OpenIDC / mod_auth_openidc

OpenID Certified™ OpenID Connect Relying Party implementation for Apache HTTP Server 2.x
Apache License 2.0

Apache2 OIDC and reverse proxy for tomcat application #1103

Closed aashishagarwal closed 1 year ago

aashishagarwal commented 1 year ago

Discussed in https://github.com/OpenIDC/mod_auth_openidc/discussions/1102

Originally posted by **aashishagarwal** September 7, 2023

We are trying to integrate Apache2 OIDC with Forgerock, and we have several java/.net apps where requests will be proxied based on the path. I have tried a lot of things but am not able to make this work. I am confused about RedirectURI, not sure what that URL should be: should it return HTTP 204 (No content), or be an invalid URL which doesn't exist? My config is available below.

Apache `running on 80`, Tomcat `running on 8080`, context path `/test`.

When I hit `http://host-ip/test`, it goes to Forgerock, gets authenticated and comes back to the redirect URL. Request flow:

1. `GET http:///test`, `status code 302`
2. `GET http:// with redirect uri and client id`, `status code 302`
3. After authentication at Forgerock, `GET - http:///test/callback`, `status code 200`
4. Another request, `POST - http:///test/callback`, `status code 500`

There is no real URL `which can return 200 on http:///test/callback` on Tomcat; the following paths are available: `/test`, `/test/hello`, `/test/listHeaders`

Apache Config

```
ServerAdmin webmaster@localhost
DocumentRoot /var/www/html
ErrorLog ${APACHE_LOG_DIR}/error.log
LogLevel warn
CustomLog ${APACHE_LOG_DIR}/access.log combined
LoadModule auth_openidc_module /usr/lib/apache2/modules/mod_auth_openidc.so
OIDCProviderMetadataURL https:///fgram/oauth2/.well-known/openid-configuration
OIDCProviderJwksUri https:///fgram/oauth2/connect/jwk_uri
OIDCOutgoingProxy
OIDCClientID
OIDCClientSecret
# OIDCRedirectURI is a vanity URL that must point to a path protected by this module but must NOT point to any content
OIDCRedirectURI http:///test/callback
OIDCCryptoPassphrase secret
OIDCScope "profile openid groups"
AuthType openid-connect
AuthType openid-connect
Require valid-user
AuthType openid-connect
AuthType openid-connect
Require valid-user
ProxyPreserveHost On
ProxyPass http://:8080/test/
ProxyPassReverse http://:8080/test/
LogLevel Debug
```

Can someone please help me to understand what's incorrect in this whole flow? What should be my redirectURI in this case?
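A reference layout for this kind of setup, added here as an example and not taken from the original post or from the mod_auth_openidc project: it keeps OIDCRedirectURI under the protected `/test` path and excludes that one path from ProxyPass, so only the module ever answers there and no backend content can be served at the callback, as the comment in the posted config requires. The hostnames, the `<Location>` block and the backend address are assumptions, and the module is loaded outside `<VirtualHost>` because LoadModule is only valid at server level.

```apache
# Assumed values: apache.example.com, idp.example.com, tomcat.internal and the
# client credentials are placeholders, not taken from the original post.
LoadModule auth_openidc_module /usr/lib/apache2/modules/mod_auth_openidc.so

<VirtualHost *:80>
    ServerName apache.example.com

    OIDCProviderMetadataURL https://idp.example.com/fgram/oauth2/.well-known/openid-configuration
    OIDCClientID <client-id-placeholder>
    OIDCClientSecret <client-secret-placeholder>
    OIDCCryptoPassphrase <long-random-passphrase-placeholder>
    OIDCScope "profile openid groups"

    # The redirect URI lives under the protected /test path so the module sees it,
    # but it must never be backed by content: Tomcat has no /test/callback.
    OIDCRedirectURI http://apache.example.com/test/callback

    # Exclusions must precede the catch-all ProxyPass; "!" tells mod_proxy not to
    # forward this path, so a request to the callback is never sent to Tomcat.
    ProxyPreserveHost On
    ProxyPass        /test/callback !
    ProxyPass        /test/ http://tomcat.internal:8080/test/
    ProxyPassReverse /test/ http://tomcat.internal:8080/test/

    # Everything under /test, including the callback path, requires an OIDC session.
    <Location /test>
        AuthType openid-connect
        Require valid-user
    </Location>
</VirtualHost>
```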
github-actions[bot] commented 1 year ago

https://github.com/OpenIDC/mod_auth_openidc/wiki#20-why-is-my-ticket-closed-as-invalid