Google SSO session will never expire - no ID and REFRESH token received

[andreamarinaro]

Hi all,
we are using cognito with openidc module but we are not able to execute the call to token endpoint of the Cognito (POST /oauth2/token) after the auth call(GET /oauth2/authorize).
Due to this we are not able to generate ID TOKEN and REFRESH TOKEN, even if the authentication part via Google SSO is correctly working.

This is our conf:

OIDCRedirectURI https://*********
OIDCClientID **********
OIDCClientSecret ****************
OIDCProviderMetadataURL https://cognito-idp.eu-west-1.amazonaws.com/eu-west-*_*******/.well-known/openid-configuration
OIDCCryptoPassphrase *****
OIDCSessionMaxDuration 120
OIDCCookiePath /
OIDCCacheType memcache
OIDCMemCacheServers memcached-cognito-******.*****.***.euw1.cache.amazonaws.com:11211

<Location />
 AuthType openid-connect
 Require valid-user
</Location>

---

We expect to be logged out after 5 mins but this is not happening, the session is always valid and it never expires.
We manage to log-in via Google SSO.
We've enabled debug logging on Apache, and still we cannot find the issue that is preventing us to receive ID and REFRESH tokens, please let us know if we need to include specific log entries, but I guess the problem is here:

 { "apache_log":"apache_error", "clientip":"xxx.xxx.xxx.xxx:0", "timestamp":"Thu Mar 04 14:45:30 2021", "level":"debug",     
 "pid":"2598", "file":"src/util.c(1108)", "message":"oidc_util_get_cookie: re
 turning "mod_auth_openidc_state_wmoYQxxxxxxxxxxxxx" =                
 "JWT_CORRECTLY_RECEIVED"" }

{ "apache_log":"apache_error", "clientip":"xxx.xxx.xxx.xxx:0", "timestamp":"Thu Mar 04 14:45:30 2021", "level":"debug",     
"pid":"2598", "file":"src/util.c(994)", "message":"oidc_util_set_cookie_appe
nd_value: no cookie append environment variable OIDC_SET_COOKIE_APPEND found" }

{ "apache_log":"apache_error", "clientip":"xxx.xxx.xxx.xxx:0", "timestamp":"Thu Mar 04 14:45:30 2021", "level":"debug",  
"pid":"2598", "file":"src/util.c(2483)", "message":"oidc_util_hdr_err_out_ad
d: Set-Cookie: mod_auth_openidc_state_wmoYQxxxxxxxxxxxxx=; Path=/; Expires=Thu, 01 Jan 1970 00:00:00   
GMT; Secure; HttpOnly; SameSite=None" }

{ "apache_log":"apache_error", "clientip":"xxx.xxx.xxx.xxx:0", "timestamp":"Thu Mar 04 14:45:30 2021", "level":"debug",  
"pid":"2598", "file":"src/util.c(681)", "message":"oidc_util_http_call: url=
https://maxeda.auth.eu-west-1.amazoncognito.com/oauth2/token, data=grant_type=authorization_code& 
code=xxxxxxxxxxxxxxxxxxxxf&redirect_uri=https%3A%2F%2Fsite_name-tst02.domain_name.org%2F
redirect_uri, content_type=application/x-www-form-urlencoded, basic_auth=****, bearer_token=(null), ssl_validate_server=1,  
timeout=60, outgoing_proxy=(null), pass_cookies=0, ssl_cert=(null), ssl_
key=(null)" }

Any help or idea would be really appreciated. Thanks!

[andreamarinaro]

Someone?