integrate liboauth2 to Httpd/ Apache 2.X

[walidbenhammouda]

Hello,
as many of others I am looking to validate a bearer token provided by an internal separate OP (so I am sure I am authenticated already), via HTTPD / Apache in order to call a REST API running somewhere behind that OP.

since the OAauth2 is suppressed from the last version of auth_openidc I am wondering what kind of config to put into httpd.conf? I have the introspection URL and the token generated but I don't know how to set them:

a partial config of my httpd-API.conf that is not working when I call my API using GET

OAuth2TokenVerify introspect https://introspect-url/validatetoken introspect.ssl_verify=false&introspect.auth=client_secret_basic&client_id=API&client_secret=XXXXXX
<Location /api/1.0/>
Authtype oauth20
Require valid-user
ProxyPass http://localhost:8282/ma/
ProxyPassReverse http://localhost:8282/ma/

and I receive: No authentication done but request not allowed without authentication....Authentication not configured?

[auth_openidc:error] [pid 106696] [client IP-X.X.X.X:50346] oidc_oauth_validate_jwt_access_token: could not parse JWT from access_token: [src/jose.c:755: oidc_jwt_parse]: cjose_jws_import failed: invalid argument [file: jws.c, function: cjose_jws_import, line: 787]

could you please help me?
let me know what other information needed.

Appreciate your help

[zandbelt]

I see the documentation is lacking, the AuthType oauth20 currently triggers mod_auth_openidc.
Setting:

AuthType oauth2

(i.e. instead of oauth20) on that path should trigger mod_oauth2.

[walidbenhammouda]

thanks @zandbelt . I am seeing no error now but I am still having 401.
may be I need to add OAuth2AcceptTokenIn directive, something is missing here, how does it know that my token passed in the access_token form name?

[zandbelt]

Please set LogLevel to debug and paste the log here or send it to me directly.

[walidbenhammouda]

sorry for the delay, I was looking around the C code but I can't find the way the cx->hdr is built.
I am using:
liboauth2-1.1.1-1.el7.x86_64
liboauth2-apache-1.1.1-1.el7.x86_64
below are the logs:
the call is from Postman, and you can see that the strcuture hdr=[] is missing an extra mandatory header that I am sending in addition of the Bearer:
_oauth2_http_request_hdr_in_set_add_sanitized: X-IdP-API-Key: sec_APIKey
this above header is catched but not sent to the url for authentication so I got the 403 error:
hdr=[ Content-Type=application/x-www-form-urlencoded ] cookie=[ ] ]

for more information PFA the logs:

ma-logs.txt

Thanks again for the help

[zandbelt]

apparently the introspection call to https://ih-rdy.prod.local/xpressng/plainrest/idpcld1uat/idp/authenticatedUser fails; looks like the endpoint is not properly handing the call, or the wrong credentials are configured

[walidbenhammouda]

Yes because I need an additional header besides the bearer token. How can I tell the Oauth2 to take the extra header x-IDP-API-Key as part of the authentication? This is mandatory.

[zandbelt]

there's no way to do that and it would be something that is outside of the introspection spec itself

[walidbenhammouda]

Exactly! And that what’s I am keep telling the team responsible for this and no body knows the answer.
Is it at least a way to use openidc the old version I mean to use oauth20 as I am seeing I can use the headers as part as of the introspect I believe right or any thing that might help to send additional headers to let the system know that I am authenticated?
Because I don’t have a choice but stick to those internal guys.

Appreciate the help as always

[zandbelt]

I'm sorry: I think it is a reasonable feature request for liboauth2 but I have no plans to implement this myself, unless under a commercial agreement (after all it is a proprietary token endpoint authentication mechanism); feel free to add this as an enhancement issue/request here https://github.com/zmartzone/liboauth2/issues

[walidbenhammouda]

Understood and thanks again for the help!I