OpenIDC / mod_auth_openidc

OpenID Certified™ OpenID Connect Relying Party implementation for Apache HTTP Server 2.x
Apache License 2.0

Could not use Google OpenID Connect provider #12

Closed. fauguste closed this issue 10 years ago.

fauguste commented 10 years ago

Hi,

I have some problems using your Apache module with the Google provider.

I am using Ubuntu 14.04 and libapache2-mod-auth-openidc_1.4_amd64.deb

I enabled auth_openidc.load and auth_openidc.conf (without modification).

I added the following lines to my Apache conf:

OIDCProviderIssuer accounts.google.com
OIDCProviderAuthorizationEndpoint https://accounts.google.com/o/oauth2/auth
OIDCProviderTokenEndpoint https://accounts.google.com/o/oauth2/token
OIDCProviderTokenEndpointAuth client_secret_post
OIDCProviderUserInfoEndpoint https://www.googleapis.com/plus/v1/people/me/openIdConnect
OIDCProviderJwksUri https://www.googleapis.com/oauth2/v2/certs

OIDCClientID 964313367974-j3d4b43j1vjuoa01dv06bt9nrpl5g7ek.apps.googleusercontent.com
OIDCClientSecret XXXXXXXXXXXX

OIDCScope "openid email profile"
OIDCRedirectURI http://exemple.com/exemple/callback/
OIDCCryptoPassphrase blabla
OIDCCookiePath /
<Location /exemple/>
   AuthType openid-connect
   Require valid-user
</Location>
</VirtualHost>

I get an error 500 and these lines in my error log:

oidc_restore_proto_state: no "mod_auth_openidc_state" state cookie found
oidc_unsolicited_proto_state: could not parse JWT from state: invalid unsolicited response
oidc_authorization_response_match_state: unable to restore state

Can you see what happened?

Thanks, Fred

zandbelt commented 10 years ago

Firstly you'll have to ensure that you access the protected content under the same protocol (http/https)/hostname/port as in the OIDCRedirectURI setting. Both values are visible in the logs in an entry like:

oidc_proto_authorization_request: entering (issuer=<issuer>, redirect_uri=<redirect_uri>, original_url=<original_url>, state=<state>, nonce=<nonce>)

So protocol/host/port of redirect_uri must match that of original_url. I'll add a check that prints out a warning if they don't match, but let me know if this is the cause of your problem.

fauguste commented 10 years ago

Yes, redirect_uri and original_url are the same:

[Thu Jun 05 07:26:50.646194 2014] [:debug] [pid 8781] src/proto.c(120): [client 176.183.84.57:51466] oidc_proto_authorization_request: entering (issuer=accounts.google.com, redirect_uri=http://ec2-54-217-104-54.eu-west-1.compute.amazonaws.com/exemple/callback/, original_url=http://ec2-54-217-104-54.eu-west-1.compute.amazonaws.com/exemple/, state=XXXXXXXXXXXXXXXXXXXXX, nonce=(null))

zandbelt commented 10 years ago

There was a bug in the fact that cookies were only set with a "Secure" flag, even if on plain HTTP; that is fixed now.

Nevertheless, in production, one should not run authenticated user sessions over plain HTTP.
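
The two causes raised in this thread (redirect_uri and original_url not sharing scheme/host/port, and a Secure-flagged state cookie that a browser will never send back to an http callback) can be checked from the log entry quoted above. The following is an added example script, not part of mod_auth_openidc; the log line, hostname and Set-Cookie header are constructed samples, and the function names are my own.

```python
import re
from urllib.parse import urlsplit

# Constructed sample entry modelled on the one quoted in this thread; the host
# is a placeholder. The callback is http while the protected page was https.
LOG_LINE = (
    "oidc_proto_authorization_request: entering (issuer=accounts.google.com, "
    "redirect_uri=http://app.example.com/exemple/callback/, "
    "original_url=https://app.example.com/exemple/, state=XXXX, nonce=(null))"
)
# Constructed Set-Cookie header reflecting the pre-1.5 behaviour: Secure always set.
STATE_COOKIE = "mod_auth_openidc_state=XXXX; Path=/; Secure; HttpOnly"

ENTRY_RE = re.compile(r"redirect_uri=(?P<r>[^,\s]+), original_url=(?P<o>[^,\s]+),")

def parse_authz_request(log_line):
    """(redirect_uri, original_url) from an oidc_proto_authorization_request
    entry, or None for any other log line."""
    m = ENTRY_RE.search(log_line)
    return (m.group("r"), m.group("o")) if m else None

def origin(url):
    """(scheme, host, port) with the default port filled in, so that
    http://h/ and http://h:80/ compare equal."""
    p = urlsplit(url)
    port = p.port or (443 if p.scheme.lower() == "https" else 80)
    return (p.scheme.lower(), (p.hostname or "").lower(), port)

def origins_match(redirect_uri, original_url):
    return origin(redirect_uri) == origin(original_url)

def cookie_would_be_returned(set_cookie, scheme):
    """A cookie flagged Secure is only sent over https, so a Secure state
    cookie never reaches an http callback and the state cannot be restored."""
    attrs = [a.strip().lower() for a in set_cookie.split(";")[1:]]
    return not ("secure" in attrs and scheme != "https")

def diagnose(log_line, state_set_cookie):
    """Collect the two causes discussed in this issue as warning strings."""
    warnings = []
    parsed = parse_authz_request(log_line)
    if parsed and not origins_match(*parsed):
        warnings.append("redirect_uri %s and original_url %s differ in "
                        "scheme/host/port" % parsed)
    callback_scheme = origin(parsed[0])[0] if parsed else "https"
    if not cookie_would_be_returned(state_set_cookie, callback_scheme):
        warnings.append("state cookie is flagged Secure but the callback is "
                        "plain http, so the browser will not send it back")
    return warnings
```

Calling `diagnose(LOG_LINE, STATE_COOKIE)` on the constructed sample returns both warnings; on a consistent https setup it returns an empty list.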

fauguste commented 10 years ago

Thanks, obviously, I will use HTTPS in production.

Can you provide a new deb file?

zandbelt commented 10 years ago

Released v1.5: https://github.com/pingidentity/mod_auth_openidc/releases/tag/v1.5