Thanks for digging in. Do you happen to have the next 15 or so lines after the bottom of the log/trace?
Here’s mine:
[Fri Jun 07 10:53:43.346465 2024] [auth_openidc:debug] [pid 199702:tid 199792] src/util.c(2539): [client X:38748] oidc_util_hdr_in_get: Host=Y
[Fri Jun 07 10:53:43.346474 2024] [auth_openidc:debug] [pid 199702:tid 199792] src/util.c(2539): [client X:38748] oidc_util_hdr_in_get: Host=Y
[Fri Jun 07 10:53:43.346483 2024] [auth_openidc:debug] [pid 199702:tid 199792] src/util.c(663): [client X:38748] oidc_get_redirect_uri: determined absolute redirect uri: https://Y/oidc <---- end of log example above
[Fri Jun 07 10:53:43.346494 2024] [auth_openidc:debug] [pid 199702:tid 199792] src/util.c(1406): [client X:38748] oidc_util_request_matches_url: comparing "/pun/sys/dashboard"=="/oidc"
[Fri Jun 07 10:53:43.346509 2024] [auth_openidc:debug] [pid 199702:tid 199792] src/util.c(2539): [client X:38748] oidc_util_hdr_in_get: Accept=text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
[Fri Jun 07 10:53:43.346520 2024] [auth_openidc:debug] [pid 199702:tid 199792] src/util.c(2539): [client X:38748] oidc_util_hdr_in_get: Host=Y
[Fri Jun 07 10:53:43.346529 2024] [auth_openidc:debug] [pid 199702:tid 199792] src/util.c(2539): [client X:38748] oidc_util_hdr_in_get: Host=Y
[Fri Jun 07 10:53:43.346538 2024] [auth_openidc:debug] [pid 199702:tid 199792] src/util.c(644): [client X:38748] oidc_get_current_url: current URL 'https://Y/pun/sys/dashboard'
[Fri Jun 07 10:53:43.346547 2024] [auth_openidc:debug] [pid 199702:tid 199792] src/mod_auth_openidc.c(2279): [client X:38748] oidc_authenticate_user: enter
[Fri Jun 07 10:53:43.346570 2024] [auth_openidc:debug] [pid 199702:tid 199792] src/mod_auth_openidc.c(2290): [client X:38748] oidc_authenticate_user: defer discovery to the content handler
[Fri Jun 07 10:53:43.346584 2024] [authz_core:debug] [pid 199702:tid 199792] mod_authz_core.c(815): [client X:38748] AH01626: authorization result of Require valid-user : granted <---- wait, what?! we're not done with OIDC yet!
[Fri Jun 07 10:53:43.346594 2024] [authz_core:debug] [pid 199702:tid 199792] mod_authz_core.c(815): [client X:38748] AH01626: authorization result of <RequireAny>: granted
[Fri Jun 07 10:53:43.346626 2024] [lua:trace2] [pid 199702:tid 199792] mod_lua.c(207): [client X:38748] AH02313: request hook details: scope: once, file: /opt/ood/mod_ood_proxy/lib/pun_proxy.lua, func: pun_proxy_handler
[Fri Jun 07 10:53:43.347549 2024] [lua:debug] [pid 199702:tid 199792] lua_request.c(1902): [client X:38748] AH01488: request_rec->dispatching user -> string
[Fri Jun 07 10:53:43.347586 2024] [lua:debug] [pid 199702:tid 199792] lua_request.c(1902): [client X:38748] AH01488: request_rec->dispatching user -> string
[Fri Jun 07 10:53:43.347599 2024] [lua:trace4] [pid 199702:tid 199792] mod_lua.c(730): [client X:38748] Lua hook pun_proxy.lua:pun_proxy_handler for phase fixups returned -1 <---- I patched the pun_proxy.lua to return apache2.DECLINED if no user is set.
Here’s the ood_portal.yml with comments removed:
$ cat /etc/ood/config/ood_portal.yml | grep -vP '\s*#' | grep -v '^$'
---
oidc_uri: '/oidc'
auth:
- 'AuthType openid-connect'
- 'Require valid-user'
- 'OIDCDiscoverURL /oidc-discovery/globus'
logout_redirect: '/oidc?logout=/public/logged_out.html'
map_fail_uri: '/public/map_error.html'
ssl:
- SSLCertificateFile /Z/host.pem
- SSLCertificateChainFile /Z/chain.pem
- SSLCertificateKeyFile /Z/host.privkey
- SSLCipherSuite 'ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES128-GCM-SHA256'
node_uri: '/node'
rnode_uri: '/rnode'
host_regex: '[\w.-]+\.BB\.CC'
public_root: /etc/ood/public
user_map_cmd: '/AA'
user_env: 'OIDC_access_token'
And for completeness, the rendered ood-portal.conf and oidc config:
$ sudo cat /etc/httpd/conf.d/ood-portal.conf | grep -Pv '^\s*#' | grep -v '^$'
<VirtualHost *:80>
RewriteEngine On
RewriteRule ^(.*) https://Y:443$1 [R=301,NE,L]
</VirtualHost>
<VirtualHost *:443>
ErrorLog "logs/Y_error_ssl.log"
CustomLog "logs/Y_access_ssl.log" combined
RewriteEngine On
RewriteCond /etc/ood/public/maintenance/index.html -f
RewriteCond /etc/ood/maintenance.enable -f
RewriteCond %{REQUEST_URI} !/public/maintenance/.*$
RewriteRule ^.*$ /public/maintenance/index.html [R=302,L]
Header always set Content-Security-Policy "frame-ancestors https://Y;"
Header always set Strict-Transport-Security "max-age=63072000; includeSubDomains; preload"
SSLEngine On
SSLCertificateFile /Z/host.pem
SSLCertificateChainFile /Z/chain.pem
SSLCertificateKeyFile /Z/host.privkey
SSLCipherSuite 'ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES128-GCM-SHA256'
LuaRoot "/opt/ood/mod_ood_proxy/lib"
LogLevel trace5 <---- modified for troubleshooting
LuaHookLog logger.lua logger
SetEnv OOD_USER_MAP_CMD "/AA"
SetEnv OOD_USER_ENV "OIDC_access_token"
SetEnv OOD_MAP_FAIL_URI "/public/map_error.html"
SetEnv OOD_PUN_STAGE_CMD "sudo /opt/ood/nginx_stage/sbin/nginx_stage"
Alias "/public" "/etc/ood/public"
<Directory "/etc/ood/public">
Options FollowSymLinks
AllowOverride None
Require all granted
</Directory>
<LocationMatch "^/node/(?<host>[\w.-]+\.BB\.CC)/(?<port>\d+)">
AuthType openid-connect
Require valid-user
OIDCDiscoverURL /oidc-discovery/globus
Header edit Location "^[^/]+//[^/]+" ""
Header edit* Set-Cookie ";\s*(?i)Domain[^;]*" ""
Header edit* Set-Cookie ";\s*(?i)Path[^;]*" ""
Header edit Set-Cookie "^([^;]+)" "$1; Path=/node/%{MATCH_HOST}e/%{MATCH_PORT}e"
LuaHookFixups node_proxy.lua node_proxy_handler
</LocationMatch>
<LocationMatch "^/rnode/(?<host>[\w.-]+\.sdsc\.edu)/(?<port>\d+)(?<uri>/.*|)">
AuthType openid-connect
Require valid-user
OIDCDiscoverURL /oidc-discovery/globus
Header edit Location "^([^/]+//[^/]+)|(?=/)|^([\./]{1,}(?<!/))" "/rnode/%{MATCH_HOST}e/%{MATCH_PORT}e"
Header edit* Set-Cookie ";\s*(?i)Domain[^;]*" ""
Header edit* Set-Cookie ";\s*(?i)Path[^;]*" ""
Header edit Set-Cookie "^([^;]+)" "$1; Path=/rnode/%{MATCH_HOST}e/%{MATCH_PORT}e"
LuaHookFixups node_proxy.lua node_proxy_handler
</LocationMatch>
SetEnv OOD_PUN_URI "/pun"
<Location "/pun">
AuthType openid-connect
Require valid-user
OIDCDiscoverURL /oidc-discovery/globus
ProxyPassReverse "http://localhost/pun"
Header edit* Set-Cookie ";\s*(?i)Domain[^;]*" ""
Header edit* Set-Cookie ";\s*(?i)Path\s*=(?-i)(?!\s*/pun)[^;]*" "; Path=/pun"
SetEnv OOD_PUN_SOCKET_ROOT "/var/run/ondemand-nginx"
SetEnv OOD_PUN_MAX_RETRIES "5"
LuaHookFixups pun_proxy.lua pun_proxy_handler
</Location>
SetEnv OOD_NGINX_URI "/nginx"
<Location "/nginx">
AuthType openid-connect
Require valid-user
OIDCDiscoverURL /oidc-discovery/globus
LuaHookFixups nginx.lua nginx_handler
</Location>
RedirectMatch ^/$ "/pun/sys/dashboard"
Redirect "/logout" "/oidc?logout=/public/logged_out.html"
<Location "/oidc">
AuthType openid-connect
Require valid-user
OIDCDiscoverURL /oidc-discovery/globus
</Location>
<Location "/oidc-discovery/globus">
RewriteEngine On
RewriteCond "%{QUERY_STRING}" "(.*)"
RewriteRule "." /oidc?%1&iss=https\%3a\%2f\%2fauth.globus.org [R=302,L,NE]
</Location>
<Directory "/etc/ood/public/maintenance">
RewriteCond /etc/ood/maintenance.enable !-f
ReWriteRule ^.*$ /
RewriteCond %{REQUEST_URI} !/public/maintenance/.*$
RewriteRule ^.*$ /public/maintenance/index.html [R=503,L]
ErrorDocument 503 /public/maintenance/index.html
</Directory>
</VirtualHost>
$ sudo cat /etc/httpd/conf.d/auth_openidc.conf | grep -vP '\s*#' | grep -v '^$'
OIDCRedirectURI /oidc
OIDCCryptoPassphrase "exec:/usr/bin/openssl rand -hex 32"
OIDCMetaDataDir /Z/oidc
OIDCPassClaimsAs environment
OIDCSessionMaxDuration 28800
OIDCSessionInactivityTimeout 28800
OIDCSessionType server-cache
OIDCCacheType shm
OIDCStripCookies mod_auth_openidc_session mod_auth_openidc_session_chunks mod_auth_openidc_session_0 mod_auth_openidc_session_1
OIDCCookieHTTPOnly On
OIDCCookieSameSite On
I’m guessing my next stop is to dig into mod_auth_openidc to see how this happened:
[Fri Jun 07 10:53:43.346547 2024] [auth_openidc:debug] [pid 199702:tid 199792] src/mod_auth_openidc.c(2279): [client X:38748] oidc_authenticate_user: enter
[Fri Jun 07 10:53:43.346570 2024] [auth_openidc:debug] [pid 199702:tid 199792] src/mod_auth_openidc.c(2290): [client X:38748] oidc_authenticate_user: defer discovery to the content handler
[Fri Jun 07 10:53:43.346584 2024] [authz_core:debug] [pid 199702:tid 199792] mod_authz_core.c(815): [client X:38748] AH01626: authorization result of Require valid-user : granted <---- wait, what?! we're not done with OIDC yet!
Note that the above httpd config uses OIDCMetaDataDir, both to support multiple IdPs and to keep secrets separate from the config. This might be relevant…
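One way to spot this sequence in an httpd trace, as an added example that is not part of the original post and not Open OnDemand or mod_auth_openidc code: a small Python checker that reports any "Require valid-user : granted" that follows "defer discovery to the content handler" on the same worker thread and client, i.e. the exact pattern flagged in the log above. The sample log lines are constructed from the format shown in this thread, with the same X/Y placeholders.

```python
import re

# Matches the httpd error_log format quoted in the thread:
# [timestamp] [module:level] [pid P:tid T] file(line): [client C] message
LINE_RE = re.compile(
    r"^\[(?P<ts>[^\]]+)\] \[(?P<mod>[^:\]]+):(?P<lvl>[^\]]+)\] "
    r"\[pid (?P<pid>\d+):tid (?P<tid>\d+)\] \S+ \[client (?P<client>[^\]]+)\] (?P<msg>.*)$"
)

# Messages copied from the trace above; everything else is ignored.
DEFER_MSG = "oidc_authenticate_user: defer discovery to the content handler"
GRANT_MSG = "authorization result of Require valid-user : granted"

# Constructed sample: first request shows the suspicious sequence, the
# second (different thread/client) is granted without a preceding deferral.
SAMPLE_LOG = [
    "[Fri Jun 07 10:53:43.346570 2024] [auth_openidc:debug] [pid 199702:tid 199792] "
    "src/mod_auth_openidc.c(2290): [client X:38748] " + DEFER_MSG,
    "[Fri Jun 07 10:53:43.346584 2024] [authz_core:debug] [pid 199702:tid 199792] "
    "mod_authz_core.c(815): [client X:38748] AH01626: " + GRANT_MSG,
    "[Fri Jun 07 10:53:43.346594 2024] [authz_core:debug] [pid 199702:tid 199792] "
    "mod_authz_core.c(815): [client X:38748] AH01626: authorization result of <RequireAny>: granted",
    "[Fri Jun 07 10:54:01.000001 2024] [authz_core:debug] [pid 199702:tid 199800] "
    "mod_authz_core.c(815): [client X:38750] AH01626: " + GRANT_MSG,
]


def find_premature_grants(lines):
    """Return (client, timestamp) for each 'Require valid-user' grant that
    follows an OIDC discovery deferral on the same pid/tid/client, meaning
    authz ran before any OIDC session was established for that request."""
    deferred = {}   # (pid, tid, client) -> timestamp of the deferral
    findings = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # annotations or non-matching lines are skipped
        key = (m["pid"], m["tid"], m["client"])
        if m["mod"] == "auth_openidc" and DEFER_MSG in m["msg"]:
            deferred[key] = m["ts"]
        elif m["mod"] == "authz_core" and GRANT_MSG in m["msg"]:
            if deferred.pop(key, None) is not None:
                findings.append((m["client"], m["ts"]))
    return findings


if __name__ == "__main__":
    for client, ts in find_premature_grants(SAMPLE_LOG):
        print(f"{ts}: valid-user granted for {client} before OIDC completed")
```

Run it over the real trace with `find_premature_grants(open("logs/Y_error_ssl.log"))`; each hit marks a request where the Lua fixups hook would have run with no user set.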