OIDC client for Forgerock provider

[manasirg]

Hello, I am trying to evaluate this library to use with forgerock openid provider. I was able to get the login to work but then instead of forwarding to proxy pass location, I get a 400 Bad Request error at the redirect url = https://my-site/auth. I can see the code, id_token, access_token, token_type = "Bearer" in the request for https://my-site/auth.
What configuration should I use for OIDCProviderTokenEndpointAuth?

The .wellknown has the following for auth methods

"token_endpoint_auth_methods_supported": [
    "client_secret_post",
    "private_key_jwt",
    "self_signed_tls_client_auth",
    "tls_client_auth",
    "none",
    "client_secret_basic"
  ],

Error Log:

web-server-1  |  [auth_openidc:error] [pid 10:tid ] [] oidc_util_json_string_print: oidc_util_check_json_error: response contained an "error" entry with value: ""invalid_client"", referer:https://my-site/auth
web-server-1  |  [auth_openidc:error] [pid 10:tid ] [] oidc_util_json_string_print: oidc_util_check_json_error: response contained an "error_description" entry with value: ""Invalid authentication method for accessing this endpoint."", referer: https://my-site/auth
web-server-1  |  [auth_openidc:error] [pid 10:tid ] [] oidc_proto_resolve_code_and_validate_response: failed to resolve the code, referer: https://my-site/auth
web-server-1  | [auth_openidc:debug] [pid 10:tid ] src/util.c(1117): [] oidc_util_html_send_error: setting OIDC_ERROR environment variable to: OpenID Connect Provider error: Error in handling response type., referer: https://my-site/auth
web-server-1  |  [auth_openidc:debug] [pid 10:tid ] src/util.c(1120): [] oidc_util_html_send_error: setting OIDC_ERROR_DESC environment variable to: (null), referer: https://my-site/auth

[manasirg]

I found out that the provider is set to "private_key_jwt". It looks like the module does not support this authentication method. Any chance this will be added in a future release?

[zandbelt]

https://github.com/OpenIDC/mod_auth_openidc/blob/v2.4.15.7/auth_openidc.conf#L102-L107

[manasirg]

I have tried that. I keep getting the following error in the logs

web-server-1  | Invalid value for directive 'OIDCProviderTokenEndpointAuth': invalid value 'private_key_jwt', must be one of ['client_secret_post'|'client_secret_basic'|'client_secret_jwt'|'none'|'bearer_access_token']

Is there a syntax error?

OIDCProviderTokenEndpointAuth private_key_jwt
OIDCPublicKeyFiles (["enc:"] /usr/local/apache2/conf/server.crt)
OIDCPrivateKeyFiles (["sig:"] /usr/local/apache2/conf/server.key) 

I am using version 2.4.15.7

[zandbelt]

use:

  OIDCPublicKeyFiles /usr/local/apache2/conf/server.crt
  OIDCPrivateKeyFiles /usr/local/apache2/conf/server.key
  OIDCProviderTokenEndpointAuth private_key_jwt

the order happens to be important too, which is something that is missing from the current docs; we'll fix that

[manasirg]

Thank you. That helped. Now getting a response={"error_description":"JWT is not valid","error":"invalid_client"},
Does this look right? I was able to validate the jwt.

oidc_http_call: url=https://sso-dev/access_token, data=grant_type=authorization_code&code=QJfZECWagsIqq....&redirect_uri=https%3A%2F%2Fmy-site%2Fauth&code_verifier=CLJX...&client_assertion_type=urn%3Aietf%3Aparams%3Aoauth%3Aclient-assertion-type%3Ajwt-bearer&client_assertion=abcde..., content_type=application/x-www-form-urlencoded, basic_auth=null, bearer_token=(null), ssl_validate_server=0, request_timeout=30, connect_timeout=10, retries=1, retry_interval=500, outgoing_proxy=(null):(null):-1, pass_cookies=0, ssl_cert=(null), ssl_key=(null), ssl_key_pwd=(null), referer: https://my-site/auth