Question about default for OIDCUnAutzAction

[candlerb]

The sample auth_openidc.conf says:

# When not defined the default "401" is used.
#OIDCUnAutzAction [401|403|302|auth] [<argument>]

But the source code has:

#define OIDC_DEFAULT_UNAUTZ_ACTION OIDC_UNAUTZ_RETURN403

When testing with mod_auth_openidc 2.4.1 and Apache 2.4.41: I find that if a user authenticates but is not authorized, I get a 401 response. I have not set AuthzSendForbiddenOnFailure or OIDCUnAutzAction

Therefore, the documentation appears to be correct. However I don't understand why this is the case if OIDC_DEFAULT_UNAUTZ_ACTION is OIDC_UNAUTZ_RETURN403? Is there something else which changes the default to RETURN401?

[zandbelt]

that's because of how Apache 2.4 works, it actually needs an extra AuthzSendForbiddenOnFailure statement to make that work (as opposed to 2.2), see:
https://github.com/zmartzone/mod_auth_openidc/blob/v2.4.11/src/mod_auth_openidc.c#L4023
so the documentation still needs to be adapted to reflect that for 2.4

[candlerb]

Thank you, I get it now. When used with Apache 2.4 the same code in mod_auth_openidc is run whether you select OIDCUnAutzAction 401 or OIDCUnAutzAction 403. Apache itself decides whether to return 401 or 403.

Regards,

Brian.

[candlerb]

Can I propose the following:

# When not defined the default "403" is used.  However Apache 2.4 will change this to 401
# unless you set "AuthzSendForbiddenOnFailure on"
#OIDCUnAutzAction [401|403|302|auth] [<argument>]

[zandbelt]

thanks, see 88896ed