-
see the release notes https://github.com/OpenIDC/mod_auth_openidc/releases/tag/v2.4.0, environment variables are - by virtue of Apache's internals - prefixed with
-
Thanks Hans, I actually read that, but the link didn't work and I couldn't find the prefix in the current source tree, so assumed it was probably removed later on. So that means passing claims won't work with v2.4.x and a vanilla I'll try building a custom Do you see any chance to add an option to disable this prefix for claims, or change it to an
-
I assume that only applies to a specific Apache API/process step, as the same Apache passes the unprefixed variables from v2.3.11, but I understand it's more a Thanks for the clarification!
-
I can confirm using a customized I've found another option that can be applied if you have a fixed set of claims to pass: using
This scheme assumes using the default Regards,
-
I can confirm configuring I don't understand all details, but I think it's non-obvious from a user perspective, that the Thanks for your valuable help on this! Regards,
-
Hi everyone,
first of all thanks to Hans and all the contributors for the great open source work & support, very much appreciated!
Apologies if I missed some important configuration change -- a hint on what to look for would be appreciated in that case, thanks in advance.

With moving an OpenIDC enabled website from an old server running mod_auth_openidc version 2.3.8 to a new server running mod_auth_openidc version 2.4.9.4, the passing of claims to my CGI handler stopped working.

OpenIDC configuration:

The handler expeedo is mapped to a standard CGI executable, which is run by the Apache via suexec. OIDCClaimPrefix is accordingly chosen to be compatible with the suexec environment variable filtering, which allows all variables prefixed by HTTP_.

The auth works, and the handler still gets the authenticated user in REDIRECT_REMOTE_USER, only the claim variables are missing.

The new server is running AlmaLinux 9, the repository build of mod_auth_openidc only has version 2.4.9.4. After verifying the same setup still was working with 2.3.8, I built & tested release v2.3.11 manually on the new server: the claims get passed correctly as before with that version.

I've then done the test with a manual v2.4.0 build: claims gone. So the issue has been introduced in v2.4.0, and the remaining environment (new Apache version) has no effect on the issue.

On logging in, the Alma9 mod_auth_openidc version 2.4.9.4 writes these warnings to the error_log:

… and so on, for all claims. v2.3.11 doesn't log anything, but the already dysfunctional v2.4.0 also doesn't, so no idea if that gives any clue. Whitelisting claims reduced these warnings to just the whitelisted variables, but didn't help otherwise.
The debug log (attached) also shows the claims are received, they just don't get through to the CGI handler.
debug_log.txt
The issue is solved for now by running v2.3.11, but I'll gladly help in tracing this down, tell me if you need more data.
Regards,
Michael