 93:tid 140228215936768] http_filters.c(1141): [client 172.26.0.1:41202] Server: Apache
[Mon Jul 25 11:21:19.319853 2022] [http:trace4] [pid 93:tid 140228215936768] http_filters.c(959): [client 172.26.0.1:41202] Access-Control-Allow-Credentials: true
[Mon Jul 25 11:21:19.319854 2022] [http:trace4] [pid 93:tid 140228215936768] http_filters.c(959): [client 172.26.0.1:41202] Access-Control-Allow-Origin: my-server:8080
[Mon Jul 25 11:21:19.319855 2022] [http:trace4] [pid 93:tid 140228215936768] http_filters.c(959): [client 172.26.0.1:41202] Access-Control-Allow-Methods: POST, GET, OPTIONS, DELETE, PUT
[Mon Jul 25 11:21:19.319855 2022] [http:trace4] [pid 93:tid 140228215936768] http_filters.c(959): [client 172.26.0.1:41202] Access-Control-Max-Age: 1000
[Mon Jul 25 11:21:19.319856 2022] [http:trace4] [pid 93:tid 140228215936768] http_filters.c(959): [client 172.26.0.1:41202] Access-Control-Allow-Headers: x-requested-with, Content-Type, origin, authorization, accept, client-security-token
[Mon Jul 25 11:21:19.319857 2022] [http:trace4] [pid 93:tid 140228215936768] http_filters.c(959): [client 172.26.0.1:41202] WWW-Authenticate: Bearer error=\"invalid_token\", error_description=\"Token could not be verified.\"
[Mon Jul 25 11:21:19.319858 2022] [http:trace4] [pid 93:tid 140228215936768] http_filters.c(959): [client 172.26.0.1:41202] Content-Length: 381
[Mon Jul 25 11:21:19.319860 2022] [http:trace4] [pid 93:tid 140228215936768] http_filters.c(959): [client 172.26.0.1:41202] Keep-Alive: timeout=5, max=100
[Mon Jul 25 11:21:19.319860 2022] [http:trace4] [pid 93:tid 140228215936768] http_filters.c(959): [client 172.26.0.1:41202] Connection: Keep-Alive
[Mon Jul 25 11:21:19.319881 2022] [http:trace4] [pid 93:tid 140228215936768] http_filters.c(959): [client 172.26.0.1:41202] Content-Type: text/html; charset=iso-8859-1
[Mon Jul 25 11:21:19.319884 2022] [ssl:trace4] [pid 93:tid 140228215936768] ssl_engine_io.c(1853): [client 172.26.0.1:41202] coalesce: have 0 bytes, adding 598 more (buckets=1)
[Mon Jul 25 11:21:19.319885 2022] [ssl:trace4] [pid 93:tid 140228215936768] ssl_engine_io.c(1853): [client 172.26.0.1:41202] coalesce: have 598 bytes, adding 381 more (buckets=1)
[Mon Jul 25 11:21:19.319886 2022] [ssl:trace4] [pid 93:tid 140228215936768] ssl_engine_io.c(1916): [client 172.26.0.1:41202] coalesce: passing on 979 bytes
[Mon Jul 25 11:21:19.319888 2022] [ssl:trace6] [pid 93:tid 140228215936768] ssl_engine_io.c(891): [client 172.26.0.1:41202] ssl_filter_write: 979 bytes
[Mon Jul 25 11:21:19.319912 2022] [ssl:trace6] [pid 93:tid 140228215936768] ssl_engine_io.c(218): [client 172.26.0.1:41202] bio_filter_out_write: 1001 bytes
[Mon Jul 25 11:21:19.319921 2022] [ssl:trace4] [pid 93:tid 140228215936768] ssl_engine_io.c(2401): [client 172.26.0.1:41202] OpenSSL: write 1001/1001 bytes to BIO#7f895000bfb0 [mem: 7f892c004cc3]
[Mon Jul 25 11:21:19.319928 2022] [ssl:trace4] [pid 93:tid 140228215936768] ssl_engine_io.c(2411): [client 172.26.0.1:41202] OpenSSL: I/O error, 5 bytes expected to read on BIO#7f894c00a6c0 [mem: 7f892c004cc3]
172.26.0.1 - - [25/Jul/2022:11:21:19 +0000] "POST /my/resources/v1.0/log/C6565BB1 HTTP/1.1" 401 381
[Mon Jul 25 11:21:19.319965 2022] [core:trace6] [pid 93:tid 140228215936768] core_filters.c(828): [client 172.26.0.1:41202] writev_nonblocking: 1001/1001
[Mon Jul 25 11:21:19.319993 2022] [oauth2:debug] [pid 93:tid 140228215936768] src/server/apache.c(332): [client 172.26.0.1:41202] oauth2_apache_request_context_free: dispose request context: 0x7f892c00bb70
double free or corruption (fasttop)
[Mon Jul 25 11:21:19.499844 2022] [core:notice] [pid 1:tid 140229033639232] AH00052: child pid 93 exit signal Aborted (6)
[Mon Jul 25 11:21:19.499880 2022] [core:trace4] [pid 1:tid 140229033639232] mpm_common.c(538): mpm child 93 (gen 0/slot 3) exited
[Mon Jul 25 11:21:19.499882 2022] [mpm_event:debug] [pid 1:tid 140229033639232] event.c(715): Child 3 stopped: pid 93, gen 0, active 3/16, total 3/4/16, quiescing 0
[Mon Jul 25 11:21:19.500430 2022] [core:trace4] [pid 1:tid 140229033639232] mpm_common.c(538): mpm child 121 (gen 0/slot 3) started
[Mon Jul 25 11:21:19.500449 2022] [mpm_event:debug] [pid 1:tid 140229033639232] event.c(740): Child 3 started: pid 121, gen 0, active 4/16, total 4/4/16
from mod_oauth2.
it seems that the crash happens only after the token fails to verify and an attempt is made to return a legitimate 401 error; the logs just before would show why the token fails to validate and may provide more insight into what is going on
from mod_oauth2.
Thank you for looking at this. I have sent you an email with the full log.
from mod_oauth2.
In looking at the logs prior, it almost looks like maybe it's an issue with the timeout. If I change my expiry from 5 to 60, in my short test window it has not happened.
(expires=1658748075, now=1658748070)
It almost seems like my expiry is not long enough. I've set it to 5, and maybe when I have a network blip it's not enough time?
from mod_oauth2.
this should be fixed now in release 1.4.5 of liboauth2:
https://github.com/zmartzone/liboauth2/releases/tag/v1.4.5
the issue would only appear with mod_oauth2 when using:
OAuth2TokenVerify jwk <key>
and was caused by using non-thread-safe functions cjose_jwk_retain
and cjose_jwk_release
in a multi-threaded setting
from mod_oauth2.
I've done a bit of testing and I have not had the issue come up again. I think it's safe to say that you found my issue! I appreciate you spending the time to dig into this.
from mod_oauth2.
Related Issues (20)
- Error Using Pubkey HOT 4
- Trouble setting up on Centos 7 HOT 6
- How to Rewrite HTTP_AUTHORIZATION header with claims from token? HOT 1
- Exp not being honored properly for jwk HOT 4
- open Discussions like in mod_auth_openidc... HOT 1
- Please add support for RH8 HOT 1
- Fatal error: httpd.h when compile HOT 2
- Can't locate API module structure 'mod_oauth2' HOT 16
- Outgoing_proxy not taken in account HOT 7
- How to match scope value made up of multiple words HOT 13
- Occasional core dump under high load HOT 1
- Cache value size is too large HOT 1
- Export access token claims HOT 2
- Can you please provide builds for jammy / Ubuntu 22.04 ? HOT 1
- Segmentation fault when request is proxied without Authorization header. HOT 4
- Access control <RequireAny> sets WWW-Authenticate header - insufficient_scope HOT 4
- oauth2: token could not be verified even with a valid token HOT 5
- mod_oauth2 3.3.1 does not install on fedora 37 HOT 5
- How to verify and decode multiple tokens ? HOT 4
Recommend Projects
-
React
A declarative, efficient, and flexible JavaScript library for building user interfaces.
-
Vue.js
🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
-
Typescript
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
-
TensorFlow
An Open Source Machine Learning Framework for Everyone
-
Django
The Web framework for perfectionists with deadlines.
-
Laravel
A PHP framework for web artisans
-
D3
Bring data to life with SVG, Canvas and HTML. 📊📈🎉
-
Recommend Topics
-
javascript
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
-
web
Some thing interesting about web. New door for the world.
-
server
A server is a program made to process requests and deliver data to clients.
-
Machine learning
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
-
Visualization
Some thing interesting about visualization, use data art
-
Game
Some thing interesting about game, make everyone happy.
Recommend Org
-
Facebook
We are working to build community through open source technology. NB: members must have two-factor auth.
-
Microsoft
Open source projects and samples from Microsoft.
-
Google
Google ❤️ Open Source for everyone.
-
Alibaba
Alibaba Open Source for everyone
-
D3
Data-Driven Documents codes.
-
Tencent
China tencent open source team.
from mod_oauth2.