Suggestions for modifying to support multiple resources

[jtAcacia]

Hi,

How would you suggest going about supporting multiple protected resource specific apps? Currently the module supports defining parameters ('aud' or 'resource') on a per path basis within conf file.

Current behavior with server cache:

1. User goes to protected resource /location1
2. Prompted with login and gets valid access token back
3. Session is created and added to user's browser
4. User now goes to protected resource /location2 which has a different 'aud' value
5. The user is allowed to go other resource even though their access token doesn't have that aud specified.

Desired behavior with server cache:

1. User goes to protected resource /location1
2. Prompted with login and gets valid access token back
3. Session created and added to user's browser
4. User now goes to protected resource /location2 which has a different 'aud' value
5. The user should be prompted to login
6. And if the user goes back to /location1 then it should still work

I have modified the oidc_session_encode function to save the user's aud value as the key and the session state as the value. I then encode that whole json object. I also updated the decode function to pull based on resource trying to access.

However, it's working for steps 1 - 5 BUT not working for 6. The session is getting cleared out for some reason when logging into a new protected resource. Could someone please advise where the session may be getting cleared or what's the correct way of supporting multiple resources? Thanks!

Example of what would be written to cache:
uuid={ { "resource1" : {<state_obj>} }, { "resource2" : {<state_obj>} } }

[zandbelt]

the scenario is covered as described here: https://github.com/zmartzone/mod_auth_openidc/wiki/Step-up-Authentication

[jtAcacia]

Thank you so much for the prompt response. I tested this but I am being prompted to login again if viewing multiple resources with same session id.

Login and opened resource1 (/location1)
Login and opened resource 2(/location2)
I went back to resource1 but was prompted again to login.

I would like to have the server cache support multiple access tokens for a specific session. Seems to me that the session (uuid) is linked with one access token and then flushed once logging into another resource. Is this correct? If so, how would you recommend supporting one uuid to multiple access tokens?

[zandbelt]

have a look at the server debug logs: they'll tell you what claim is not missing or not matching and why it prompts again

[jtAcacia]

I have tried numerous setup configurations but I am not able to successfully link 1 session with multiple resources. I have the below configuration. Is there something wrong with this?

I do get the step up authentication prompt to login for resource2 but then it gets in an infinite redirect loop back to login screen. 'client denied by server configuration' is showing in logs even though I have require all granted set.

Using 2.4.2rc1

`<Location /location1>
AuthType openid-connect
Require valid-user
LogLevel debug
OIDCUnAutzAction auth
OIDCPathAuthRequestParams resource=<RESOURCE1>&prompt=login

<Location /location2>
AuthType openid-connect
LogLevel debug
OIDCUnAutzAction auth
Require claim aud:<RESOURCE2>
OIDCPathAuthRequestParams resource=<RESOURCE2>&prompt=login

`

[zandbelt]

have a look at the server debug logs: they'll tell you what claim is not missing or not matching and why it prompts again

it means that the aud claim is not present or not set to the required value RESOURCE2; which makes sense because typically aud will be set to the client id