Does the cookie based on domain level ? why my configuration did not work

[sarins]

# Backoffice virtual hosts, with OIDC authentication.
<VirtualHost *:443>
    ServerName backoffice.example.work
    SSLEngine on
    SSLCertificateFile "/opt/cert/example.work/tls.crt"
    SSLCertificateKeyFile "/opt/cert/example.work/tls.key"
    SSLCertificateChainFile "/opt/cert/example.work/ca.crt"

    OIDCCryptoPassphrase dead_code
    OIDCRedirectURI https://backoffice.example.work/redirect_uri
    OIDCOAuthSSLValidateServer Off
    OIDCOAuthVerifyJwksUri https://keycloak.example.work/realms/example/protocol/openid-connect/certs
    OIDCIDTokenIatSlack 3600
    OIDCCookieDomain example.work
    OIDCXForwardedHeaders X-Forwarded-Host

    <Location /redirect_uri>
        AuthType openid-connect
        Require claim client_id:ac_oic_client
    </Location>
    <Location />
       LogLevel debug
       AuthType auth-openidc
       #Require valid-user
       #Require claim client_id:bui
       Require claim aud:bui
       RequestHeader set Authorization "Bearer %{OIDC_access_token}e" env=OIDC_access_token
       #ProxyPreserveHost on
       ProxyPass "http://host.docker.internal:8101/"
       ProxyPassReverse "http://host.docker.internal:8101/"
    </Location>
</VirtualHost>
<VirtualHost *:443>
    LogLevel debug
    ServerName bui.example.work
    SSLEngine on
    SSLCertificateFile "/opt/cert/example.work/tls.crt"
    SSLCertificateKeyFile "/opt/cert/example.work/tls.key"
    SSLCertificateChainFile "/opt/cert/example.work/ca.crt"

    OIDCProviderMetadataURL https://keycloak.example.work/realms/example/.well-known/openid-configuration
    OIDCClientID bui
    OIDCClientSecret jE18cvOx3ircV048F67gq0ifMgWdayem
    # See https://github.com/Reposoft/openidc-keycloak-test/issues/7
    OIDCProviderTokenEndpointAuth client_secret_basic
    OIDCCryptoPassphrase dead_code
    OIDCRedirectURI https://bui.example.work/redirect_uri?info=json
    OIDCRefreshAccessTokenBeforeExpiry 10
    OIDCInfoHook iat access_token access_token_expires id_token id_token_hint userinfo refresh_token exp timeout remote_user session
    OIDCRemoteUserClaim preferred_username
    OIDCScope "openid email"
    OIDCCookieDomain example.work
    OIDCXForwardedHeaders X-Forwarded-Host

    <Location /redirect_uri>
       AuthType openid-connect
       Require claim client_id:ac_oic_client
    </Location>
    <Location />
       AuthType openid-connect
       Require valid-user
       #ProxyPreserveHost on
       ProxyPass "http://host.docker.internal:8001/"
       ProxyPassReverse "http://host.docker.internal:8001/"
    </Location>
</VirtualHost>

Above are my configurations for 2 virtual hosts.

The SPA application which name is bui.example.work, which worked well, I can see auth informations in debug log of apache console.

But the another one can not get the valid user from shared cookie, which based on same OIDCCookieDomain example.work (If my understanding is correct)

below are apache log when i try to access the backend API via mod_auth_openidc configuration.

[Thu Nov 23 00:00:54.706436 2023] [auth_openidc:debug] [pid 2744:tid 139685598840512] src/mod_auth_openidc.c(4589): [client 192.168.65.1:37797] oidc_authz_checker: enter: (r->user=(null)) require_args="aud:bui", referer: https://bui.rocksolid.work/
[Thu Nov 23 00:00:54.706483 2023] [authz_core:debug] [pid 2744:tid 139685598840512] mod_authz_core.c(815): [client 192.168.65.1:37797] AH01626: authorization result of Require claim aud:bui: denied (no authenticated user yet), referer: https://bui.rocksolid.work/
[Thu Nov 23 00:00:54.706488 2023] [authz_core:debug] [pid 2744:tid 139685598840512] mod_authz_core.c(815): [client 192.168.65.1:37797] AH01626: authorization result of <RequireAny>: denied (no authenticated user yet), referer: https://bui.rocksolid.work/
[Thu Nov 23 00:00:54.706491 2023] [auth_openidc:debug] [pid 2744:tid 139685598840512] src/mod_auth_openidc.c(4451): [client 192.168.65.1:37797] oidc_check_user_id: incoming request: "/agency/manage/page?page=1&per_page=10", ap_is_initial_req(r)=1, referer: https://bui.rocksolid.work/
[Thu Nov 23 00:00:54.706495 2023] [auth_openidc:debug] [pid 2744:tid 139685598840512] src/oauth.c(197): [client 192.168.65.1:37797] oidc_oauth_get_bearer_token: accept_token_in=0, referer: https://bui.rocksolid.work/
[Thu Nov 23 00:00:54.706498 2023] [auth_openidc:debug] [pid 2744:tid 139685598840512] src/oauth.c(287): [client 192.168.65.1:37797] oidc_oauth_get_bearer_token: no bearer token found in the allowed methods: [], referer: https://bui.rocksolid.work/
[Thu Nov 23 00:00:54.706501 2023] [auth_openidc:debug] [pid 2744:tid 139685598840512] src/util.c(1434): [client 192.168.65.1:37797] oidc_util_get_cookie: returning "mod_auth_openidc_session" = <null>, referer: https://bui.rocksolid.work/
[Thu Nov 23 00:00:54.706504 2023] [auth_openidc:debug] [pid 2744:tid 139685598840512] src/util.c(1597): [client 192.168.65.1:37797] oidc_util_request_matches_url: comparing "/agency/manage/page"=="/redirect_uri", referer: https://bui.rocksolid.work/
[Thu Nov 23 00:00:54.706506 2023] [auth_openidc:debug] [pid 2744:tid 139685598840512] src/util.c(2791): [client 192.168.65.1:37797] oidc_util_hdr_in_get: Sec-Fetch-Mode=cors, referer: https://bui.rocksolid.work/
[Thu Nov 23 00:00:54.706508 2023] [auth_openidc:debug] [pid 2744:tid 139685598840512] src/util.c(2791): [client 192.168.65.1:37797] oidc_util_hdr_in_get: Sec-Fetch-Mode=cors, referer: https://bui.rocksolid.work/
192.168.65.1 - - [23/Nov/2023:00:00:54 +0800] "POST /agency/manage/page?page=1&per_page=10 HTTP/1.1" 401 381
[Thu Nov 23 00:00:57.697528 2023] [ssl:debug] [pid 2744:tid 139685573662400] ssl_engine_io.c(1147): [client 192.168.65.1:37795] AH02001: Connection closed to child 214 with standard shutdown (server bui.rocksolid.work:443)
[Thu Nov 23 00:01:29.216949 2023] [proxy:debug] [pid 2539:tid 139686899087040] proxy_util.c(2585): AH00943: http: has released connection for (host.docker.internal:8001)
192.168.65.1 - admin [22/Nov/2023:23:51:29 +0800] "POST /sockjs-node/228/xzqq4hnp/xhr_streaming?t=1700668289216 HTTP/1.1" 200 2373
[Thu Nov 23 00:01:29.220257 2023] [proxy:debug] [pid 2539:tid 139687380531072] proxy_util.c(3435): [remote 192.168.65.254:8001] AH02642: proxy: connection shutdown

[zandbelt]

start by defning the shared config settings (i.e. the OIDC*, SSL* and LogLevel primivites) at the top level, above the vhosts so they are shared between them, and change OIDCRedirectURI to /redirect_uri

[sarins]

start by defning the shared config settings (i.e. the OIDC*, SSL* and LogLevel primivites) at the top level, above the vhosts so they are shared between them, and change OIDCRedirectURI to /redirect_uri

Hi @zandbelt, thanks for help.

I have been change my configurations based on u suggestions, but it still did not work well, below are my new configurations, please help me check it.

# Backoffice virtual hosts, with OIDC authentication.

OIDCProviderMetadataURL https://keycloak.example.work/realms/example/.well-known/openid-configuration
OIDCClientID bui
OIDCClientSecret jE18cvOx3ircV048F67gq0ifMgWdayem
# See https://github.com/Reposoft/openidc-keycloak-test/issues/7
OIDCProviderTokenEndpointAuth client_secret_basic
OIDCCryptoPassphrase dead_code
OIDCRefreshAccessTokenBeforeExpiry 10
OIDCInfoHook iat access_token access_token_expires id_token id_token_hint userinfo refresh_token exp timeout remote_user session
OIDCRemoteUserClaim preferred_username
OIDCScope "openid email"
#OIDCCookieDomain example.work 

<VirtualHost *:443>
    ServerName backoffice.example.work
    SSLEngine on
    SSLCertificateFile "/opt/cert/example.work/tls.crt"
    SSLCertificateKeyFile "/opt/cert/example.work/tls.key"
    SSLCertificateChainFile "/opt/cert/example.work/ca.crt"

    OIDCRedirectURI /redirect_uri

    OIDCOAuthSSLValidateServer Off
    OIDCOAuthVerifyJwksUri https://keycloak.rocksolid.work/realms/example/protocol/openid-connect/certs
    OIDCIDTokenIatSlack 3600
    #OIDCCookieDomain example.work
    OIDCXForwardedHeaders X-Forwarded-Host

    <Location /redirect_uri>
        AuthType openid-connect
        Require claim client_id:ac_oic_client
    </Location>
    <Location />
       LogLevel debug
       AuthType auth-openidc
       Require claim aud:bui
       RequestHeader set Authorization "Bearer %{OIDC_access_token}e" env=OIDC_access_token
       #ProxyPreserveHost on
       ProxyPass "http://host.docker.internal:8101/"
       ProxyPassReverse "http://host.docker.internal:8101/"
    </Location>
</VirtualHost>
<VirtualHost *:443>
    LogLevel debug
    ServerName bui.example.work
    SSLEngine on
    SSLCertificateFile "/opt/cert/example.work/tls.crt"
    SSLCertificateKeyFile "/opt/cert/example.work/tls.key"
    SSLCertificateChainFile "/opt/cert/example.work/ca.crt"

    OIDCRedirectURI /redirect_uri
    OIDCXForwardedHeaders X-Forwarded-Host

    <Location /redirect_uri>
       AuthType openid-connect
       Require claim client_id:ac_oic_client
    </Location>
    <Location />
       AuthType openid-connect
       Require valid-user
       #ProxyPreserveHost on
       ProxyPass "http://host.docker.internal:8001/"
       ProxyPassReverse "http://host.docker.internal:8001/"
    </Location>
</VirtualHost>

192.168.65.1 - admin [23/Nov/2023:14:10:01 +0800] "GET /static/logo/x-icon.png HTTP/1.1" 304 -
[Thu Nov 23 14:10:04.621025 2023] [auth_openidc:debug] [pid 279:tid 140049077233344] src/mod_auth_openidc.c(4589): [client 192.168.65.1:37981] oidc_authz_checker: enter: (r->user=(null)) require_args="aud:bui", referer: https://bui.rocksolid.work/
[Thu Nov 23 14:10:04.621074 2023] [authz_core:debug] [pid 279:tid 140049077233344] mod_authz_core.c(815): [client 192.168.65.1:37981] AH01626: authorization result of Require claim aud:bui: denied (no authenticated user yet), referer: https://bui.rocksolid.work/
[Thu Nov 23 14:10:04.621079 2023] [authz_core:debug] [pid 279:tid 140049077233344] mod_authz_core.c(815): [client 192.168.65.1:37981] AH01626: authorization result of <RequireAny>: denied (no authenticated user yet), referer: https://bui.rocksolid.work/
[Thu Nov 23 14:10:04.621083 2023] [auth_openidc:debug] [pid 279:tid 140049077233344] src/mod_auth_openidc.c(4451): [client 192.168.65.1:37981] oidc_check_user_id: incoming request: "/agency/manage/page?page=1&per_page=10", ap_is_initial_req(r)=1, referer: https://bui.rocksolid.work/
[Thu Nov 23 14:10:04.621087 2023] [auth_openidc:debug] [pid 279:tid 140049077233344] src/oauth.c(197): [client 192.168.65.1:37981] oidc_oauth_get_bearer_token: accept_token_in=0, referer: https://bui.rocksolid.work/
[Thu Nov 23 14:10:04.621090 2023] [auth_openidc:debug] [pid 279:tid 140049077233344] src/oauth.c(287): [client 192.168.65.1:37981] oidc_oauth_get_bearer_token: no bearer token found in the allowed methods: [], referer: https://bui.rocksolid.work/
[Thu Nov 23 14:10:04.621093 2023] [auth_openidc:warn] [pid 279:tid 140049077233344] [client 192.168.65.1:37981] oidc_check_x_forwarded_hdr: OIDCXForwardedHeaders configured for header X-Forwarded-Host but not found in request, referer: https://bui.rocksolid.work/
[Thu Nov 23 14:10:04.621096 2023] [auth_openidc:debug] [pid 279:tid 140049077233344] src/util.c(2791): [client 192.168.65.1:37981] oidc_util_hdr_in_get: Host=backoffice.rocksolid.work, referer: https://bui.rocksolid.work/
[Thu Nov 23 14:10:04.621097 2023] [auth_openidc:debug] [pid 279:tid 140049077233344] src/util.c(2791): [client 192.168.65.1:37981] oidc_util_hdr_in_get: Host=backoffice.rocksolid.work, referer: https://bui.rocksolid.work/
[Thu Nov 23 14:10:04.621099 2023] [auth_openidc:debug] [pid 279:tid 140049077233344] src/util.c(804): [client 192.168.65.1:37981] oidc_get_absolute_url: determined absolute url: https://backoffice.rocksolid.work/redirect_uri, referer: https://bui.rocksolid.work/
[Thu Nov 23 14:10:04.621102 2023] [auth_openidc:debug] [pid 279:tid 140049077233344] src/util.c(1434): [client 192.168.65.1:37981] oidc_util_get_cookie: returning "mod_auth_openidc_session" = <null>, referer: https://bui.rocksolid.work/
[Thu Nov 23 14:10:04.621104 2023] [auth_openidc:warn] [pid 279:tid 140049077233344] [client 192.168.65.1:37981] oidc_check_x_forwarded_hdr: OIDCXForwardedHeaders configured for header X-Forwarded-Host but not found in request, referer: https://bui.rocksolid.work/
[Thu Nov 23 14:10:04.621106 2023] [auth_openidc:debug] [pid 279:tid 140049077233344] src/util.c(2791): [client 192.168.65.1:37981] oidc_util_hdr_in_get: Host=backoffice.rocksolid.work, referer: https://bui.rocksolid.work/
[Thu Nov 23 14:10:04.621107 2023] [auth_openidc:debug] [pid 279:tid 140049077233344] src/util.c(2791): [client 192.168.65.1:37981] oidc_util_hdr_in_get: Host=backoffice.rocksolid.work, referer: https://bui.rocksolid.work/
[Thu Nov 23 14:10:04.621109 2023] [auth_openidc:debug] [pid 279:tid 140049077233344] src/util.c(804): [client 192.168.65.1:37981] oidc_get_absolute_url: determined absolute url: https://backoffice.rocksolid.work/redirect_uri, referer: https://bui.rocksolid.work/
[Thu Nov 23 14:10:04.621111 2023] [auth_openidc:debug] [pid 279:tid 140049077233344] src/util.c(1597): [client 192.168.65.1:37981] oidc_util_request_matches_url: comparing "/agency/manage/page"=="/redirect_uri", referer: https://bui.rocksolid.work/
[Thu Nov 23 14:10:04.621165 2023] [auth_openidc:debug] [pid 279:tid 140049077233344] src/util.c(2791): [client 192.168.65.1:37981] oidc_util_hdr_in_get: Sec-Fetch-Mode=cors, referer: https://bui.rocksolid.work/
[Thu Nov 23 14:10:04.621171 2023] [auth_openidc:debug] [pid 279:tid 140049077233344] src/util.c(2791): [client 192.168.65.1:37981] oidc_util_hdr_in_get: Sec-Fetch-Mode=cors, referer: https://bui.rocksolid.work/
192.168.65.1 - - [23/Nov/2023:14:10:04 +0800] "POST /agency/manage/page?page=1&per_page=10 HTTP/1.1" 401 381
[Thu Nov 23 14:10:06.986820 2023] [ssl:debug] [pid 37:tid 140049619867328] ssl_engine_io.c(1147): [client 192.168.65.1:37969] AH02001: Connection closed to child 128 with standard shutdown (server bui.rocksolid.work:443)

[zandbelt]

move all of the OIDC* primitives up, move all of the SSL* primitives and LogLevel up...; then most importantly, define OIDCCookieDomain on the toplevel instead of commenting it out in 2 places...

[sarins]

move all of the OIDC* primitives up, move all of the SSL* primitives and LogLevel up...; then most importantly, define OIDCCookieDomain on the toplevel instead of commenting it out in 2 places...

Hi @zandbelt, thanks again, but it still not work.
I think the main problem is it can not get valid user from the shared cookie.

below are configurations and logs.

# Backoffice virtual hosts, with OIDC authentication.
LogLevel debug

SSLEngine on
SSLCertificateFile "/opt/cert/rocksolid.work/tls.crt"
SSLCertificateKeyFile "/opt/cert/rocksolid.work/tls.key"
SSLCertificateChainFile "/opt/cert/rocksolid.work/ca.crt"

# Open ID connect
OIDCProviderMetadataURL https://keycloak.rocksolid.work/realms/ROCKSOLID/.well-known/openid-configuration
OIDCClientID bui
OIDCClientSecret jE18cvOx3ircV048F67gq0ifMgWdayem
# See https://github.com/Reposoft/openidc-keycloak-test/issues/7
OIDCProviderTokenEndpointAuth client_secret_basic
OIDCCryptoPassphrase dead_code
OIDCRedirectURI /redirect_uri
#OIDCRedirectURI https://bui.rocksolid.work/redirect_uri?info=json
OIDCRefreshAccessTokenBeforeExpiry 10
OIDCInfoHook iat access_token access_token_expires id_token id_token_hint userinfo refresh_token exp timeout remote_user session
OIDCRemoteUserClaim preferred_username
OIDCScope "openid email"
OIDCXForwardedHeaders X-Forwarded-Host
OIDCCookieDomain rocksolid.work

# OAuth2.0 Resource Server
#OIDCOAuthSSLValidateServer Off
#OIDCOAuthVerifyJwksUri https://keycloak.rocksolid.work/realms/ROCKSOLID/protocol/openid-connect/certs
#OIDCIDTokenIatSlack 3600

<VirtualHost *:443>
    ServerName backoffice.rocksolid.work
    <Location /redirect_uri>
        AuthType openid-connect
        Require claim client_id:ac_oic_client
    </Location>
    <Location />
       AuthType auth-openidc
       Require claim iss:https://keycloak.rocksolid.work/realms/ROCKSOLID
       Require claim aud:bui
       RequestHeader set Authorization "Bearer %{OIDC_access_token}e" env=OIDC_access_token
       #ProxyPreserveHost on
       ProxyPass "http://host.docker.internal:8101/"
       ProxyPassReverse "http://host.docker.internal:8101/"
    </Location>
</VirtualHost>
<VirtualHost *:443>
    ServerName bui.rocksolid.work
    <Location /redirect_uri>
       AuthType openid-connect
       Require claim client_id:ac_oic_client
    </Location>
    <Location />
       AuthType openid-connect
       Require valid-user
       #ProxyPreserveHost on
       ProxyPass "http://host.docker.internal:8001/"
       ProxyPassReverse "http://host.docker.internal:8001/"
    </Location>
</VirtualHost>

[Fri Nov 24 14:47:50.214135 2023] [ssl:debug] [pid 640:tid 140625106151104] ssl_engine_kernel.c(2395): [client 192.168.65.1:38371] AH02043: SSL virtual host for servername backoffice.rocksolid.work found
[Fri Nov 24 14:47:50.214297 2023] [core:debug] [pid 640:tid 140625106151104] protocol.c(2460): [client 192.168.65.1:38371] AH03155: select protocol from , choices=h2,http/1.1 for server backoffice.rocksolid.work
[Fri Nov 24 14:47:50.215558 2023] [ssl:debug] [pid 640:tid 140625106151104] ssl_engine_kernel.c(2254): [client 192.168.65.1:38371] AH02041: Protocol: TLSv1.3, Cipher: TLS_AES_128_GCM_SHA256 (128/128 bits)
[Fri Nov 24 14:47:50.215736 2023] [socache_shmcb:debug] [pid 640:tid 140625106151104] mod_socache_shmcb.c(508): AH00831: socache_shmcb_store (0xf4 -> subcache 20)
[Fri Nov 24 14:47:50.215744 2023] [socache_shmcb:debug] [pid 640:tid 140625106151104] mod_socache_shmcb.c(862): AH00847: insert happened at idx=0, data=(0:32)
[Fri Nov 24 14:47:50.215746 2023] [socache_shmcb:debug] [pid 640:tid 140625106151104] mod_socache_shmcb.c(865): AH00848: finished insert, subcache: idx_pos/idx_used=0/1, data_pos/data_used=0/219
[Fri Nov 24 14:47:50.215748 2023] [socache_shmcb:debug] [pid 640:tid 140625106151104] mod_socache_shmcb.c(530): AH00834: leaving socache_shmcb_store successfully
[Fri Nov 24 14:47:50.215862 2023] [ssl:debug] [pid 640:tid 140625106151104] ssl_engine_kernel.c(415): [client 192.168.65.1:38371] AH02034: Initial (No.1) HTTPS request received for child 211 (server backoffice.rocksolid.work:443), referer: https://bui.rocksolid.work/
[Fri Nov 24 14:47:50.215915 2023] [auth_openidc:debug] [pid 640:tid 140625106151104] src/mod_auth_openidc.c(4589): [client 192.168.65.1:38371] oidc_authz_checker: enter: (r->user=(null)) require_args="iss:https://keycloak.rocksolid.work/realms/ROCKSOLID", referer: https://bui.rocksolid.work/
[Fri Nov 24 14:47:50.215923 2023] [authz_core:debug] [pid 640:tid 140625106151104] mod_authz_core.c(815): [client 192.168.65.1:38371] AH01626: authorization result of Require claim iss:https://keycloak.rocksolid.work/realms/ROCKSOLID: denied (no authenticated user yet), referer: https://bui.rocksolid.work/
[Fri Nov 24 14:47:50.215926 2023] [auth_openidc:debug] [pid 640:tid 140625106151104] src/mod_auth_openidc.c(4589): [client 192.168.65.1:38371] oidc_authz_checker: enter: (r->user=(null)) require_args="aud:bui", referer: https://bui.rocksolid.work/
[Fri Nov 24 14:47:50.215929 2023] [authz_core:debug] [pid 640:tid 140625106151104] mod_authz_core.c(815): [client 192.168.65.1:38371] AH01626: authorization result of Require claim aud:bui: denied (no authenticated user yet), referer: https://bui.rocksolid.work/
[Fri Nov 24 14:47:50.215931 2023] [authz_core:debug] [pid 640:tid 140625106151104] mod_authz_core.c(815): [client 192.168.65.1:38371] AH01626: authorization result of <RequireAny>: denied (no authenticated user yet), referer: https://bui.rocksolid.work/
[Fri Nov 24 14:47:50.215935 2023] [auth_openidc:debug] [pid 640:tid 140625106151104] src/mod_auth_openidc.c(4451): [client 192.168.65.1:38371] oidc_check_user_id: incoming request: "/agency/manage/page?page=1&per_page=10", ap_is_initial_req(r)=1, referer: https://bui.rocksolid.work/
[Fri Nov 24 14:47:50.215938 2023] [auth_openidc:debug] [pid 640:tid 140625106151104] src/oauth.c(197): [client 192.168.65.1:38371] oidc_oauth_get_bearer_token: accept_token_in=0, referer: https://bui.rocksolid.work/
[Fri Nov 24 14:47:50.215941 2023] [auth_openidc:debug] [pid 640:tid 140625106151104] src/oauth.c(287): [client 192.168.65.1:38371] oidc_oauth_get_bearer_token: no bearer token found in the allowed methods: [], referer: https://bui.rocksolid.work/
[Fri Nov 24 14:47:50.215945 2023] [auth_openidc:warn] [pid 640:tid 140625106151104] [client 192.168.65.1:38371] oidc_check_x_forwarded_hdr: OIDCXForwardedHeaders configured for header X-Forwarded-Host but not found in request, referer: https://bui.rocksolid.work/
[Fri Nov 24 14:47:50.215948 2023] [auth_openidc:debug] [pid 640:tid 140625106151104] src/util.c(2791): [client 192.168.65.1:38371] oidc_util_hdr_in_get: Host=backoffice.rocksolid.work, referer: https://bui.rocksolid.work/
[Fri Nov 24 14:47:50.215950 2023] [auth_openidc:debug] [pid 640:tid 140625106151104] src/util.c(2791): [client 192.168.65.1:38371] oidc_util_hdr_in_get: Host=backoffice.rocksolid.work, referer: https://bui.rocksolid.work/
[Fri Nov 24 14:47:50.215952 2023] [auth_openidc:debug] [pid 640:tid 140625106151104] src/util.c(804): [client 192.168.65.1:38371] oidc_get_absolute_url: determined absolute url: https://backoffice.rocksolid.work/redirect_uri, referer: https://bui.rocksolid.work/
[Fri Nov 24 14:47:50.215955 2023] [auth_openidc:debug] [pid 640:tid 140625106151104] src/util.c(1434): [client 192.168.65.1:38371] oidc_util_get_cookie: returning "mod_auth_openidc_session" = <null>, referer: https://bui.rocksolid.work/
[Fri Nov 24 14:47:50.215957 2023] [auth_openidc:warn] [pid 640:tid 140625106151104] [client 192.168.65.1:38371] oidc_check_x_forwarded_hdr: OIDCXForwardedHeaders configured for header X-Forwarded-Host but not found in request, referer: https://bui.rocksolid.work/
[Fri Nov 24 14:47:50.215959 2023] [auth_openidc:debug] [pid 640:tid 140625106151104] src/util.c(2791): [client 192.168.65.1:38371] oidc_util_hdr_in_get: Host=backoffice.rocksolid.work, referer: https://bui.rocksolid.work/
[Fri Nov 24 14:47:50.215960 2023] [auth_openidc:debug] [pid 640:tid 140625106151104] src/util.c(2791): [client 192.168.65.1:38371] oidc_util_hdr_in_get: Host=backoffice.rocksolid.work, referer: https://bui.rocksolid.work/
[Fri Nov 24 14:47:50.215962 2023] [auth_openidc:debug] [pid 640:tid 140625106151104] src/util.c(804): [client 192.168.65.1:38371] oidc_get_absolute_url: determined absolute url: https://backoffice.rocksolid.work/redirect_uri, referer: https://bui.rocksolid.work/
[Fri Nov 24 14:47:50.215965 2023] [auth_openidc:debug] [pid 640:tid 140625106151104] src/util.c(1597): [client 192.168.65.1:38371] oidc_util_request_matches_url: comparing "/agency/manage/page"=="/redirect_uri", referer: https://bui.rocksolid.work/
[Fri Nov 24 14:47:50.215967 2023] [auth_openidc:debug] [pid 640:tid 140625106151104] src/util.c(2791): [client 192.168.65.1:38371] oidc_util_hdr_in_get: Sec-Fetch-Mode=cors, referer: https://bui.rocksolid.work/
[Fri Nov 24 14:47:50.215969 2023] [auth_openidc:debug] [pid 640:tid 140625106151104] src/util.c(2791): [client 192.168.65.1:38371] oidc_util_hdr_in_get: Sec-Fetch-Mode=cors, referer: https://bui.rocksolid.work/
192.168.65.1 - - [24/Nov/2023:14:47:50 +0800] "POST /agency/manage/page?page=1&per_page=10 HTTP/1.1" 401 381
[Fri Nov 24 14:47:55.221973 2023] [ssl:debug] [pid 640:tid 140625097758400] ssl_engine_io.c(1147): [client 192.168.65.1:38371] AH02001: Connection closed to child 212 with standard shutdown (server backoffice.rocksolid.work:443)

[zandbelt]

check the browser in development to make sure that the Set-Cookie header for the `mod_auth_openidc_session" cookie is received with the correct domain and path

[sarins]

Hi @zandbelt , I think the Set-Cookie header is correct, below is screenshot.

[zandbelt]

ok, then check the outgoing request right after that, to the redirected Location https://bui.rodksolid.work: it should contain a Cookie header with the mod_auth_openidc_session cookie

[sarins]

It contain the Cookie header with the mod_auth_openidc_session.

[zandbelt]

that is all good, so if the log on the server then still says:

[Thu Nov 23 00:00:54.706501 2023] [auth_openidc:debug] [pid 2744:tid 139685598840512] src/util.c(1434): [client 192.168.65.1:37797] oidc_util_get_cookie: returning "mod_auth_openidc_session" = , referer: https://bui.rocksolid.work/

then something "in between" the browser and your backend is removing the session cookie, perhaps a WAF or CDN

[sarins]

Hi @zandbelt , this is local machine environment for dev, no WAF or CDN interfere that works, each request/response always direct access apache or other service(s).

[sarins]

Hi @zandbelt , we found the key point at there where is frontend did not send the cookie back. thanks for u patient and help.

[sarins]

that is all good, so if the log on the server then still says:

[Thu Nov 23 00:00:54.706501 2023] [auth_openidc:debug] [pid 2744:tid 139685598840512] src/util.c(1434): [client 192.168.65.1:37797] oidc_util_get_cookie: returning "mod_auth_openidc_session" = , referer: https://bui.rocksolid.work/

then something "in between" the browser and your backend is removing the session cookie, perhaps a WAF or CDN

Is there some possible about this issue which is caused by coding error of mod_auth_openidc, maybe when get the cookie from context in this case it will be missing or get incorrect domain to let cookie can not be get.

[sarins]

that is all good, so if the log on the server then still says:

[Thu Nov 23 00:00:54.706501 2023] [auth_openidc:debug] [pid 2744:tid 139685598840512] src/util.c(1434): [client 192.168.65.1:37797] oidc_util_get_cookie: returning "mod_auth_openidc_session" = , referer: https://bui.rocksolid.work/

then something "in between" the browser and your backend is removing the session cookie, perhaps a WAF or CDN

Hi @zandbelt , My work still struggle on this issue, I have been recheck those things over an over times, I found only one log record was warning level, see screenshot as below, does that thing can make the session cookie missing when try to access backend API?

Another question, I have been read some refrence documents related with cookie, the default SameSite configuration is None in mod_auth_openidc module, based on RFC docs, those cookie will be send back automtically, or should I need to explicit manually send it back from SPA side?