AnthonyDeroche / mod_authnz_jwt

An authentication module for Apache httpd using JSON Web Tokens

Missing Authorization header even though one is set #57

Closed simon-payne-informa closed 2 years ago

simon-payne-informa commented 3 years ago

Hi Anthony,

I am trying to integrate your module into an Apache 2.4 server on Centos 7 running in a Docker container. This is to meet a requirement for the client to supply a valid JWT before allowing proxying of a request through Apache to a destination API.

The client supplies a header named X-Custom-Auth-Header (this is constrained by other components and the header name cannot be changed to be more standard); my idea is to turn it into an Authorization: Bearer ... header so that mod_authnz_jwt can validate the token before granting the access request.

Here is the configuration in the virtual host that contains the proxy:


RequestHeader set Authorization "Bearer %{X-Custom-Auth-Header}e"

<IfModule auth_jwt_module>
    AuthJWTSignatureAlgorithm HS512
    AuthJWTSignatureSharedSecret xxxx
</IfModule>

<LocationMatch "/gosomewhere">
    ProxyPass https://api.somewhere.com
    ProxyPassReverse https://api.somewhere.com
    RequestHeader set X-APIKey yyyy
    <IfModule auth_jwt_module>
        AllowOverride None
        AuthType jwt
        AuthName "private area"
        AuthJWTAttributeUsername username
        Require valid-user
    </IfModule>
</LocationMatch>

The error I get in the Apache logs is:

[authz_core:debug] mod_authz_core.c(818):  AH01626: authorization result of <RequireAny>: denied (no authenticated user yet)
[auth_jwt:debug] mod_authnz_jwt.c(1056):  AH55400: auth_jwt: checking authentication with token...
[auth_jwt:debug] mod_authnz_jwt.c(1072): AH55400: auth_jwt: authSubType
[auth_jwt:debug] mod_authnz_jwt.c(1081):  AH55400: auth_jwt: delivery_type 2
[auth_jwt:debug] mod_authnz_jwt.c(1094):  AH55402: auth_jwt authn: reading Authorization header...
[auth_jwt:error] AH55404: auth_jwt authn: missing Authorization header, responding with WWW-Authenticate header...

It seems that it is erroring at a stage before the RequestHeader set Authorization ... line. Is it possible to work around this, and if so, please can you advise what I need to do in order to get the Authorization header to be detected by mod_authnz_jwt?

Thank you.

Simon Payne

AnthonyDeroche commented 3 years ago

Hi,

RequestHeader is applied at the end of the request processing by default. You can add the "early" keyword at the end of the directive to have the header set as soon as possible.

Take a look at "Early and late processing" in https://httpd.apache.org/docs/current/mod/mod_headers.html.

Anthony

simon-payne-informa commented 3 years ago

Hi,

Thanks for that, it has given me some progress. With the early keyword added, I now get this:

[auth_jwt:debug] mod_authnz_jwt.c(1120): AH55402: auth_jwt authn: reading Authorization header...
[auth_jwt:debug] mod_authnz_jwt.c(1169): AH55405: auth_jwt authn: checking signature and fields correctness...
[auth_jwt:error] AH55512: Decoding process has failed, token is either malformed or signature is invalid

So it appears to now have the Authorization header, but I guess the value is garbled or unassigned. I suspect I'll just have to dig away at it to find out why.

Thanks for your help.

Simon
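The following is an added example, not part of the issue thread and not code from the mod_authnz_jwt project. It reworks the virtual-host configuration posted above with the `early` keyword Anthony suggested, and also addresses the most likely cause of the second error Simon saw: in mod_headers format strings, `%{NAME}e` expands an environment variable while `%{NAME}i` expands a request header, so `%{X-Custom-Auth-Header}e` yields an empty value and the module receives `Bearer ` with no token, which it reports as malformed. The host names, the `xxxx` secret and the `yyyy` API key are the placeholders from the original post.

```apache
# Added example (not from the issue or the mod_authnz_jwt project).
# Virtual-host context: "early" RequestHeader directives are only valid in
# server or virtual-host context, never inside <Location>/<LocationMatch>.

<IfModule auth_jwt_module>
    AuthJWTSignatureAlgorithm HS512
    # Placeholder. RFC 7518 requires an HS512 key of at least 512 bits
    # (64 bytes); keep the real value out of version control.
    AuthJWTSignatureSharedSecret xxxx
</IfModule>

# 1. "early": set the header at the start of request processing, before the
#    authentication hook runs. Without it, RequestHeader runs in the fixups
#    phase, after mod_authnz_jwt has already looked for Authorization.
# 2. %{...}i reads the named *request header*. %{...}e reads an *environment
#    variable*, which is unset here and would produce "Bearer " with no token.
#    If the client sends no X-Custom-Auth-Header the result is still an empty
#    token and authentication fails, which is the desired outcome.
RequestHeader set Authorization "Bearer %{X-Custom-Auth-Header}i" early

<LocationMatch "/gosomewhere">
    ProxyPass https://api.somewhere.com
    ProxyPassReverse https://api.somewhere.com
    RequestHeader set X-APIKey yyyy

    # AllowOverride is only valid in <Directory> sections and has been dropped.
    <IfModule auth_jwt_module>
        AuthType jwt
        AuthName "private area"
        AuthJWTAttributeUsername username
        Require valid-user
    </IfModule>

    # Late (default) RequestHeader runs in fixups, after authentication has
    # succeeded, so the token is validated by mod_authnz_jwt but neither copy
    # of it is forwarded to the upstream API.
    RequestHeader unset Authorization
    RequestHeader unset X-Custom-Auth-Header
</LocationMatch>
```

On httpd 2.4.10 or later the same rewrite can be written with an ap_expr value, `RequestHeader set Authorization "expr=Bearer %{req:X-Custom-Auth-Header}" early`; the `%{...}i` form works on all 2.4 releases. Because `set` overwrites unconditionally, any Authorization header the client itself supplies is ignored, which is intended here since the custom header is the only trusted credential source. To confirm the fix, enable `LogLevel auth_jwt:debug` and look for the AH55405 "checking signature and fields correctness" line followed by a successful authentication instead of AH55512.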