Using "OIDCPreservePost On" makes initial unauthenticated post request leak to application

[patrikbjork]

When I make an unauthenticated (post) request to my application all seems to work fine. I'm redirected to IDP login page, enter credentials and the post is preserved correctly. However, I can see in my application logs that a post request is made on my initial request. The leaked request doesn't have any post parameters, but it still is a post request. This can't be an intended behavior, is it? Should I file an issue?

[zandbelt]

if application logs refers to the Apache logs, then that is the intended behaviour; the initial POST is intercepted, the authentication flow is done and then a Javsacript autosubmit page is presented to the browser; in the logs it would see

POST /app - 200            (the initial post responded to with a Javascript page that saves data and redirects to OP)
GET  /redirect_uri - 200   (the authentication response coming in)
POST /app - 200            (the autosubmitted POST request, resubmitting data)

[zandbelt]

No, I mean the logs in Tomcat in my case. I use ProxyPass with AJP it that matters.

I guess it is an AJP question then; logic says that propagate and intercept are mutually exclusive for the same request

[patrikbjork]

So you're saying it is correct behavior? Or do you have any ideas for finding a solution? Should I try proxying with http instead?

[patrikbjork]

The behavior is the same with http proxying. I don't see the same behavior without "OIDCPreservePost On" and it is only when I use post instead of get.

[zandbelt]

if you can confirm this with the latest version of the module I'll investigate

[patrikbjork]

Installing latest release from deb package solved it 😀 I didn't mention I was using the Ubuntu focal version before (2.4.1-1). Thanks for pointing me in the right direction!