VHost Authentication with FusionAuth behind ReversProxy (Apache2) and mod_auth_openidc doesn't

[ZeroEnna00]

Hi all,

I try to set up a small amound of domains behind an authentication. I usually working as developer with coding and only less with with infrastructure. So unfortunatly this is that's why I'm not so good at it.

I would like to set up the following setup:

different subdomains for different purpose:

• my-domain.com -> startpage - static HTML-Page, no authentication necessary
• auth.my-domain.com -> idp - currently FusionAuth
• app1.my-domain.com -> repository with gitea installation
• app2.my-domain.com -> thrid-party application without an authentication / login function

All (sub-)domains are setup with an working SSL certificate (in the 000-default.conf of the apache configuration) and are only accessible with https. All subdomains routed with an vhost configuration in /etc/apache/site-available (linked to site-enabled) and are redirected service that are only listen on localhost.

I would like to use FusionAuth as an idp and OAuth2 provider to secure all sub-domains.
The SSO with Gitea (app1.my-domain.com) was very easy because gitea have an own authentication plugin and I only have to set up the clientId, clientSecret and the MetadataURL -> this works well with FusionAuth.

Behinde the other sub-domain (app2.my-domain.com) is a third party tool (listen at http://locahost:5421) without an authentication / login function. Because of this I try to use the mod_auth_openidc module in the Apache2 vhost-configuration to secure this sub-domain.

Currenty I have this vhost file:

<VirtualHost app2.my-domain.com:80>
        ServerName app2.my-domain.com

        ErrorLog ${APACHE_LOG_DIR}/vhost_app2.my-domain.com-non-ssl_error.log
        CustomLog ${APACHE_LOG_DIR}/vhost_app2.my-domain.com_access-non-ssl.log combined

        Redirect permanent / https://app2.my-domain.com/
</VirtualHost>
<IfModule mod_ssl.c>
<VirtualHost app2.my-domain.com:443>
        ServerName app2.my-domain.com

        LogLevel debug
        ErrorLog ${APACHE_LOG_DIR}/vhost_app2.my-domain.com_error.log
        CustomLog ${APACHE_LOG_DIR}/vhost_app2.my-domain.com_access.log combined

        RequestHeader set X-Forwarded-Proto "https" early
        RequestHeader set Forwarded-Proto "https" early
        ProxyPreserveHost off

        OIDCProviderMetadataURL https://auth.my-domain.com/.well-known/openid-configuration/3bb14b22-5a1a-11ec-abe7-0050563a04b7/
        OIDCClientID b44d4aa7-f415-4037-9677-d2078e96e139
        OIDCClientSecret <FustionAuth-secret>
        OIDCDefaultURL https://app2.my-domain.com
        OIDCRedirectURI /user/oauth2/app2/callback
        OIDCResponseType id_token
        OIDCResponseMode form_post
        OIDCScope "openid profile email"
        OIDCSSLValidateServer Off
        OIDCOAuthIntrospectionTokenParamName access_token
        OIDCCryptoPassphrase <some-passphrase>

        OIDCOAuthVerifyCertFiles <FustionAuth-ApplicationId>#/etc/ssl/certs/my-domain.com.pem

        <Location "/">
                AuthType openid-connect
                Require valid-user
        </Location>
        ProxyPass / http://localhost:5421/
        ProxyPassReverse / http://localhost:5421/

</VirtualHost>
</IfModule>

The current configuration do:

• I open the URL https://app2.my-domain.com/ in my Browser
• the apache try to ensure for the login -> I'am not logged in yet and I will be redirect to an login-page from FusionAuth at
  https://auth.my-domain.com/oauth2/authorize?response_type=id_token&scope=openid%20profile%20email&client_id=b44d4aa7-f415-4037-9677-d2078e96e139&state=ibkVv3_-RP7OpOI8snTFyh7fx8w&redirect_uri=https%3A%2F%2Fapp2.my-domain.com%2Fuser%2Foauth2%2Fapp2%2Fcallback&nonce=bioRtpk4hzm59D1SNgKlf0KAJvGMiofmFsxLx0uuvd0&response_mode=form_post
• I can authenticate myself successfuly with the creadentials from FusionAuth
• After the Login in FusionAuth I will be redirected to https://app2.my-domain.com/user/oauth2/app2/callback
• this page will only show me an error

  Error:
  OpenID Connect Provider error: Error in handling response type.

I have tried to find the failture for the the Error OpenID Connect Provider error: Error in handling response type. and the Error in the log

[Sun Dec 12 20:35:14.272516 2021] [auth_openidc:debug] [pid 385058:tid 139667409155840] src/cache/common.c(665): [client <my-ip>:51546] oidc_cache_set: successfully stored 18 bytes in shm cache backend for key https://auth.my-domain.com/.well-known/jwks.json, referer: https://auth.my-domain.com/
[Sun Dec 12 20:35:14.272527 2021] [auth_openidc:debug] [pid 385058:tid 139667409155840] src/proto.c(1391): [client <my-ip>:51546] oidc_proto_get_key_from_jwks: search for kid "b44d4aa7-f415-4037-9677-d2078e96e139" or thumbprint x5t "(null)", referer: https://auth.my-domain.com/
[Sun Dec 12 20:35:14.272538 2021] [auth_openidc:debug] [pid 385058:tid 139667409155840] src/proto.c(1522): [client <my-ip>:51546] oidc_proto_get_keys_from_jwks_uri: returning 0 key(s) obtained from the (possibly cached) JWKs URI, referer: https://auth.my-domain.com/
[Sun Dec 12 20:35:14.272552 2021] [auth_openidc:error] [pid 385058:tid 139667409155840] [client <my-ip>:51546] oidc_proto_jwt_verify: JWT signature verification failed: [src/jose.c:931: oidc_jwt_verify]: could not find key with kid: b44d4aa7-f415-4037-9677-d2078e96e139, referer: https://auth.my-domain.com/
[Sun Dec 12 20:35:14.272560 2021] [auth_openidc:error] [pid 385058:tid 139667409155840] [client <my-ip>:51546] oidc_proto_parse_idtoken: id_token signature could not be validated, aborting, referer: https://auth.my-domain.com/

I tired many different configurations in the last days but nothing will work.

• Could someone help me with this error
• or is this maybe the wrong way to to handle an authentication for an thirtparty tool (that didnt have an authentication)?

Thanks for the Help
Zero

[ZeroEnna00]

I have found the a solution for this problem after several debugging and minimal examples trial-and-error sessions.

The configuration in apache vhost file was correct and worked well. But after login on the authentication server the apache tries to validate the returned JWT, but this fails. Because there was result in the JWK Endpoint to validate the key within the JWT.

I solved the problem with:

• enable the JWT on FusionAuth (idp)
• set the issuer for the JWT to my-dpomain.com
• set the JWT security encryption to an asymetric key in FusionAuth - I needed to generate an key before
  • the reason for this is, that the FusionAuth create only symmetric keys in default and that symmetric keys are not listed in the https://auth.my-domain.com/.well-known/jwks.json endpoint for validation.
  • in that case there are not keys for an possible validation and apache could not validate the key within the JWT.

After the few points the login process and the redirect works very well.

That was the source that give my the final for my solution:
https://fusionauth.io/docs/v1/tech/oauth/endpoints/#json-web-key-set-jwks

I hope could help others with my answer.

Zero