Triggering a call to OIDC protected endpoint from a service.

[AnirudhPokala]

Hi Team
We are using mod_auth_openidc, to enable OIDC support with Auth0 for keystone. The OIDC flow works fine when we trigger a call from Browser to OIDC protected endpoint in apache. i.e

1. It redirects to auth0 login page (request generated by mod_auth_openidc using OIDC parameters)
2. After successful google login, we get response to OIDCRedirectURI with ID_TOKEN
3. mod_auth_openidc parses the claims and setting as headers.

But is there a way to make sure, we initiate the OIDC call to protected endpoint from a service. i.e the service already has an ID_TOKEN of user which we get after successful auth0 login. Because we already has a service with takes care of login using auth0 google. We don't wanted to make it redundant again initiating the call from mod_auth_openidc.

So we want to do a POST call to our OIDC protected endpoint with ID_TOKEN and make sure mod_auth_openidc parses the claims and set the values as it does in UI initiated case.

But when we tried to trigger a POST call from postman to OIDC protected endpoint, we got a Bad Request, after debugging the logs its found that its failing because of no mod_auth_state cookie.

Logs for same:

[Mon Apr 11 11:57:42.125097 2022] [authz_core:debug] [pid 13241:tid 140661570635520] mod_authz_core.c(809): [client 127.0.0.1:41838] AH01626: authorization result of Require valid-user : denied (no authenticated user yet)
[Mon Apr 11 11:57:42.125128 2022] [authz_core:debug] [pid 13241:tid 140661570635520] mod_authz_core.c(809): [client 127.0.0.1:41838] AH01626: authorization result of <RequireAny>: denied (no authenticated user yet)
[Mon Apr 11 11:57:42.125139 2022] [auth_openidc:debug] [pid 13241:tid 140661570635520] src/mod_auth_openidc.c(3959): [client 127.0.0.1:41838] oidc_check_user_id: incoming request: "/keystone/v3/OS-FEDERATION/identity_providers/auth0/protocols/openid/auth?(null)", ap_is_initial_req(r)=1
[Mon Apr 11 11:57:42.125151 2022] [auth_openidc:debug] [pid 13241:tid 140661570635520] src/util.c(1232): [client 127.0.0.1:41838] oidc_util_get_cookie: returning "mod_auth_openidc_session" = <null>
[Mon Apr 11 11:57:42.125157 2022] [auth_openidc:debug] [pid 13241:tid 140661570635520] src/util.c(1394): [client 127.0.0.1:41838] oidc_util_request_matches_url: comparing "/keystone/v3/OS-FEDERATION/identity_providers/auth0/protocols/openid/auth"=="/keystone/v3/OS-FEDERATION/identity_providers/auth0/protocols/openid/auth"
[Mon Apr 11 11:57:42.125163 2022] [auth_openidc:debug] [pid 13241:tid 140661570635520] src/mod_auth_openidc.c(2041): [client 127.0.0.1:41838] oidc_handle_post_authorization_response: enter
[Mon Apr 11 11:57:42.125168 2022] [auth_openidc:debug] [pid 13241:tid 140661570635520] src/util.c(2479): [client 127.0.0.1:41838] oidc_util_hdr_in_get: Content-Type=application/x-www-form-urlencoded
[Mon Apr 11 11:57:42.125220 2022] [auth_openidc:debug] [pid 13241:tid 140661570635520] src/util.c(1718): [client 127.0.0.1:41838] oidc_util_read_form_encoded_params: read: response_mode=fragment
[Mon Apr 11 11:57:42.125242 2022] [auth_openidc:debug] [pid 13241:tid 140661570635520] src/util.c(1718): [client 127.0.0.1:41838] oidc_util_read_form_encoded_params: read: access_token=<ACCESS-TOKEN-VALUE>
[Mon Apr 11 11:57:42.125252 2022] [auth_openidc:debug] [pid 13241:tid 140661570635520] src/util.c(1718): [client 127.0.0.1:41838] oidc_util_read_form_encoded_params: read: scope=openid+profile+email
[Mon Apr 11 11:57:42.125260 2022] [auth_openidc:debug] [pid 13241:tid 140661570635520] src/util.c(1718): [client 127.0.0.1:41838] oidc_util_read_form_encoded_params: read: expires_in=7200
[Mon Apr 11 11:57:42.125266 2022] [auth_openidc:debug] [pid 13241:tid 140661570635520] src/util.c(1718): [client 127.0.0.1:41838] oidc_util_read_form_encoded_params: read: token_type=Bearer
[Mon Apr 11 11:57:42.125274 2022] [auth_openidc:debug] [pid 13241:tid 140661570635520] src/util.c(1718): [client 127.0.0.1:41838] oidc_util_read_form_encoded_params: read: state=TnbajioKb-2KOzcWRXoUZOxD_Lg
[Mon Apr 11 11:57:42.125290 2022] [auth_openidc:debug] [pid 13241:tid 140661570635520] src/util.c(1718): [client 127.0.0.1:41838] oidc_util_read_form_encoded_params: read: id_token=<ID-TOKEN-VALUE>
[Mon Apr 11 11:57:42.125305 2022] [auth_openidc:debug] [pid 13241:tid 140661570635520] src/util.c(1723): [client 127.0.0.1:41838] oidc_util_read_form_encoded_params: parsed: 1752 bytes into 7 elements
[Mon Apr 11 11:57:42.125310 2022] [auth_openidc:debug] [pid 13241:tid 140661570635520] src/mod_auth_openidc.c(1896): [client 127.0.0.1:41838] oidc_handle_authorization_response: enter, response_mode=fragment
[Mon Apr 11 11:57:42.125314 2022] [auth_openidc:debug] [pid 13241:tid 140661570635520] src/mod_auth_openidc.c(1525): [client 127.0.0.1:41838] oidc_authorization_response_match_state: enter (state=TnbajioKb-2KOzcWRXoUZOxD_Lg)
[Mon Apr 11 11:57:42.125318 2022] [auth_openidc:debug] [pid 13241:tid 140661570635520] src/mod_auth_openidc.c(616): [client 127.0.0.1:41838] oidc_restore_proto_state: enter
[Mon Apr 11 11:57:42.125323 2022] [auth_openidc:debug] [pid 13241:tid 140661570635520] src/util.c(1232): [client 127.0.0.1:41838] oidc_util_get_cookie: returning "mod_auth_openidc_state_TnbajioKb-2KOzcWRXoUZOxD_Lg" = <null>
[Mon Apr 11 11:57:42.125327 2022] [auth_openidc:error] [pid 13241:tid 140661570635520] [client 127.0.0.1:41838] oidc_restore_proto_state: no "mod_auth_openidc_state_TnbajioKb-2KOzcWRXoUZOxD_Lg" state cookie found: check domain and samesite cookie settings
[Mon Apr 11 11:57:42.125331 2022] [auth_openidc:error] [pid 13241:tid 140661570635520] [client 127.0.0.1:41838] oidc_authorization_response_match_state: unable to restore state
[Mon Apr 11 11:57:42.125335 2022] [auth_openidc:error] [pid 13241:tid 140661570635520] [client 127.0.0.1:41838] oidc_handle_authorization_response: invalid authorization response state and no default SSO URL is set, sending an error...

@zandbelt can you kindly once look into this.

Thanks

[zandbelt]

you shouldn't be looking to use an OIDC flow here but rather an OAuth 2.0 RS flow and use the access token, see: https://github.com/zmartzone/mod_auth_openidc/wiki/OAuth-2.0-Resource-Server