OpenIDC / mod_auth_openidc

OpenID Certified™ OpenID Connect Relying Party implementation for Apache HTTP Server 2.x
Apache License 2.0

OIDCRemoteUserClaim match and replace not working on some claims #915

Closed dBucik closed 2 years ago

dBucik commented 2 years ago

Hey all,

I've been trying to debug why my REMOTE_USER is not set, and it seems that replacing using regexes works only on some claims. Imagine that the OP releases these claims:

name: "Dominik František Bučík"
preferred_username: "dbucik"

When I try to set the REMOTE_USER using the following, it works for the name, but does not for preferred_username:

    OIDCRemoteUserClaim      name ^(.*)$ $1@test.com
    OIDCRemoteUserClaim      preferred_username ^(.*)$ $1@test.com

In the case of the preferred_username, I get these messages in debug log:

[auth_openidc:error] [pid ...] [client...] oidc_get_remote_user: oidc_util_regexp_substitute failed: unknown error could not match string [dbucik] using pattern [^(.*)$] and replace matches in [$1@test.com], referer: ...
[auth_openidc:error] [pid ...] [client...] oidc_set_request_user: OIDCRemoteUserClaim is set to "preferred_username", but could not set the remote user based on the requested claim "preferred_username" and the available claims for the user, referer: ...
[auth_openidc:error] [pid ...] [client...] oidc_handle_authorization_response: remote user could not be set, referer: ...

Full configuration of VirtualHost:

    OIDCProviderMetadataURL   "https://my-op.org/.well-known/openid-configuration"
    OIDCClientID              "client_id"
    OIDCClientSecret          "secret"
    OIDCRedirectURI           "/oauth2/callback"
    OIDCScope                 "openid profile email"
    OIDCCryptoPassphrase      "secret"
    OIDCCookiePath            "/"
#    OIDCRemoteUserClaim       preferred_username ^(.*)$ $1@test.com
    OIDCRemoteUserClaim       name ^(.*)$ $1@test.com

    <Location /oauth2/callback>
        #non-existent location for returning from OIDC server
        AuthType openid-connect
        Require valid-user
    </Location>
    <Location />
        AuthType openid-connect
        Require valid-user
        ProxyPass        uwsgi://localhost:8083/
        ProxyPassReverse uwsgi://localhost:8083/
    </Location>

I am running the following versions:

OS: Debian 10 (buster)
apache2                        2.4.38-3+deb10u7
libapache2-mod-auth-openidc    2.4.11.3-1~buster+1

Any idea what might be going on?
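The following is an added example for checking an OIDCRemoteUserClaim match/replace pair offline; it is not code from mod_auth_openidc or from the reporter. It assumes the directive's `$1`-style backreferences as used in the report above, a single substitution on the claim value, and approximates Apache's PCRE matching with Python's `re` module (the `remote_user_from_claim` helper, the strict pattern and the sample claim values are constructed for the example). It also shows why `^(.*)$` deserves a second look: it accepts any claim value, including one that already contains `@`, whereas a restrictive character class rejects such values instead of producing an unexpected REMOTE_USER.

```python
import re
from typing import Optional

# Constructed sample claims, modelled on the two values from the report.
SAMPLE_CLAIMS = {
    "name": "Dominik František Bučík",
    "preferred_username": "dbucik",
}


def apache_replacement_to_python(replacement: str) -> str:
    """Translate a '$1'-style replacement (assumed Apache syntax) to Python's re syntax.

    Literal backslashes are escaped first so they are not read as Python escapes,
    then every $N (N = 0..9) becomes \\g<N>.
    """
    escaped = replacement.replace("\\", "\\\\")
    return re.sub(r"\$(\d)", r"\\g<\1>", escaped)


def remote_user_from_claim(value: str, pattern: str, replacement: str) -> Optional[str]:
    """Emulate 'OIDCRemoteUserClaim <claim> <pattern> <replacement>'.

    Returns the substituted value, or None when the pattern does not match
    (the situation in which mod_auth_openidc logs that REMOTE_USER could not be set).
    Assumption: exactly one substitution is applied, as in the report's usage.
    """
    compiled = re.compile(pattern)
    if compiled.search(value) is None:
        return None
    return compiled.sub(apache_replacement_to_python(replacement), value, count=1)


# The permissive pattern from the report: matches anything, appends a domain.
PERMISSIVE = (r"^(.*)$", "$1@test.com")

# A restrictive alternative: only lowercase local-part characters, no '@'.
STRICT = (r"^([a-z0-9._-]+)$", "$1@test.com")


def check_all(claims: dict, pattern: str, replacement: str) -> dict:
    """Apply one match/replace pair to every claim and collect the outcomes."""
    return {k: remote_user_from_claim(v, pattern, replacement) for k, v in claims.items()}


if __name__ == "__main__":
    for label, (pat, rep) in (("permissive", PERMISSIVE), ("strict", STRICT)):
        print(f"--- {label}: {pat!r} -> {rep!r}")
        for claim, result in check_all(SAMPLE_CLAIMS, pat, rep).items():
            print(f"{claim:>20}: {result!r}")
    # A constructed hostile value: the permissive pattern happily produces
    # 'admin@evil.example@test.com', the strict one refuses to set a user.
    hostile = "admin@evil.example"
    print("permissive on hostile:", remote_user_from_claim(hostile, *PERMISSIVE))
    print("strict on hostile:    ", remote_user_from_claim(hostile, *STRICT))
```

Run it before changing the Apache configuration: if a pair returns `None` for a value the OP actually releases, the module will refuse to set REMOTE_USER for that user, which is the failure the log lines above describe. The script cannot reproduce Apache's own regex engine, so a pattern that passes here and still fails in the module points at something other than the regex itself.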