Riccardo Malavolti

Reputation: 1

mod_auth_openidc error 400 Bad Request - too many cookies (?)

I have a container mapped by Nginx on example.org/portia/test, structured as follows:

a scheme of my network

I'm trying to add OpenID Connect authentication using the mod_auth_openidc plugin for Apache; I want to protect the entire virtual host.

So far I reach the correct login page on auth-example.org, I log in with my credentials, and the auth server redirects me with the correct URI. Nginx answers me with a 400 error.

request sent with a lot of cookies

The auth server is used by several applications inside mydomain.org, so I guess something is wrong with my Apache configuration file.

For clarity's sake, I can't touch Nginx or the auth server confs.

apache_site.conf

<VirtualHost *:9001>
        ServerAdmin webmaster@localhost
        DocumentRoot /app/portiaui/dist

        ServerName www.example.org
        ServerAlias example.org

        #ProxyRequests On
        Alias /static /app/portiaui/dist

        OIDCProviderMetadataURL https://www.auth-example.org/auth/realms/master/.wel$
        OIDCRedirectURI https://example.org/portia/test/callback
        OIDCCryptoPassphrase <much secret>
        OIDCClientID portia
        OIDCClientSecret <much private>
        OIDCCookiePath example.org/portia/test/
        OIDCCookieDomain example.org


        <Location /static>
                Require all granted
        </Location>

        <Location /api>
                Require all granted
                ProxyPass http://127.0.0.1:8000/api
                ProxyPassReverse http://127.0.0.1:8000/api
                ProxyPreserveHost On
        </Location>

        <Location /server_capabilities>
                Require all granted
                ProxyPass http://127.0.0.1:8000/server_capabilities
                ProxyPassReverse http://127.0.0.1:8000/server_capabilities
                ProxyPreserveHost On
        </Location>

        # mod_proxy_wstunnel is enabled
        <Location /ws>
                RequestHeader set Host "127.0.0.1:9002"
                ProxyPreserveHost On
                ProxyPass http://127.0.0.1:9002/ws
                ProxyPassReverse http://127.0.0.1:9002/ws
        </Location>

        <Location />
                AuthType openid-connect
                Require valid-user
        </Location>

        ErrorLog ${APACHE_LOG_DIR}/error.log
        CustomLog ${APACHE_LOG_DIR}/access.log combined

</VirtualHost>

Upvotes: 0

Views: 1993

Answers (2)

Riccardo Malavolti

Reputation: 21

Hans Z.'s answer suggested that I also change OIDCRedirectURI to a relative path.

Setting OIDCRedirectURI /callback solved the issue: my Apache instance doesn't receive the entire URL www.example.org/portia/test/callback but only the last part of the path. This is due to the front-side Nginx instance.

Upvotes: 0

Hans Z.

Reputation: 54118

The cookie path setting in OIDCCookiePath only needs to contain the actual path, not the host. In fact I'd start without using any of OIDCCookiePath or OIDCCookieDomain.

Upvotes: 0
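
Why a host name in OIDCCookiePath matters on the browser side, as an added example that is not part of either answer or of mod_auth_openidc: RFC 6265 (sections 5.1.4 and 5.2.4) has the user agent ignore a Path attribute that does not start with "/" and fall back to a default path taken from the URL that set the cookie. The request paths are constructed, and it is an assumption that the configured value is emitted verbatim as the cookie's Path attribute.

```python
# Cookie Path handling per RFC 6265 sections 5.1.4 and 5.2.4.
# All request paths below are constructed sample values.

def default_path(request_path: str) -> str:
    """Default cookie path derived from the URL that set the cookie (5.1.4)."""
    if not request_path.startswith("/") or request_path.count("/") == 1:
        return "/"
    # Everything up to, but not including, the right-most "/".
    return request_path[: request_path.rfind("/")]


def stored_path(path_attr: str, request_path: str) -> str:
    """Path the browser stores for a Set-Cookie Path attribute (5.2.4)."""
    # A value that is empty or does not start with "/" is ignored.
    if not path_attr.startswith("/"):
        return default_path(request_path)
    return path_attr


def path_match(request_path: str, cookie_path: str) -> bool:
    """True when a cookie stored with cookie_path is sent to request_path."""
    if request_path == cookie_path:
        return True
    if not request_path.startswith(cookie_path):
        return False
    # Prefix match only counts on a "/" boundary.
    return cookie_path.endswith("/") or request_path[len(cookie_path)] == "/"


def sent_to(path_attr: str, set_on: str, request_path: str) -> bool:
    """Would a cookie set on `set_on` with `path_attr` reach `request_path`?"""
    return path_match(request_path, stored_path(path_attr, set_on))


CALLBACK = "/portia/test/callback"          # browser-side path of the redirect URI
DEEP_PAGE = "/portia/test/projects/1/edit"  # constructed page that starts a login

if __name__ == "__main__":
    # The question's value (with host) next to a path-only value.
    for attr in ("example.org/portia/test/", "/portia/test/"):
        print(f"Path={attr!r}: stored as {stored_path(attr, DEEP_PAGE)!r}, "
              f"sent to callback: {sent_to(attr, DEEP_PAGE, CALLBACK)}")
```
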
