POSTing XHR adds many oidc_claim_* headers to request

[pmoisel]

We are using mod_auth_openidc 2.4.7 in a setup with keycloak and spring-boot services.

As we POST an XMLHttpRequest from browser to our backend mod_auth_openidc adds all claims from accesstoken as a http-header to the request we don't need and, in our case, leads to a failed request.
We get a request containing about 20 http-header with keys like "oidc_claim_iss", "oidc_claim_private_customer_id", "oid_claim_family_name" and so on.

Is there a way to disable this? The headers are not added for a GET request.

One thing is: We don't need this
Secondly: This leads to en error if we have a "ß" in any headervalue. Values are encoded in UTF-8 (c3 9f), read as iso-8859. SpringBoot raises exception as "9f" is undefined in iso-8859.

[zandbelt]

you can disable it with OIDCPassClaimsAs or filter the claims with OIDCWhiteListedClaims

[pmoisel]

'OIDCPassClaimsAs environment' seems to work. I still wonder why the claims are only added when POSTing. This is why I didn't try OIDCPassClaimsAs at first. The documentation does not make this clear to me

[zandbelt]

headers are passed on GET too (there wouldn't be much usage for the module if it wasn't...) ; so there's something in your setup that prevents this: either you have not protected the GET location, you've disabled it for that location or you're not observing correctly

[pmoisel]

Hm, I could not see the oidc_claim_*-headers in GET Reqeusts. The token-header is available and thus the application works fine for our setup.
The difference was only when we POST. In this case additionally the oidc_claim_*-headers present.
Anyway, OIDCPassClaimsAs environment works. We do not receive the oidc_claim_*-headers when POSTing, so everything seems fine now.
Thanks for your help!