Claims no longer passed to an Apache suexec CGI handler since version 2.4.0

[dexterbg]

Hi everyone,

first of all thanks to Hans and all the contributors for the great open source work & support, very much appreciated!

Apologizes if I missed some important configuration change -- a hint on what to look for would be appreciated in that case, thanks in advance.

With moving an OpenIDC enabled website from an old server running mod_auth_openidc version 2.3.8 to a new server running mod_auth_openidc version 2.4.9.4, the passing of claims to my CGI handler stopped working.

OpenIDC configuration:

<IfModule auth_openidc_module>
  OIDCProviderMetadataURL https://accounts.google.com/.well-known/openid-configuration
  OIDCClientID …
  OIDCClientSecret …
  OIDCScope "openid email profile"
  OIDCClaimPrefix HTTP_OIDC_CLAIM_
  OIDCRedirectURI https://<mysite>/oid/redirect
  OIDCCryptoPassphrase …
  <Location /oid/>
    AuthType openid-connect
    Require valid-user
  </Location>
  <Location /oid/login>
    SetHandler expeedo
  </Location>
</IfModule>

The handler expeedo is mapped to a standard CGI executable, which is run by the Apache via suexec. OIDCClaimPrefix is accordingly chosen to be compatible with the suexec environment variable filtering, which allows all variables prefixed by HTTP_.

The auth works, and the handler still gets the authenticated user in REDIRECT_REMOTE_USER, only the claim variables are missing.

The new server is running AlmaLinux 9, the repository build of mod_auth_openidc only has version 2.4.9.4. After verifying the same setup still was working with 2.3.8, I built & tested release v2.3.11 manually on the new server: the claims get passed correctly as before with that version.

I've then done the test with a manual v2.4.0 build: claims gone. So the issue has been introduced in v2.4.0, and the remaining environment (new Apache version) has no effect on the issue.

On logging in, the Alma9 mod_auth_openidc version 2.4.9.4 writes these warnings to the error_log:

[Mon May 13 19:07:18.594543 2024] [auth_openidc:warn] [pid 139943:tid 173591] [remote 87.151.208.181:50514] oidc_scrub_request_headers: scrubbed suspicious request header (OIDC_access_token: ya29.a0AXooCguHP8h-poJoz_CYf75Yz)
[Mon May 13 19:07:18.594558 2024] [auth_openidc:warn] [pid 139943:tid 173591] [remote 87.151.208.181:50514] oidc_scrub_request_headers: scrubbed suspicious request header (OIDC_access_token_expires: 1715623367)
[Mon May 13 19:07:18.594564 2024] [auth_openidc:warn] [pid 139943:tid 173591] [remote 87.151.208.181:50514] oidc_scrub_request_headers: scrubbed suspicious request header (HTTP_OIDC_CLAIM_sub: 108122505734978832913)
[Mon May 13 19:07:18.594567 2024] [auth_openidc:warn] [pid 139943:tid 173591] [remote 87.151.208.181:50514] oidc_scrub_request_headers: scrubbed suspicious request header (HTTP_OIDC_CLAIM_name: Michael Balzer)
[Mon May 13 19:07:18.594570 2024] [auth_openidc:warn] [pid 139943:tid 173591] [remote 87.151.208.181:50514] oidc_scrub_request_headers: scrubbed suspicious request header (HTTP_OIDC_CLAIM_given_name: Michael)
…

… and so on, for all claims. v2.3.11 doesn't log anything, but the already disfunctional v2.4.0 also doesn't, so no idea if that gives any clue. Whitelisting claims reduced these warnings to just the whitelisted variables, but didn't help otherwise.

The debug log (attached) also shows the claims are received, they just don't get through to the CGI handler.

debug_log.txt

The issue is solved for now by running v2.3.11, but I'll gladly help in tracing this down, tell me if you need more data.

Regards,
Michael

[zandbelt]

see the release notes https://github.com/OpenIDC/mod_auth_openidc/releases/tag/v2.4.0, environment variables are - by virtue of Apache's internals - prefixed with REDIRECT_ (like REMOTE_USER already was)

[dexterbg]

Thanks Hans, I actually read that, but the link didn't work and I couldn't find the prefix in the current source tree, so assumed it was probably removed later on.

So that means passing claims won't work with v2.4.x and a vanilla suexec, as REDIRECT_ isn't an allowed prefix by default (only HTTP_ and SSL_). I've verified this is still the case by dumping all environment variables, only the explicitly allowed REDIRECT_ variables get passed.

I'll try building a custom suexec next, but I'd rather not have to…

Do you see any chance to add an option to disable this prefix for claims, or change it to an suexec compatible one?

[zandbelt]

it is Apache adding the prefix, for all CGI environment variables

[dexterbg]

I assume that only applies to a specific Apache API/process step, as the same Apache passes the unprefixed variables from v2.3.11, but I understand it's more a suexec issue then.

Thanks for the clarification!

[dexterbg]

I can confirm using a customized suexec that whitelists e.g. the REDIRECT_OIDC_ prefix solves the issue (of course in combination with changing the CGI handler to use that prefix).

I've found another option that can be applied if you have a fixed set of claims to pass: using mod_headers, you can recreate the request headers from the environment variables like this:

  <Location /oid/>
    AuthType openid-connect
    Require valid-user
    RequestHeader set OIDC-Claim-email "%{OIDC_CLAIM_email}e"
    RequestHeader set OIDC-Claim-email-verified "%{OIDC_CLAIM_email_verified}e"
    RequestHeader set OIDC-Claim-name "%{OIDC_CLAIM_name}e"
    …
  </Location>

This scheme assumes using the default OIDCClaimPrefix of OIDC_CLAIM_. The newly set request headers will be passed to the CGI handler as usual with the HTTP_ name prefix added, so this solution doesn't need a custom suexec.

Regards,
Michael

[zandbelt]

I'm still not sure if I completely understand your setup but it seems that simply configuring OIDCClaimPrefix OIDC-Claim- would also do the trick in the default setup, without requiring any explicit RequestHeader directives

[dexterbg]

I can confirm configuring OIDCClaimPrefix OIDC-Claim- indeed also does the trick. With that config, nothing else needs to be changed, and suexec passes the headers as env variables HTTP_OIDC_CLAIM_….

I don't understand all details, but I think it's non-obvious from a user perspective, that the OIDCClaimPrefix value doesn't automatically get transformed to the header naming scheme, so needs to be changed from the default OIDC_CLAIM_ when passing claims as headers. I suggest adding a note on this to the config section on OIDCClaimPrefix and/or OIDCPassClaimsAs.

Thanks for your valuable help on this!

Regards,
Michael

[zandbelt]

I think your point about "doesn't automatically get transformed to the header naming scheme" refers to the acceptable variable names for CGI which is specific for that environment. Other target application environment may have other restrictions/requirements on names which are to be documented as part of those environments.

FWIW: if your claim names contain underscores, you may still have to revert to your RequestHeader approach for those claims only.

[dexterbg]

You're right, I was too quick on this: changing the prefix to OIDC-Claim- only passes claims without _ in their name. Claims like family_name still get lost.