Reputation: 56
I have configured mod_auth_openidc on an Apache 2.4 server. Everything is working OK for protected locations. For those resources the backend applications (PHP script or reverse proxied application) receive the claims as HTTP headers OIDC_xxx.
On this web server I also have public locations. Nevertheless, if an authenticated user hits one of those resources, I would also like to receive the OIDC headers.
My httpd config looks like:
    <Location /private>
        AuthType openid-connect
        <RequireAll>
            Require valid-user
            Require claim groups:B2C
        </RequireAll>
    </Location>
    <Location /public>
        AuthType openid-connect
        <RequireAny>
            Require valid-user
            Require all granted
        </RequireAny>
    </Location>
The private location is well protected by the OIDC provider and the HTTP headers are populated. The public location can be reached by unauthenticated users (Require all granted); but nevertheless, is there a way to configure httpd and mod_auth_openidc to populate the headers for authenticated users hitting the public location? The above configuration does not do it in any case (no OIDC_ headers).
Thanks.
Upvotes: 2
Views: 3250
Reputation: 1653
For the benefit of others trying to get a complete working configuration that has an app with lazy sessions with a login within the app area, here is an example:
    <Location /app/>
        AuthType openid-connect
        Require valid-user
        OIDCUnAuthAction pass
    </Location>
    <LocationMatch /app/(login|redirect)>
        OIDCUnAuthAction auth
    </LocationMatch>
where /app/ is the app area, /app/login is the login URL, and /app/redirect is the redirect set in OIDCRedirectURI.
Upvotes: 1
Reputation: 54118
There's a way to configure these so-called "lazy sessions" by using:
    OIDCUnAuthAction pass
in that particular location; see the docs for the OIDCUnAuthAction primitive:
    Defines the action to be taken when an unauthenticated request is made.
    "auth" means that the user is redirected to the OpenID Connect Provider or Discovery page.
    "401" means that HTTP 401 Unauthorized is returned.
    "410" means that HTTP 410 Gone is returned.
    "pass" means that an unauthenticated request will pass but claims will still be passed when a user happens to be authenticated already. Useful in Location/Directory/Proxy path contexts that serve AJAX/Javascript calls and for "anonymous access".
    When not defined the default "auth" is used.
    OIDCUnAuthAction [auth|pass|401|410]
Upvotes: 2
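Putting the two answers together with the question's own /private and /public layout, here is an added example of a complete httpd configuration (not from the question, the answers, or the mod_auth_openidc project). The provider URL, client id and secret, passphrase, hostname and the /private/redirect_uri and /public/login paths are placeholders chosen for the example.

```apache
# Added example: full configuration for a protected area plus a public
# area with lazy sessions. All hostnames, credentials and paths below
# are placeholders, not values from the question or answers.
LoadModule auth_openidc_module modules/mod_auth_openidc.so

OIDCProviderMetadataURL https://op.example.com/.well-known/openid-configuration
OIDCClientID client-id-placeholder
OIDCClientSecret client-secret-placeholder
# The redirect URI must be a path that mod_auth_openidc itself handles
# (inside a location with AuthType openid-connect); here it lives under
# /private and is never served by a backend application.
OIDCRedirectURI https://www.example.com/private/redirect_uri
OIDCCryptoPassphrase crypto-passphrase-placeholder

# Protected area: unauthenticated requests are sent to the provider
# (default OIDCUnAuthAction auth) and membership of group B2C is required.
<Location /private>
    AuthType openid-connect
    <RequireAll>
        Require valid-user
        Require claim groups:B2C
    </RequireAll>
</Location>

# Public area with a lazy session: anonymous requests pass through, but
# when the browser presents a valid mod_auth_openidc session cookie the
# OIDC_CLAIM_* headers are set for the backend exactly as under /private.
<Location /public>
    AuthType openid-connect
    Require valid-user
    OIDCUnAuthAction pass
</Location>

# Optional login entry point inside the public area: forces the redirect
# to the provider, after which the user is returned here with a session.
<Location /public/login>
    AuthType openid-connect
    Require valid-user
    OIDCUnAuthAction auth
</Location>
```

Two things to keep in mind with the pass mode: the backend behind /public must treat the absence of OIDC_CLAIM_* headers as "anonymous" and decide per request based on a specific claim header (for example the subject claim) rather than assume a user is present, and the backend should only be reachable through this Apache instance, so that the headers it sees are the ones the module set and not ones supplied by a client.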