Server responds with 200 on OIDC error redirect

[jpommerening]

I have everything set up so it almost works to my liking :)

There's just one thing. When the OIDC server encounters an error and reports it back using a redirect (with the ?error= query parameter), Apache, instead of displaying that error and responding with a 400/401/403, responds with 200 and a complaint about OIDCDefaultURL.

GET /oauth_redir?error=access_denied&state=<some-state>&iss=<my-url-encoded-issuer-uri>

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd">
<html>
  <head>
    <meta http-equiv="Content-Type" content="text/html; charset=utf-8">
    <title>Error</title>
    
  </head>
  <body>
<p>Error: <pre>Invalid Request</pre></p><p>Description: <pre>SSO to this module without specifying a &quot;target_link_uri&quot; parameter is not possible because OIDCDefaultURL is not set.</pre></p>
  </body>
</html>

By accident I discovered that, when simulating the same flow without the &iss= parameter, the result, while still coming with status code 200, looks closer to what I'd expect:

GET /oauth_redir?error=access_denied&state=<some-state>

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd">
<html>
  <head>
    <meta http-equiv="Content-Type" content="text/html; charset=utf-8">
    <title>Error</title>
    
  </head>
  <body>
<p>Error: <pre>OpenID Connect Provider error: access_denied</pre></p>
  </body>
</html>

Strangely, the Apache log claims this is a 500 error, but I'm very certain that this is not what is actually sent to the client.
Maybe the status code is adjusted internally, after the HTTP status line has already been sent?

172.18.0.4 - - [23/May/2024:12:56:55 +0000] "GET /oauth_redir?error=access_denied&state=<some-state>&iss=<my-url-encoded-issuer-uri> HTTP/1.1" 500 978 "hurl/2.0.1"

I have built a very short test script with hurl to replicate this:

# Get a protected path
GET {{APACHE_URI}}/test.txt

# Expect a 302 redirect to the OIDC host
HTTP/1.1 302
[Asserts]
header "Location" startsWith "{{OIDC_ISSUER_URI}}/auth"
[Captures]
state: header "Location" split "?" nth 1 regex "state=([^&]+)"
iss: variable "OIDC_ISSUER_URI" urlEncode

# Instead of following the redirect, simulate the error callback directly)
GET {{APACHE_URI}}/oauth_redir?error=access_denied&state={{state}}&iss={{iss}}

# I was expecting some other code than 200, but that's what I get …
HTTP/1.1 200
[Captures]
body: body

If you want to use curl, maybe this should work as well:

APACHE_URI="http://localhost:8080"
OIDC_ISSUER_URI="http://localhost:8081"

curl -i "$APACHE_URI/test.txt" | grep "^Location:"

# extract "&state=" from Location header as $STATE
# url encode $OIDC_ISSUER_URI as $ISS

curl -i "$APACHE_URI/oauth_redir?error=access_denied&state=$STATE&iss=$ISS"

Okay, sorry if this is confusing to read. Basically, I'm just surprised about two things:

• Shouldn't I always get the <p>Error: <pre>OpenID Connect Provider error: access_denied</pre></p> message?
• Shouldn't that be a different status code than 200?

[zandbelt]

it seems you're not using the latest version?

[jpommerening]

That might be possible! Probable even!

How can I check the version? This is running on Debian bookworm btw.

never mind, found it, I think:

ii  libapache2-mod-auth-openidc   2.4.12.3-2                     arm64        OpenID Connect Relying Party implementation for Apache

That's 3 patch versions behind the latest release, right?

[jpommerening]

Sorry, sorry, I feel like I'm falsely prioritizing speedy replies over looking for information myself.

There's a lot of versions in between. Your quick reply sounds like there was a fix in the meantime that matches the behavior that I describe.

I think I've got some release notes to catch up on. v2.4.14 in particular sounds a lot like it would address what I've described before!

You've helped me a lot (& sorry for not checking the release notes earlier!)