
Comments (5)

zandbelt commented on June 18, 2024

I don't think the token is presented right, since the Authorization header does not show up in the _oauth2_http_request_header_set_add_sanitized traces, nor oauth2_nv_list_get: Authorization=(null), but I would firstly comment out Auth2AcceptTokenIn header name=Authorization since you want to go with the default, which interprets a "bearer" variant.

from mod_oauth2.

aniabraham commented on June 18, 2024

Commented out Auth2AcceptTokenIn header name=Authorization and that didn't work.
You might be right about the Authorization header not being present but it is in fact present in the request the client makes but Apache is probably removing it. Curious to know why it doesn't remove the authorization header with the OAuth 2.0 Resource Server module.


kannan-saran commented on June 18, 2024

Similar invalid_token issue but different cause for remote user. Please clarify if anything is missing.

WWW-Authenticate: Bearer error="invalid_token", error_description="Could not determine remote user."

Apache configuration:

AuthType oauth2
OAuth2TokenVerify introspect https://somefqdn.com/atoken/introspection introspect.ssl_verify=false&introspect.auth=client_secret_post&client_id=someclientID&client_secret=somesecret
Require valid-user

logs:

[Wed Oct 14 13:25:47.316907 2020] [authz_core:debug] [pid 12113:tid 139649737496320] mod_authz_core.c(818): [client 3.233.78.13:1564] AH01626: authorization result of Require valid-user : denied (no authenticated user yet)
[Wed Oct 14 13:25:47.316920 2020] [authz_core:debug] [pid 12113:tid 139649737496320] mod_authz_core.c(818): [client 3.233.78.13:1564] AH01626: authorization result of : denied (no authenticated user yet)
[Wed Oct 14 13:25:47.316939 2020] [oauth2:debug] [pid 12113:tid 139649737496320] src/http.c(154): [client 3.233.78.13:1564] _oauth2_http_request_header_set_add_sanitized: Host: xxxx
[Wed Oct 14 13:25:47.316947 2020] [oauth2:debug] [pid 12113:tid 139649737496320] src/http.c(154): [client 3.233.78.13:1564] _oauth2_http_request_header_set_add_sanitized: User-Agent: curl/7.70.0
[Wed Oct 14 13:25:47.316951 2020] [oauth2:debug] [pid 12113:tid 139649737496320] src/http.c(154): [client 3.233.78.13:1564] _oauth2_http_request_header_set_add_sanitized: Accept: /
[Wed Oct 14 13:25:47.316955 2020] [oauth2:debug] [pid 12113:tid 139649737496320] src/http.c(154): [client 3.233.78.13:1564] _oauth2_http_request_header_set_add_sanitized: Authorization: Bearer 0003VsrMnN0s58CXeK0yLbOfVRqn
[Wed Oct 14 13:25:47.316959 2020] [oauth2:debug] [pid 12113:tid 139649737496320] src/http.c(154): [client 3.233.78.13:1564] _oauth2_http_request_header_set_add_sanitized: access_token: 0003VsrMnN0s58CXeK0yLbOfVRqn
[Wed Oct 14 13:25:47.316963 2020] [oauth2:debug] [pid 12113:tid 139649737496320] src/server/apache.c(280): [client 3.233.78.13:1564] oauth2_apache_request_context_init: created request context: 0x7f02b4010380
[Wed Oct 14 13:25:47.316971 2020] [oauth2:debug] [pid 12113:tid 139649737496320] src/mod_oauth2.c(190): [client 3.233.78.13:1564] oauth2_check_user_id_handler: incoming request: "/index.html?(null)" ap_is_initial_req=1
[Wed Oct 14 13:25:47.316975 2020] [oauth2:debug] [pid 12113:tid 139649737496320] src/mod_oauth2.c(107): [client 3.233.78.13:1564] oauth2_request_handler: enter
[Wed Oct 14 13:25:47.316980 2020] [oauth2:debug] [pid 12113:tid 139649737496320] src/proto.c(212): [client 3.233.78.13:1564] _oauth2_get_source_token_from_envvar: enter
[Wed Oct 14 13:25:47.316985 2020] [oauth2:debug] [pid 12113:tid 139649737496320] src/server/apache.c(491): [client 3.233.78.13:1564] oauth2_apache_get_envvar: get environment variable: access_token
[Wed Oct 14 13:25:47.316988 2020] [oauth2:debug] [pid 12113:tid 139649737496320] src/proto.c(226): [client 3.233.78.13:1564] _oauth2_get_source_token_from_envvar: no source token found in access_token environment variable
[Wed Oct 14 13:25:47.316991 2020] [oauth2:debug] [pid 12113:tid 139649737496320] src/proto.c(45): [client 3.233.78.13:1564] _oauth2_get_source_token_from_header: enter
[Wed Oct 14 13:25:47.316995 2020] [oauth2:debug] [pid 12113:tid 139649737496320] src/util.c(905): [client 3.233.78.13:1564] oauth2_nv_list_get: Authorization=Bearer 0003VsrMnN0s58CXeK0yLbOfVRqn
[Wed Oct 14 13:25:47.316999 2020] [oauth2:debug] [pid 12113:tid 139649737496320] src/proto.c(58): [client 3.233.78.13:1564] _oauth2_get_source_token_from_header: Authorization header found
[Wed Oct 14 13:25:47.317003 2020] [oauth2:debug] [pid 12113:tid 139649737496320] src/proto.c(84): [client 3.233.78.13:1564] _oauth2_get_source_token_from_header: leave: 0003VsrMnN0s58CXeK0yLbOfVRqn
[Wed Oct 14 13:25:47.317006 2020] [oauth2:debug] [pid 12113:tid 139649737496320] src/oauth2.c(706): [client 3.233.78.13:1564] oauth2_token_verify: enter
[Wed Oct 14 13:25:47.317009 2020] [oauth2:debug] [pid 12113:tid 139649737496320] src/cache.c(402): [client 3.233.78.13:1564] oauth2_cache_get: enter: key=0003VsrMnN0s58CXeK0yLbOfVRqn, type=shm, decrypt=0
[Wed Oct 14 13:25:47.317013 2020] [oauth2:debug] [pid 12113:tid 139649737496320] src/cache.c(371): [client 3.233.78.13:1564] _oauth2_cache_hash_key: enter: key=0003VsrMnN0s58CXeK0yLbOfVRqn, algo=(null)
[Wed Oct 14 13:25:47.317016 2020] [oauth2:debug] [pid 12113:tid 139649737496320] src/jose.c(117): [client 3.233.78.13:1564] oauth2_jose_hash_bytes: enter
[Wed Oct 14 13:25:47.317057 2020] [oauth2:debug] [pid 12113:tid 139649737496320] src/jose.c(167): [client 3.233.78.13:1564] oauth2_jose_hash_bytes: leave: 1
[Wed Oct 14 13:25:47.317072 2020] [oauth2:debug] [pid 12113:tid 139649737496320] src/cache.c(386): [client 3.233.78.13:1564] _oauth2_cache_hash_key: leave: hashed key: cc7219952e99c08ddee9df2e62bbe3855133866be7bda6ac1379cba64b887bd5
[Wed Oct 14 13:25:47.317075 2020] [oauth2:debug] [pid 12113:tid 139649737496320] src/cache/shm.c(251): [client 3.233.78.13:1564] oauth2_cache_shm_get: enter
[Wed Oct 14 13:25:47.317748 2020] [oauth2:debug] [pid 12113:tid 139649737496320] src/cache/shm.c(309): [client 3.233.78.13:1564] oauth2_cache_shm_get: leave: 1
[Wed Oct 14 13:25:47.317762 2020] [oauth2:debug] [pid 12113:tid 139649737496320] src/cache.c(429): [client 3.233.78.13:1564] oauth2_cache_get: leave: cache miss for key: 0003VsrMnN0s58CXeK0yLbOfVRqn return: 0 bytes
[Wed Oct 14 13:25:47.317765 2020] [oauth2:debug] [pid 12113:tid 139649737496320] src/oauth2.c(376): [client 3.233.78.13:1564] _oauth2_introspect_verify: enter
[Wed Oct 14 13:25:47.317772 2020] [oauth2:debug] [pid 12113:tid 139649737496320] src/http.c(738): [client 3.233.78.13:1564] _oauth2_http_url_encode_list: processing: token=0003VsrMnN0s58CXeK0yLbOfVRqn
[Wed Oct 14 13:25:47.317775 2020] [oauth2:debug] [pid 12113:tid 139649737496320] src/util.c(264): [client 3.233.78.13:1564] oauth2_url_encode: enter: token
[Wed Oct 14 13:25:47.317813 2020] [oauth2:debug] [pid 12113:tid 139649737496320] src/util.c(289): [client 3.233.78.13:1564] oauth2_url_encode: leave: token
[Wed Oct 14 13:25:47.317822 2020] [oauth2:debug] [pid 12113:tid 139649737496320] src/util.c(264): [client 3.233.78.13:1564] oauth2_url_encode: enter: 0003VsrMnN0s58CXeK0yLbOfVRqn
[Wed Oct 14 13:25:47.317827 2020] [oauth2:debug] [pid 12113:tid 139649737496320] src/util.c(289): [client 3.233.78.13:1564] oauth2_url_encode: leave: 0003VsrMnN0s58CXeK0yLbOfVRqn
[Wed Oct 14 13:25:47.317832 2020] [oauth2:debug] [pid 12113:tid 139649737496320] src/http.c(738): [client 3.233.78.13:1564] _oauth2_http_url_encode_list: processing: token_type_hint=access_token
[Wed Oct 14 13:25:47.317834 2020] [oauth2:debug] [pid 12113:tid 139649737496320] src/util.c(264): [client 3.233.78.13:1564] oauth2_url_encode: enter: token_type_hint
[Wed Oct 14 13:25:47.317839 2020] [oauth2:debug] [pid 12113:tid 139649737496320] src/util.c(289): [client 3.233.78.13:1564] oauth2_url_encode: leave: token_type_hint
[Wed Oct 14 13:25:47.317841 2020] [oauth2:debug] [pid 12113:tid 139649737496320] src/util.c(264): [client 3.233.78.13:1564] oauth2_url_encode: enter: access_token
[Wed Oct 14 13:25:47.317845 2020] [oauth2:debug] [pid 12113:tid 139649737496320] src/util.c(289): [client 3.233.78.13:1564] oauth2_url_encode: leave: access_token
[Wed Oct 14 13:25:47.317849 2020] [oauth2:debug] [pid 12113:tid 139649737496320] src/http.c(738): [client 3.233.78.13:1564] _oauth2_http_url_encode_list: processing: client_id=someclientID
[Wed Oct 14 13:25:47.317852 2020] [oauth2:debug] [pid 12113:tid 139649737496320] src/util.c(264): [client 3.233.78.13:1564] oauth2_url_encode: enter: client_id
[Wed Oct 14 13:25:47.317856 2020] [oauth2:debug] [pid 12113:tid 139649737496320] src/util.c(289): [client 3.233.78.13:1564] oauth2_url_encode: leave: client_id
[Wed Oct 14 13:25:47.317861 2020] [oauth2:debug] [pid 12113:tid 139649737496320] src/util.c(264): [client 3.233.78.13:1564] oauth2_url_encode: enter: someclientID
[Wed Oct 14 13:25:47.317866 2020] [oauth2:debug] [pid 12113:tid 139649737496320] src/util.c(289): [client 3.233.78.13:1564] oauth2_url_encode: leave: someclientID
[Wed Oct 14 13:25:47.317869 2020] [oauth2:debug] [pid 12113:tid 139649737496320] src/http.c(738): [client 3.233.78.13:1564] _oauth2_http_url_encode_list: processing: client_secret=somesecret
[Wed Oct 14 13:25:47.317872 2020] [oauth2:debug] [pid 12113:tid 139649737496320] src/util.c(264): [client 3.233.78.13:1564] oauth2_url_encode: enter: client_secret
[Wed Oct 14 13:25:47.317876 2020] [oauth2:debug] [pid 12113:tid 139649737496320] src/util.c(289): [client 3.233.78.13:1564] oauth2_url_encode: leave: client_secret
[Wed Oct 14 13:25:47.317879 2020] [oauth2:debug] [pid 12113:tid 139649737496320] src/util.c(264): [client 3.233.78.13:1564] oauth2_url_encode: enter: somesecret
[Wed Oct 14 13:25:47.317883 2020] [oauth2:debug] [pid 12113:tid 139649737496320] src/util.c(289): [client 3.233.78.13:1564] oauth2_url_encode: leave: somesecret
[Wed Oct 14 13:25:47.317887 2020] [oauth2:debug] [pid 12113:tid 139649737496320] src/http.c(814): [client 3.233.78.13:1564] oauth2_http_url_form_encode: data=token=0003VsrMnN0s58CXeK0yLbOfVRqn&token_type_hint=access_token&client_id=someclientID&client_secret=somesecret
[Wed Oct 14 13:25:47.317897 2020] [oauth2:debug] [pid 12113:tid 139649737496320] src/http.c(910): [client 3.233.78.13:1564] oauth2_http_call: enter: url=https://somefqdn.com/atoken/introspection, data=token=0003VsrMnN0s58CXeK0yLbOfVRqn&token_type_hint=access_token&client_id=someclientID&client_secret=somesecret, ctx=[ hdr=[ Content-Type=application/x-www-form-urlencoded ] cookie=[ ] ]
[Wed Oct 14 13:25:47.792899 2020] [oauth2:debug] [pid 12113:tid 139649737496320] src/http.c(1032): [client 3.233.78.13:1564] oauth2_http_call: HTTP response code=200
[Wed Oct 14 13:25:47.793081 2020] [oauth2:debug] [pid 12113:tid 139649737496320] src/http.c(1051): [client 3.233.78.13:1564] oauth2_http_call: leave [1]: {"scope":"openid profile","active":true,"token_type":"Bearer","exp":1602698580,"client_id":"someclientID","username":"someuser"}
[Wed Oct 14 13:25:47.793182 2020] [oauth2:debug] [pid 12113:tid 139649737496320] src/oauth2.c(451): [client 3.233.78.13:1564] _oauth2_introspect_verify: leave: 1
[Wed Oct 14 13:25:47.793195 2020] [oauth2:debug] [pid 12113:tid 139649737496320] src/cache.c(450): [client 3.233.78.13:1564] oauth2_cache_set: enter: key=0003VsrMnN0s58CXeK0yLbOfVRqn, len=134, ttl(s)=300, type=shm, encrypt=0
[Wed Oct 14 13:25:47.793200 2020] [oauth2:debug] [pid 12113:tid 139649737496320] src/cache.c(371): [client 3.233.78.13:1564] _oauth2_cache_hash_key: enter: key=0003VsrMnN0s58CXeK0yLbOfVRqn, algo=(null)
[Wed Oct 14 13:25:47.793204 2020] [oauth2:debug] [pid 12113:tid 139649737496320] src/jose.c(117): [client 3.233.78.13:1564] oauth2_jose_hash_bytes: enter
[Wed Oct 14 13:25:47.793222 2020] [oauth2:debug] [pid 12113:tid 139649737496320] src/jose.c(167): [client 3.233.78.13:1564] oauth2_jose_hash_bytes: leave: 1
[Wed Oct 14 13:25:47.793231 2020] [oauth2:debug] [pid 12113:tid 139649737496320] src/cache.c(386): [client 3.233.78.13:1564] _oauth2_cache_hash_key: leave: hashed key: cc7219952e99c08ddee9df2e62bbe3855133866be7bda6ac1379cba64b887bd5
[Wed Oct 14 13:25:47.793234 2020] [oauth2:debug] [pid 12113:tid 139649737496320] src/cache/shm.c(341): [client 3.233.78.13:1564] oauth2_cache_shm_set: enter
[Wed Oct 14 13:25:47.793265 2020] [oauth2:debug] [pid 12113:tid 139649737496320] src/cache/shm.c(437): [client 3.233.78.13:1564] oauth2_cache_shm_set: leave: 1
[Wed Oct 14 13:25:47.793274 2020] [oauth2:debug] [pid 12113:tid 139649737496320] src/cache.c(479): [client 3.233.78.13:1564] oauth2_cache_set: leave: successfully stored: 0003VsrMnN0s58CXeK0yLbOfVRqn
[Wed Oct 14 13:25:47.793278 2020] [oauth2:debug] [pid 12113:tid 139649737496320] src/oauth2.c(736): [client 3.233.78.13:1564] oauth2_token_verify: leave: 1
[Wed Oct 14 13:25:47.793283 2020] [oauth2:error] [pid 12113:tid 139649737496320] [client 3.233.78.13:1564] oauth2_apache_set_request_user: remote user claim could not be found
[Wed Oct 14 13:25:47.793286 2020] [oauth2:debug] [pid 12113:tid 139649737496320] src/server/apache.c(321): [client 3.233.78.13:1564] oauth2_apache_return_www_authenticate: enter
[Wed Oct 14 13:25:47.793292 2020] [oauth2:debug] [pid 12113:tid 139649737496320] src/server/apache.c(413): [client 3.233.78.13:1564] oauth2_apache_hdr_out_add: WWW-Authenticate: Bearer error="invalid_token", error_description="Could not determine remote user."
[Wed Oct 14 13:25:47.793297 2020] [oauth2:debug] [pid 12113:tid 139649737496320] src/server/apache.c(345): [client 3.233.78.13:1564] oauth2_apache_return_www_authenticate: leave
[Wed Oct 14 13:25:47.793300 2020] [oauth2:debug] [pid 12113:tid 139649737496320] src/mod_oauth2.c(153): [client 3.233.78.13:1564] oauth2_request_handler: leave
[Wed Oct 14 13:25:47.793526 2020] [oauth2:debug] [pid 12113:tid 139649737496320] src/server/apache.c(289): [client 3.233.78.13:1564] oauth2_apache_request_context_free: dispose request context: 0x7f02b4010380



kannan-saran commented on June 18, 2024

@zandbelt could you look into the above log and suggest if anything is missing?


zandbelt commented on June 18, 2024

By default it looks for the "sub" claim; you'll need to provide that claim or change it via OAuth2TargetPass.

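An added example, not part of the original thread and not mod_oauth2 code: a Python check that pulls the introspection response out of a debug log like the one posted above and reports whether the claim used for the remote user is present. The sample log lines are constructed from the thread's output, and the function names and the list of candidate claims are assumptions made for this illustration.

```python
import json
import re

# Constructed sample, shaped like the debug log in this thread (client address is a placeholder).
SAMPLE_LOG = (
    '[Wed Oct 14 13:25:47.793081 2020] [oauth2:debug] [pid 1:tid 2] src/http.c(1051): '
    '[client 192.0.2.10:1564] oauth2_http_call: leave [1]: {"scope":"openid profile",'
    '"active":true,"token_type":"Bearer","exp":1602698580,"client_id":"someclientID",'
    '"username":"someuser"}\n'
    '[Wed Oct 14 13:25:47.793283 2020] [oauth2:error] [pid 1:tid 2] [client 192.0.2.10:1564] '
    'oauth2_apache_set_request_user: remote user claim could not be found\n'
)

RESPONSE_RE = re.compile(r"oauth2_http_call: leave \[1\]: (\{.*\})\s*$")
# Assumption: claims worth suggesting as a user identifier.
# "client_id" is left out on purpose: it names the client, not the user.
USER_CLAIMS = ("sub", "username", "preferred_username", "email")


def introspection_responses(log_text):
    """Yield each JSON object logged as an introspection response."""
    for line in log_text.splitlines():
        match = RESPONSE_RE.search(line)
        if not match:
            continue
        try:
            body = json.loads(match.group(1))
        except json.JSONDecodeError:
            continue  # wrapped or truncated log line
        if isinstance(body, dict):
            yield body


def diagnose(log_text, remote_user_claim="sub"):
    """Report, per response, whether the remote-user claim can be resolved."""
    findings = []
    for claims in introspection_responses(log_text):
        value = claims.get(remote_user_claim)
        findings.append({
            "active": claims.get("active") is True,
            "claim": remote_user_claim,
            "present": isinstance(value, str) and value != "",
            "candidates": [c for c in USER_CLAIMS
                           if c != remote_user_claim and isinstance(claims.get(c), str)],
        })
    return findings


if __name__ == "__main__":
    for finding in diagnose(SAMPLE_LOG):
        print(finding)
```

With the default claim "sub" the sample reports an active token whose remote-user claim is absent and offers "username" as the only candidate, which matches the reply's diagnosis.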
