dynamic redirect url and claim within dynamic location directive

[jwijffels]

I'm using Keycloak together with mod_auth_openidc and would like to secure some dashboards by having a different claim for

https://dashboard.example.com/apps/project/abc
https://dashboard.example.com/apps/project/xyz

In my virtual host I have a locationmatch directive which looks as follows.

<VirtualHost *:443>
  ServerName dashboard.example.com 
  ServerAlias www.dashboard.example.com
 ....
  OIDCProviderMetadataURL https://keycloak.example.com/auth/realms/whichever/.well-known/openid-configuration
  OIDCCryptoPassphrase some-random-secret
  OIDCClientID dashboard-client
  <LocationMatch "^/apps/(?<project>.*)/">
    AuthType openid-connect
    Require claim "projectid:%{env:MATCH_PROJECT}"    
    OIDCRedirectURI "https://dashboard.example.com/apps/%{env:MATCH_PROJECT}/index.html"
    LogLevel debug
  </LocationMatch>
 ....
</VirtualHost>

When performing the configtest I get OIDCRedirectURI not allowed in <LocationMatch> context

• How do you make the redirect url dynamic based on location?
• What is a solution to this to have a dynamic redirect url and to have different claims within each location?

[zandbelt]

OIDCRedirectURI can only be specified at the server/vhost level and there's no need to do otherwise; you can achieve what you want only by using Require claim <> directives in the appropriate location.

[jwijffels]

Thanks for the quick answer.
I saw indeed that you can set dynamic claims by setting eg. as shown in the example Require claim "projectid:%{env:MATCH_PROJECT}" as indicated at #469
But how do you redirect to that dynamic location:

https://dashboard.example.com/apps/project/**xyz**
https://dashboard.example.com/apps/project/**abc**

Instead of having to set a fixed location like OIDCRedirectURI https://dashboard.example.com/apps/project

[zandbelt]

the (fixed) redirect URI is only used in the OIDC flow, after authentication the user will be redirected to the location that the user initially tried to access

[jwijffels]

That's strange. That is not what I see appearing.
If I set

OIDCRedirectURI https://dashboard.example.com/apps/redirect_uri

and visit https://dashboard.example.com/apps/abc/example

It redirects me to the keycloak login.

https://keycloak.example.com/auth/realms/whichever/protocol/openid-connect/auth?response_type=code&scope=openid&client_id=dashboard-client&state=QCw1iNToZ7APR7WcvbUWjgmHwdg&redirect_uri=https%3A%2F%2Fdashboard.example.com%2Fapps%2Fredirect_uri&nonce=D9hhz2OXyPOQ6Y_6Kx3viDYJ7usEU_nuho_vECYpuEU

After being redirected to keycloak and providing the login, it redirects to

https://dashboard.example.com/apps/redirect_uri?state=YzD_W199f4hwPHpO3NocKyeYaDA&session_state=a36499f6-a66d-4f62-b725-db8b40e42510&code=c19e51f0-6eb2-41fc-8f4c-1dbe5231fae0.a36499f6-a66d-4f62-b725-db8b40e42510.936c730d-2d2a-4f69-b1c0-1b775f15073d

Instead of redirecting to
https://dashboard.example.com/apps/**abc/example**/redirect_uri?state=YzD_W199f4hwPHpO3NocKyeYaDA&session_state=a36499f6-a66d-4f62-b725-db8b40e42510&code=c19e51f0-6eb2-41fc-8f4c-1dbe5231fae0.a36499f6-a66d-4f62-b725-db8b40e42510.936c730d-2d2a-4f69-b1c0-1b775f15073d

[zandbelt]

That can be done independent of a (fixed) redirect uri

[jwijffels]

That's a relieve this is possible. Could you also pinpoint me in which direction I need to look in order to find a solution?

[zandbelt]

it seems you misunderstand what the redirect URI does: just use a fixed one and things will work as expected, via /apps/redirect_uri but that is not a security issue as it is a handler location only, not a protected location

[petsu1]

I have experience with dynamic urls.

   <Location /rp/>
       authtype openid-connect
       require valid-user
   </Location>

   <Location /rootofdynamicurl/>
       OIDCUnAuthAction pass
       authtype openid-connect
       require valid-user
       ProxyPreserveHost On
       RequestHeader set X-Forwarded-Proto "https"
       RequestHeader set X-Forwarded-Port "443"
       ProxyPass https://{{ backend_server}}:{{ backend_port }}/rootofdynamicurl/
       ProxyPassReverse https://{{ backend_server}}:{{ backend_port }}/rootofdynamicurl/
   </Location>

A Login link you can use static redirect_uri under /rp/ path and to get redirection after authentication to under /rootofdynamicurl following link.
https://public-servername/rp/redirect_uri?iss=https%3A%2F%your-oidc-op-provider.com&target_link_uri=https://public-servername/rootofdynamicurl/customer1/&auth_request_params=ui_locales%3Den%26acr_values%3Dloa1

[jwijffels]

it seems you misunderstand what the redirect URI does: just use a fixed one and things will work as expected, via /apps/redirect_uri but that is not a security issue as it is a handler location only, not a protected location

Yes I now see your point. I've made sure now that the OIDCRedirectURI is now a protected location. I've set it to OIDCRedirectURI https://dashboard.example.com/apps/default/redirect_uri
Thanks for the remarks and your time taken to answer this. This now works as intended and completely solves my needs :) 👍