you'll have to use |
I am hoping this community can help with this issue. I have tried many changes, but I continue to receive the following error:
```
oidc_proto_jwt_verify: "jwks_uri" is not set, signature validation will only be performed against statically configured keys
```
I have set up AD-FS with a Server and Web API.
I have set up mod_auth_openidc with
```apache
OIDCProviderMetadataURL https://my-adfs/adfs/.well-known/openid-configuration
OIDCClientID my-client-id
OIDCClientSecret my-client-secret
OIDCRedirectURI https://myserver/redirect_uri
OIDCCryptoPassphrase myPassPhrase
...
<Location /mypath>
...
AuthType oauth20
Require valid-user
LogLevel debug
...
```
I'm able to get a bearer token from AD-FS. When I then attempt to access a resource under /mypath, I get the following errors:
```
[Mon Jun 14 12:11:30.866476 2021] [auth_openidc:debug] [pid 66771] src/mod_auth_openidc.c(2585): [client 10.8.225.26:64245] oidc_check_user_id: incoming request: "/apex/okr_uat/aptest01/aptest01?(null)", ap_is_initial_req(r)=1
[Mon Jun 14 12:11:30.866489 2021] [auth_openidc:debug] [pid 66771] src/util.c(811): [client 10.8.225.26:64245] oidc_util_request_matches_url: comparing "/apex/okr_uat/aptest01/aptest01"=="/apex/redirect_uri"
[Mon Jun 14 12:11:30.866506 2021] [auth_openidc:debug] [pid 66771] src/oauth.c(128): [client 10.8.225.26:64245] oidc_oauth_get_bearer_token: authorization header found
[Mon Jun 14 12:11:30.866521 2021] [auth_openidc:debug] [pid 66771] src/oauth.c(191): [client 10.8.225.26:64245] oidc_oauth_get_bearer_token: bearer token: eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiIsIng1dCI6IlpsZElUS01FODBzbUhzQ2NfYWw4TXlwVC1ubyIsImtpZCI6IlpsZElUS01FODBzbUhzQ2NfYWw4TXlwVC1ubyJ9.eyJhdWQ...mKwcn6aEChQ5Nu5u7ah5N2EZk_OPs5SLUJvc-yVF-VkRmZ55WFeVRGzwtMd2652JLBaBU0xCYpgiTBzyz0EaIQDzjJjRlSmOe1Lci2PQ6Z3Q
[Mon Jun 14 12:11:30.866611 2021] [auth_openidc:debug] [pid 66771] src/oauth.c(459): [client 10.8.225.26:64245] oidc_oauth_validate_jwt_access_token: successfully parsed JWT with header: {"typ":"JWT","alg":"RS256","x5t":"ZldITKME80smHsCc_al8MypT-no","kid":"ZldITKME80smHsCc_al8MypT-no"}
[Mon Jun 14 12:11:30.866626 2021] [auth_openidc:debug] [pid 66771] src/oauth.c(474): [client 10.8.225.26:64245] oidc_oauth_validate_jwt_access_token: verify JWT against 0 statically configured public keys and 0 shared keys, with JWKs URI set to (null)
[Mon Jun 14 12:11:30.866633 2021] [auth_openidc:debug] [pid 66771] src/proto.c(744): [client 10.8.225.26:64245] oidc_proto_jwt_verify: "jwks_uri" is not set, signature validation will only be performed against statically configured keys
[Mon Jun 14 12:11:30.866645 2021] [auth_openidc:error] [pid 66771] [client 10.8.225.26:64245] oidc_proto_jwt_verify: JWT signature verification failed: [src/jose/apr_jws.c:566: apr_jws_verify]: could not find key with kid: ZldITKME80smHsCc_al8MypT-no\n
[Mon Jun 14 12:11:30.866648 2021] [auth_openidc:error] [pid 66771] [client 10.8.225.26:64245] oidc_oauth_validate_jwt_access_token: JWT access token signature could not be validated, aborting
```
https://my-adfs/adfs/.well-known/openid-configuration contains
```
{
  "issuer": "https://my-adfs/adfs",
  "authorization_endpoint": "https://my-adfs/adfs/oauth2/authorize/",
  "token_endpoint": "https://my-adfs/adfs/oauth2/token/",
  "jwks_uri": "https://my-adfs/adfs/discovery/keys",
  "token_endpoint_auth_methods_supported": [
    "client_secret_post",
    "client_secret_basic",
    "private_key_jwt",
    "windows_client_authentication"
  ],
  ...
```
I have also tried to manually set
```apache
OIDCProviderJwksUri https://my-adfs/adfs/discovery/keys
```
The URL https://my-adfs/adfs/discovery/keys has the following:
```
{
  "keys": [
    {
      "kty": "RSA",
      "use": "sig",
      "alg": "RS256",
      "kid": "ZldITKME80smHsCc_al8MypT-no",
      "x5t": "ZldITKME80smHsCc_al8MypT-no",
      "n": "oLpzVeOYlN3BDS9ZzJrySs6i9A6PjepESa45g-JiOlGvtUR7khrh0awpYJfp5nQKdA_bY3xvkDmknqkMRWCNUvwzn0WfnvgXJ_gUTgvRUu45Vvup7s3dpr3vZuxX1xjwfmzrGRck8TwA_n8ZzrdnqdhmFv9wdu2f5wgQHe4H-sFpVZ3OFcbISBYHN_giZFpNhzfiqcDGHdBLl_6xPrsKbyaHGnPEUaVnFKa4KbuGg28ySv3H2Ve7liL1jMOeGtukX1wZ7IogjSHyLqFvQwIpOlmJ6EXXW58eIfUROrITkEAzxKeMvo1s682f77jxQzHWg8nRndpFofjH7NJL0EwdtQ",
      "e": "AQAB",
      "x5c": [
        ...
      ]
    }
  ]
}
```
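A triage sketch for the "could not find key with kid" error in the post above, added here as an example that is not part of the original post or of mod_auth_openidc: it separates "the provider does not publish this kid" from "the verifier was never given a key source", using the token header and JWKS values quoted in the post. The function names and result labels are hypothetical, and the JWKS is trimmed to the fields the lookup needs.

```python
import base64
import json

def b64url_decode(segment: str) -> bytes:
    """Decode unpadded base64url as used for JWT segments (RFC 7515)."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))

def jwt_header(token: str) -> dict:
    """Return the UNVERIFIED JOSE header. Only the first segment is read,
    so a token truncated in a debug log is enough. Treat kid/alg as
    untrusted input: use them only to look up a key you already trust."""
    return json.loads(b64url_decode(token.split(".")[0]))

def triage(token, provider_jwks, verifier_jwks_uri, static_kids=()):
    """Classify a 'could not find key with kid' failure (hypothetical labels)."""
    hdr = jwt_header(token)
    kid, alg = hdr.get("kid"), str(hdr.get("alg", "none"))
    if alg.lower() == "none":
        return "unsigned-token"              # never acceptable for access tokens
    if kid in static_kids:
        return "key-available"               # a statically configured key matches
    published = any(
        k.get("kid") == kid and k.get("alg", alg) == alg
        for k in provider_jwks.get("keys", [])
    )
    if not published:
        return "kid-not-published"           # key rollover, or token from another issuer
    if not verifier_jwks_uri:
        return "verifier-has-no-key-source"  # provider is fine, verifier config is not
    return "key-available"

# Header segment copied from the debug log in the post; payload and signature omitted.
TOKEN = ("eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiIsIng1dCI6IlpsZElUS01FODBzbUhzQ2Nf"
         "YWw4TXlwVC1ubyIsImtpZCI6IlpsZElUS01FODBzbUhzQ2NfYWw4TXlwVC1ubyJ9.")
# JWKS from the post, trimmed (n, e, x5c left out because the lookup does not need them).
JWKS = {"keys": [{"kty": "RSA", "use": "sig", "alg": "RS256",
                  "kid": "ZldITKME80smHsCc_al8MypT-no"}]}

if __name__ == "__main__":
    # The log reports 0 static keys and "JWKs URI set to (null)", hence None and ().
    print(triage(TOKEN, JWKS, verifier_jwks_uri=None))
```

With the post's values the kid is present in the provider's JWKS, so the result points at the verifier's key source rather than at the token or the provider.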