OIDC default config

I’m trying to deploy ondemand with OIDC/DEX/LDAP on RockyLinux 9. Using the ood-ansible role.

Apache fails to start up:

Nov 05 16:03:40 ff28d9-login-00.in.nvs.bmrc.ox.ac.uk httpd[11371]: AH00526: Syntax error on line 7 of /etc/httpd/conf.d/auth_openidc.conf:
Nov 05 16:03:40 ff28d9-login-00.in.nvs.bmrc.ox.ac.uk httpd[11371]: OIDCClientID takes one argument, Client identifier used in calls to OpenID Connect OP.

and yes, that file contains empty strings for the client id etc.

But the actual autogenerated DEX config is in /etc/httpd/conf.d/ood-portal.conf. And it appears that the above file is created by the dnf install of the apache OIDC module:

# dnf whatprovides /etc/httpd/conf.d/auth_openidc.conf
mod_auth_openidc-2.4.10-1.el9.x86_64 : OpenID Connect auth module for Apache HTTP Server
Repo        : @System
Matched from:
Filename    : /etc/httpd/conf.d/auth_openidc.conf

Am I doing something wrong here?

edit: tried deleting it; it appears to come back when restarting apache?

I would check line 7 of this file. Everything in it should be commented out - but I guess it’s not? I don’t know about it coming back when you bounce apache - that’s very odd.

Ah, it's not apache making it come back, it is actually templated out by the OSC role at ood-ansible/tasks/configure.yml at v3.1.5 (OSC/ood-ansible on GitHub).

It looks like this (redacted):

# cat /etc/httpd/conf.d/auth_openidc.conf
OIDCRedirectURI https://<redacted>/oidc
OIDCSessionInactivityTimeout 28800
OIDCSessionMaxDuration 28800
OIDCRemoteUserClaim preferred_username
OIDCPassClaimsAs environment
OIDCStripCookies 'mod_auth_openidc_session mod_auth_openidc_session_chunks mod_auth_openidc_session_0 mod_auth_openidc_session_1'
OIDCClientID ''
OIDCClientSecret ''
OIDCProviderMetadataURL /.well-known/openid-configuration
OIDCCryptoPassphrase ''
OIDCPassIDTokenAs serialized
OIDCScope 'openid profile preferred_username'
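The file above fails `httpd` at the first empty-valued directive, and it is also exactly the kind of file you do not want to ship: an empty OIDCClientSecret and an empty OIDCCryptoPassphrase are misconfigurations, and OIDCProviderMetadataURL needs an absolute URL, not a bare path. The following pre-flight check is an added example, not code from this thread or from the ood-ansible role. It reports every OIDC* directive whose value is missing or an empty string, plus a metadata URL that is not `https://`, and it exits non-zero so it can gate a restart. The sample config it checks is constructed here to mirror the redacted file above; the hostnames in it are assumptions.

```shell
#!/bin/sh
# Added example, not code from the thread or from the ood-ansible role.
# Pre-flight check for a mod_auth_openidc config before restarting httpd:
# reports OIDC* directives whose value is missing or an empty string
# ('' or "") and an OIDCProviderMetadataURL that is not an absolute
# https:// URL. A fully commented-out file (the package default) passes.
# Usage:
#   oidc_conf_ok /etc/httpd/conf.d/auth_openidc.conf && systemctl restart httpd

# Print one line per problem found in the file given as $1.
check_oidc_conf() {
    conf="$1"
    # Drop comments and blank lines, then look at "<directive> <value>" pairs.
    grep -Ev '^[[:space:]]*(#|$)' "$conf" | while read -r directive value rest; do
        case "$directive" in
            OIDC*) ;;
            *) continue ;;
        esac
        # Empty value: nothing after the directive, or a literal '' or "".
        case "$value" in
            ""|"''"|'""') echo "$directive: empty value" ;;
        esac
        # The metadata URL must be absolute; "/.well-known/..." alone is not.
        if [ "$directive" = "OIDCProviderMetadataURL" ]; then
            case "$value" in
                https://*) ;;
                *) echo "$directive: not an absolute https:// URL ($value)" ;;
            esac
        fi
    done
}

# Return 0 when check_oidc_conf reports nothing, 1 otherwise.
oidc_conf_ok() {
    [ -z "$(check_oidc_conf "$1")" ]
}

# Constructed sample mirroring the redacted file from the thread
# (hostname is an assumption).
SAMPLE_CONF=$(mktemp)
cat > "$SAMPLE_CONF" <<'EOF'
# comment lines are ignored by the check
OIDCRedirectURI https://ood.example.org/oidc
OIDCRemoteUserClaim preferred_username
OIDCClientID ''
OIDCClientSecret ''
OIDCProviderMetadataURL /.well-known/openid-configuration
OIDCCryptoPassphrase ''
OIDCScope 'openid profile preferred_username'
EOF

check_oidc_conf "$SAMPLE_CONF"
oidc_conf_ok "$SAMPLE_CONF" || echo "auth_openidc.conf has problems; not restarting httpd"
```

On the sample this prints four problem lines (OIDCClientID, OIDCClientSecret and OIDCCryptoPassphrase empty, OIDCProviderMetadataURL not absolute) and refuses the restart; run it against the real file before `systemctl restart httpd` rather than discovering the AH00526 error in the journal.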

Ahh I think I know what’s going on .. I’ll reply in a few minutes when I’ve tested things …

:man_facepalming: yes I forgot about that part of the ansible role. It must not like the empty id and secret.

No, I think the problem is that the stuff I've got wrapping that role is setting ood_auth_openidc (to try to provide some sensible OIDC defaults). But actually for DEX we shouldn't set that, because the DEX config is autogenerated in ood-portal.conf and that variable doesn't have a full OIDC conf. So I just need to untangle my logic here…