When using mod_auth_openidc, something is breaking apache QUERY_STRING

[RetiredHorseTrainer]

Ubuntu 18.04
Apache 2.4.29 (Ubuntu)
mod_auth_oidc 2.3.3-1build1
IDP is WSO2IS 5.10

I’ve set up an apache proxy server for the purpose of accepting a proxy request on behalf of a subscription service. I’m using mod_auth_openidc as the auth module. The proxy server link (that points to our proxy server) contains the actual back-end URL to the subscription service:

Format: https://someproxyserver.com/login?url=
Example: https://someproxyserver.com/login?url=https://search.bosco.com/login.aspx?direct=true&db=abc&AN=31415926&site=ehost-linked

I use a RewriteCond and RewriteRule to extract the back-end URL so I can proxy it and query the subscription service. When I enable mod_auth_openidc, the apache QUERY_STRING gets modified somehow so my RewriteCond never matches. What happens is the back-end host name and part of the URL gets deleted from the apache QUERY_STRING variable. It either gets deleted or it never makes it into the variable.

If I do not configure any auth, everything works. If I configure apache basic auth, everything works. If I configure mod_auth_openidc, part of the QUERY_STRING is missing every time. Here is what the QUERY_STRING looks like when using no auth or basic auth enabled:

url=https://search.bosco.com/login.aspx?direct=true&db=abc&AN=31415926&site=ehost-linked

Here is what the query string looks like with mod_auth_openidc enabled:

login?direct=true&db=abc&AN=31415926&site=ehost-linked

Somehow the use of mod_auth_openidc is causing problems with the apache QUERY_STRING variable. This is over my head so I hope someone can point me in the right direction to get this solved. See my apache virtual host config below. Again, everything works great as long as I’m not using mod_auth_openidc.

`<VirtualHost *:80>

# SSL terminates at load balancer so use ServerName hack
ServerName https://someproxyserver.com
ServerAdmin [email protected]
DocumentRoot /var/www/html
RequestHeader append X-Forwarded-Port 443 early

OIDCProviderMetadataURL https://idp.wso2idp.com/oauth2/oidcdiscovery/.well-known/openid-configuration
OIDCClientID FfpABCQYSpVa4diqv4123456789a
OIDCClientSecret KiABCSerP5j987654321wdXvG64a
OIDCRedirectURI https://someproxyserver.com/oauth2/redirect_uri
OIDCCryptoPassphrase RockOnGoodPeopleAtGitHub
OIDCOutgoingProxy http://devproxyserver.com:80

ErrorLog ${APACHE_LOG_DIR}/error.log
CustomLog ${APACHE_LOG_DIR}/access.log combined

SSLProxyEngine On
# Make sure ProxyRequests are Off for security
ProxyRequests Off
ProxyRemote * http://devproxyserver.com:80

RewriteEngine On
# Extract back-end URL, everything after url=
RewriteCond %{QUERY_STRING} ^url=(https\://.{1,10}\.?bosco\.com/.*)$ [NC]
RewriteRule (.*) %1 [P,QSD]

<Location /oauth2>
	AuthType openid-connect
	Require valid-user
</Location>

<Proxy "*">
	AuthType openid-connect
	Require valid-user
</Proxy>

`

[zandbelt]

Firstly I would advise you to use a recent version of the module as there have been issues that may be related in the past, e.g. #420

[RetiredHorseTrainer]

Manually upgrading to latest version fixed the problem. The Ubuntu repository does not contain the latest version. I'll have to manually upgrade from now on. Thank you.