search

OpenIDC / mod_oauth2

OAuth 2.x Resource Server module for the Apache HTTPd web server
Apache License 2.0
49 stars 14 forks source link

Access control <RequireAny> sets WWW-Authenticate header - insufficient_scope #42

Closed ErmakovDmitriy closed 1 year ago

ErmakovDmitriy commented 1 year ago

We use Apache 2.4, mod_oauth 3.3.0.

In the Apache configuration we have access control configuration as below:

# Any of the audiences will be allowed.
<RequireAny>
  Require oauth2_claim 'aud:kubepie'
  Require oauth2_claim 'aud:jupyterhub'
  Require oauth2_claim 'aud:jupyterhub-review'
</RequireAny>

When we get access to the protected directory (Apache autoindex) using a valid bearer token, we get access but the response contains plenty of header as below:

< www-authenticate: Bearer error="insufficient_scope", error_description="Different scope(s) or other claims required."

Corresponding debug logs:

[Fri Jan 20 15:21:11.548245 2023] [oauth2:debug] [pid 7:tid 140689342269184] src/mod_oauth2.c(211): [client 192.168.20.17:0] oauth2_authz_checker: enter
[Fri Jan 20 15:21:11.548263 2023] [oauth2:debug] [pid 7:tid 140689342269184] src/server/apache.c(1024): [client 192.168.20.17:0] oauth2_apache_authorize: evaluating claim/expr specification: aud:kubepie
[Fri Jan 20 15:21:11.548266 2023] [oauth2:debug] [pid 7:tid 140689342269184] src/server/apache.c(927): [client 192.168.20.17:0] oauth2_apache_authz_match_claim: evaluating key "exp"
[Fri Jan 20 15:21:11.548268 2023] [oauth2:debug] [pid 7:tid 140689342269184] src/server/apache.c(927): [client 192.168.20.17:0] oauth2_apache_authz_match_claim: evaluating key "iat"
...
[Fri Jan 20 15:21:11.548287 2023] [oauth2:debug] [pid 7:tid 140689342269184] src/server/apache.c(839): [client 192.168.20.17:0] oauth2_apache_authz_match_value: matching: spec_c=kubepie, key=aud
...
[Fri Jan 20 15:21:11.548319 2023] [oauth2:debug] [pid 7:tid 140689342269184] src/server/apache.c(366): [client 192.168.20.17:0] oauth2_apache_return_www_authenticate: enter
[Fri Jan 20 15:21:11.548322 2023] [oauth2:debug] [pid 7:tid 140689342269184] src/server/apache.c(458): [client 192.168.20.17:0] oauth2_apache_hdr_out_add: WWW-Authenticate: Bearer error="insufficient_scope", error_description="Different scope(s) or other claims required."
[Fri Jan 20 15:21:11.548325 2023] [oauth2:debug] [pid 7:tid 140689342269184] src/server/apache.c(390): [client 192.168.20.17:0] oauth2_apache_return_www_authenticate: leave
[Fri Jan 20 15:21:11.548327 2023] [oauth2:debug] [pid 7:tid 140689342269184] src/mod_oauth2.c(232): [client 192.168.20.17:0] oauth2_authz_checker: setting environment variable OAUTH2_BEARER_SCOPE_ERROR to "Bearer error="insufficient_scope", error_description="Different scope(s) or other claims required."" for usage in mod_headers
[Fri Jan 20 15:21:11.548330 2023] [oauth2:debug] [pid 7:tid 140689342269184] src/mod_oauth2.c(240): [client 192.168.20.17:0] oauth2_authz_checker: leave
[Fri Jan 20 15:21:11.548331 2023] [authz_core:debug] [pid 7:tid 140689342269184] mod_authz_core.c(815): [client 192.168.20.17:0] AH01626: authorization result of Require oauth2_claim 'aud:kubepie': denied
[Fri Jan 20 15:21:11.548334 2023] [oauth2:debug] [pid 7:tid 140689342269184] src/mod_oauth2.c(211): [client 192.168.20.17:0] oauth2_authz_checker: enter
[Fri Jan 20 15:21:11.548353 2023] [oauth2:debug] [pid 7:tid 140689342269184] src/server/apache.c(1024): [client 192.168.20.17:0] oauth2_apache_authorize: evaluating claim/expr specification: aud:jupyterhub
[Fri Jan 20 15:21:11.548355 2023] [oauth2:debug] [pid 7:tid 140689342269184] src/server/apache.c(927): [client 192.168.20.17:0] oauth2_apache_authz_match_claim: evaluating key "exp"
[Fri Jan 20 15:21:11.548357 2023] [oauth2:debug] [pid 7:tid 140689342269184] src/server/apache.c(927): [client 192.168.20.17:0] oauth2_apache_authz_match_claim: evaluating key "iat"
...
[Fri Jan 20 15:21:11.548365 2023] [oauth2:debug] [pid 7:tid 140689342269184] src/server/apache.c(839): [client 192.168.20.17:0] oauth2_apache_authz_match_value: matching: spec_c=jupyterhub, key=aud
[Fri Jan 20 15:21:11.548366 2023] [oauth2:debug] [pid 7:tid 140689342269184] src/server/apache.c(927): [client 192.168.20.17:0] oauth2_apache_authz_match_claim: evaluating key "sub"
...
[Fri Jan 20 15:21:11.548398 2023] [oauth2:debug] [pid 7:tid 140689342269184] src/server/apache.c(366): [client 192.168.20.17:0] oauth2_apache_return_www_authenticate: enter
[Fri Jan 20 15:21:11.548400 2023] [oauth2:debug] [pid 7:tid 140689342269184] src/server/apache.c(458): [client 192.168.20.17:0] oauth2_apache_hdr_out_add: WWW-Authenticate: Bearer error="insufficient_scope", error_description="Different scope(s) or other claims required."
[Fri Jan 20 15:21:11.548402 2023] [oauth2:debug] [pid 7:tid 140689342269184] src/server/apache.c(390): [client 192.168.20.17:0] oauth2_apache_return_www_authenticate: leave
[Fri Jan 20 15:21:11.548404 2023] [oauth2:debug] [pid 7:tid 140689342269184] src/mod_oauth2.c(232): [client 192.168.20.17:0] oauth2_authz_checker: setting environment variable OAUTH2_BEARER_SCOPE_ERROR to "Bearer error="insufficient_scope", error_description="Different scope(s) or other claims required."" for usage in mod_headers
[Fri Jan 20 15:21:11.548407 2023] [oauth2:debug] [pid 7:tid 140689342269184] src/mod_oauth2.c(240): [client 192.168.20.17:0] oauth2_authz_checker: leave
[Fri Jan 20 15:21:11.548408 2023] [authz_core:debug] [pid 7:tid 140689342269184] mod_authz_core.c(815): [client 192.168.20.17:0] AH01626: authorization result of Require oauth2_claim 'aud:jupyterhub': denied
[Fri Jan 20 15:21:11.548410 2023] [oauth2:debug] [pid 7:tid 140689342269184] src/mod_oauth2.c(211): [client 192.168.20.17:0] oauth2_authz_checker: enter
[Fri Jan 20 15:21:11.548428 2023] [oauth2:debug] [pid 7:tid 140689342269184] src/server/apache.c(1024): [client 192.168.20.17:0] oauth2_apache_authorize: evaluating claim/expr specification: aud:jupyterhub-review
[Fri Jan 20 15:21:11.548431 2023] [oauth2:debug] [pid 7:tid 140689342269184] src/server/apache.c(927): [client 192.168.20.17:0] oauth2_apache_authz_match_claim: evaluating key "exp"
[Fri Jan 20 15:21:11.548433 2023] [oauth2:debug] [pid 7:tid 140689342269184] src/server/apache.c(927): [client 192.168.20.17:0] oauth2_apache_authz_match_claim: evaluating key "iat"
...
[Fri Jan 20 15:21:11.548441 2023] [oauth2:debug] [pid 7:tid 140689342269184] src/server/apache.c(839): [client 192.168.20.17:0] oauth2_apache_authz_match_value: matching: spec_c=jupyterhub-review, key=aud
[Fri Jan 20 15:21:11.548443 2023] [oauth2:debug] [pid 7:tid 140689342269184] src/server/apache.c(1029): [client 192.168.20.17:0] oauth2_apache_authorize: require claim/expr 'aud:jupyterhub-review' matched
[Fri Jan 20 15:21:11.548446 2023] [oauth2:debug] [pid 7:tid 140689342269184] src/mod_oauth2.c(240): [client 192.168.20.17:0] oauth2_authz_checker: leave
[Fri Jan 20 15:21:11.548448 2023] [authz_core:debug] [pid 7:tid 140689342269184] mod_authz_core.c(815): [client 192.168.20.17:0] AH01626: authorization result of Require oauth2_claim 'aud:jupyterhub-review': granted
[Fri Jan 20 15:21:11.548450 2023] [authz_core:debug] [pid 7:tid 140689342269184] mod_authz_core.c(815): [client 192.168.20.17:0] AH01626: authorization result of <RequireAny>: granted
[Fri Jan 20 15:21:11.548451 2023] [authz_core:debug] [pid 7:tid 140689342269184] mod_authz_core.c(815): [client 192.168.20.17:0] AH01626: authorization result of <RequireAll>: granted
[Fri Jan 20 15:21:11.548453 2023] [authz_core:debug] [pid 7:tid 140689342269184] mod_authz_core.c(815): [client 192.168.20.17:0] AH01626: authorization result of <RequireAny>: granted

It seems that this issue might have been fixed in https://github.com/zmartzone/mod_auth_openidc/commit/8ed00cc8baec964e8730e8069fd748437584ab4c but was not propagated to the OAuth2 module.

Could you, please, take a look at it and fix or recommend a solution for us?

/cc @manfuin

zandbelt commented 1 year ago

that fix was propagated, but suffers from an error here: https://github.com/zmartzone/liboauth2/blob/v1.4.5.2/src/server/apache.c#L459 instead of adding a header, it should overwrite the existing one, so the single header will correctly be removed here: https://github.com/zmartzone/mod_oauth2/blob/v3.3.0/src/mod_oauth2.c#L230-L231

ErmakovDmitriy commented 1 year ago

Thank you for the fix! =)

For now, I get only 1 line with the error in the response (< www-authenticate: Bearer error="insufficient_scope", error_description="Different scope(s) or other claims required.") which does not break our HTTP load balancer.

I might have done something wrong but am I supposed to get even the one line despite the fact that the access is allowed? Anyway, one line should not be a problem for us, I think.

zandbelt commented 1 year ago

hm, I thought it was quick to fix; I'll properly reproduce and fix it now, it is not supposed to be there when the overall access result is "allowed"

zandbelt commented 1 year ago

I had to revert the patch from liboauth2 1.4.5.3 (pulled now) in 1.4.5.4 and released mod_oauth2 3.3.1 that solves this issue