OIDCUnAutzAction - iframe/frame auto-detection mechanism override

[spiazzi]

We're using mod_auth_openidc to protect different web applications in a single Apache VirtualHost; each application is published with a specific context-root and requires (through Require directive) a specific claim value in "id_token" in order to authorize the access.

Some of the webapps use iframes / framesets where other applications are loaded, so a solid SSO mechanisms between applications is required.

We're trying to implement a smooth SSO flow through the iframes, but we are facing 2 main issues:

1. UnAuth user: if user tries to refresh an iframe / frame after the mod_auth_openidc session is expired, a 401 error is returned instead of starting the OIDC authentication processas stated in the conf

   mod_auth_openidc/auth_openidc.conf

   Line 929 in 109c841

   # || ( -n %{HTTP:Sec-Fetch-Dest} && %{HTTP:Sec-Fetch-Dest} != 'iframe' && %{HTTP:Sec-Fetch-Dest} != 'document') \

   , we managed to override the iframe/frame auto-detection mechanism by using the specific argument provided by "OIDCUnAuthAction" directive -> SOLVED -> OIDCUnAuthAction 401 "%{HTTP:X-Requested-With} == 'XMLHttpRequest' || ( -n %{HTTP:Sec-Fetch-Mode} && %{HTTP:Sec-Fetch-Mode} != 'navigate' ) || || ( -n %{HTTP:Sec-Fetch-Dest} && %{HTTP:Sec-Fetch-Dest} != 'iframe' && %{HTTP:Sec-Fetch-Dest} != 'frame' && %{HTTP:Sec-Fetch-Dest} != 'document') || ( ( %{HTTP_ACCEPT} !~ m#text/html# ) && ( %{HTTP_ACCEPT} !~ m#application/xhtml+xml# ) && ( %{HTTP_ACCEPT} !~ m#*/*# ) )"
2. UnAutz user: we're trying to handle the authorization process through an OIDC "step-up" flow, but again, if the user tries to load in the iframe an application that is not already auhtorized to, a 401 error is returned instead of starting the OIDC step-up authorization process -> we wanted to use the same approach by overriding the iframe/frame auto-detection mechanism, but (reading the docs) we could not find the right way to specify the same override logic for OIDCUnAutzAction -> ISSUE PENDING

Is there a way to specifiy the iframe/frame auto-detection mechanism override for OIDCUnAutzAction like we did for the OIDCUnAuthAction?

If not already, can this possibility be added to the OIDCUnAutzAction too?

[zandbelt]

iframe based SSO is deemed insecure, hence the default settings and there are no plans to deviate from that; one should rather aim to handle authentication at the toplevel