Cannot set remote user in v2.4.5+

[jlbooker]

Hi there,

I'm currently using mod_auth_openidc v2.4.4. I was looking to upgrade to v2.4.6 because we're running into the semaphore cleanup on graceful restarts bug that's fixed in the latest release.

However, upon upgrading to v2.4.6, I now get the following error when trying to login against MS Azure:
OpenID Connect Provider error: Remote user could not be set: contact the website administrator

The Apache configs didn't change at all during the upgrade, I just replaced the mod_auth_opendic.so module file. I downgraded to v2.4.4 and the remote user error went away.

I then tried upgrading to v2.4.5 and received the same error regarding setting the remote user, so it seems to be a change between 2.4.4 and 2.4.5.

In the Apache logs, I see:

[auth_openidc:error] [pid 11879] [client x] oidc_proto_resolve_userinfo: mandatory claim ("sub") was not returned from userinfo endpoint (https://openid.net/specs/openid-connect-core-1_0.html#UserInfoResponse), referer: https://fedauth.mycompany.com/
[auth_openidc:error] [pid 11879] [client x] oidc_retrieve_claims_from_userinfo_endpoint: resolving user info claims with the existing/provided access token failed, nothing will be stored in the session, referer: https://fedauth.mycompany.com/
[auth_openidc:warn] [pid 11879] [client x] oidc_get_remote_user: JSON object did not contain a "onPremisesSamAccountName" string, referer: https://fedauth.mycompany.com/
[auth_openidc:error] [pid 11879] [client x] oidc_set_request_user: OIDCRemoteUserClaimis set to "onPremisesSamAccountName", but could not set the remote user based on the requested claim "onPremisesSamAccountName" and the available claims for the user, referer: https://fedauth.mycompany.com/
[auth_openidc:error] [pid 11879] [client x] oidc_handle_authorization_response: remote user could not be set, referer: https://fedauth.mycompany.com/
[auth_openidc:error] [pid 11879] [client x]  oidc_restore_proto_state: no "mod_auth_openidc_state_9tTSRXjUM8sB6DGCNUUGZrYEfyc" state cookie found, referer: https://mycompany.com/secure/redirect_uri?code=[long token here]
[auth_openidc:error] [pid 11879] [client x] oidc_unsolicited_proto_state: could not parse JWT from state: invalid unsolicited response: [src/jose.c:809: oidc_jwt_parse]: cjose_jws_import failed: invalid argument [file: jws.c, function: cjose_jws_import, line: 787], referer: https://mycompany.com/secure/redirect_uri?code=[long token here]

Relevant Apache config is:

OIDCProviderJwksUri https://login.microsoftonline.com/<app id here>/discovery/v2.0/keys
OIDCProviderUserInfoEndpoint "https://graph.microsoft.com/v1.0/me?$select=mailNickname,onPremisesSamAccountName"
OIDCRemoteUserClaim onPremisesSamAccountName

[zandbelt]

there's a security improvement in 2.4.5 indeed, affecting the validation of the results returned from the userinfo endpoint, see: 4d94328 ; however, for Azure AD I don't think you should be setting individual URLs for the endpoints as you did but rather follow https://github.com/zmartzone/mod_auth_openidc/wiki/Azure-Active-Directory-Authentication and set OIDCProviderMetadataURL https://sts.windows.net/[TENANT_ID]/.well-known/openid-configuration

[jlbooker]

We do set a OIDCProviderMetadataURL too, but I believe we also needed to set the OIDCProviderUserInfoEndpoint because the mailNickname field isn't included in the default metadata.

[jlbooker]

Testing without the UserInfoEndpoint on v2.4.4 cleans up some of the errors, but still shows:

oidc_get_remote_user: JSON object did not contain a "mailNickname" string
oidc_set_request_user: OIDCRemoteUserClaimis set to "mailNickname", but could not set the remote user based on the requested claim "mailNickname" and the available claims for the user

[jlbooker]

I've also tried onPremisesSamAccountName for the OIDCRemoteUserClaim, with the same result.

[zandbelt]

you cannot use mailNickname as OIDCRemoteUserClaim but you'll need to pick a claim that is actually returned from the user info endpoint; calling another endpoint that returns no "sub" claim is just not part of OpenID Connect, not supported by the module and insecure because of known attacks

[jlbooker]

Removing the SetEnvIfExpr line took me back to the previous error:

Browser says: OpenID Connect Provider error: Remote user could not be set: contact the website administrator

Apache error log has:

oidc_proto_resolve_userinfo: mandatory claim ("sub") was not returned from userinfo endpoint (https://openid.net/specs/openid-connect-core-1_0.html#UserInfoResponse)
oidc_retrieve_claims_from_userinfo_endpoint: resolving user info claims with the existing/provided access token failed, nothing will be stored in the session
oidc_get_remote_user: JSON object did not contain a "mailNickname" string
oidc_handle_authorization_response: remote user could not be set

And yes, I'm testing this in a fresh incognito tab every time.

[zandbelt]

I need to see the server debug logs for the case where SetEnvIfExpr is set, more than just a few lines, before and after

[jlbooker]

Have a look at: [gist removed]

[zandbelt]

ok, thanks; the 2 latest commits 4b2044e should fix this

[jlbooker]

Thanks again! This latest build appears to be working well so far!