-
Notifications
You must be signed in to change notification settings - Fork 322
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Change default header prefix from "OIDC_CLAIM_" to "Oidc-Claim-" #707
Comments
this dropping is not about headers but about environment variables specifically in CGI environments, so I don't think it justifies changing the default -which in the majority cases is headers, not environment variables |
Thanks for prompt attention to this, but I am baffled at your mention of CGI environments. I'm using ProxyPass and ProxyPassReverse configuration options to pass REST requests on to a running python app, not having Apache httpd launch a Perl or PHP script to process a request. And I'm not asking to change mod-auth-openidc on environment variables, only on HTTP request headers. But hey, the note when I opened this issue said "all issues will be closed" and by gosh, it sure was. |
FYI there is now a setting OIDCClaimPrefix, so you can set for example
Of course, that doesn't help you if the claim you're interested in also contains an underscore, like
Aside: gunicorn 22.0 recently decided to drop headers containing underscore by default, which causes problems if Apache+mod_auth_openidc is in front, although there is a setting to override this behaviour ( |
Please consider this improvement request to use a different default prefix on headers set by mod-auth-openidc.
I understand that Apache HTTPD as of version 2.4 silently drops headers with underscore characters. The default prefix used by mod-auth-openidc is "OIDC_CLAIM_". With this default, requests proxied to another app arrive with no OIDC claim headers. The workaround is to change the prefix using a config line, for example
OIDCClaimPrefix Oidc-Claim-
, then the proxied requests have the expected claims in headers.Also FWIW, Apache HTTPD 2.4 coerces header names to initial cap, rest lower case. I tried
OIDC-CLAIM
,oIDC-cLAIM-
and other variations, but every single one arrives asOidc-Claim-
. For example, with the prefix mentioned above in place, the user claim arrives asOidc-Claim-Sub
.Thanks.
The text was updated successfully, but these errors were encountered: