apache, oauth-2.0, mod-auth-openidc

How to pass user's claim to upstream layer using mod_auth_openidc?

I've successfully provisioned an Apache web server using mod_auth_openidc to protect our internal dashboards, using Auth0 and Google App OAuth, as described in this documentation:

  - https://github.com/zmartzone/mod_auth_openidc#openid-connect-sso-with-google-sign-in
  - https://auth0.com/docs/quickstart/webapp/apache/01-login (without using the Auth0 rule pipeline)

My question is how to pass the user's claims to the upstream layer (our internal tools/dashboards) as HTTP headers? Is it possible?

Regards, Agung

UPDATED

I've tried the suggestion here; here's the snippet of my /etc/apache2/sites-available/000-default.conf:

    <VirtualHost *:443>
        ServerName my-host-name
        UseCanonicalName on
        ProxyPreserveHost on
        DocumentRoot /var/www/html

        # Pass the user's claims (and the userinfo response) to the backend as HTTP headers
        OIDCPassClaimsAs "headers"
        OIDCPassUserInfoAs "claims"
        OIDCPassRefreshToken "On"

        <Location />
            AuthType openid-connect

            <RequireAll>
                # Only verified accounts from the company domain; the dot is escaped so that
                # an address such as user@domainXcom does not satisfy the rule
                Require claim email~^(.*)@domain\.com$
                Require claim email_verified:true
            </RequireAll>

            ProxyPass http://echo-server.default.svc.cluster.local:8080/
            ProxyPassReverse http://echo-server.default.svc.cluster.local:8080/
            LogLevel debug
        </Location>
    </VirtualHost>

I am using echoserver (gcr.io/google_containers/echoserver:1.0) as the backend of http://echo-server.default.svc.cluster.local:8080, and it doesn't print any of the user's claims as HTTP headers. Is there any misconfiguration on my part? How do I debug this problem?


Solution

  • That's what the module does by default: it will pass the user's claims in both environment variables and headers, which can be configured with OIDCPassClaimsAs as documented in: https://github.com/zmartzone/mod_auth_openidc/blob/v2.3.8/auth_openidc.conf#L668

    # Define the way in which the claims and tokens are passed to the application environment:
    # "none": no claims/tokens are passed
    # "environment": claims/tokens are passed as environment variables
    # "headers": claims/tokens are passed in headers (also useful in reverse proxy scenario's)
    # "both": claims/tokens are passed as both headers as well as environment variables (default)
    # When not defined the default is "both"
    # The access token is passed in OIDC_access_token; the access token expiry is passed in OIDC_access_token_expires.
    # The refresh token is only passed in OIDC_refresh_token if enabled for that specific directory/location (see: OIDCPassRefreshToken)
    #OIDCPassClaimsAs [none|headers|environment|both]
    

    Note that those headers are added to the backend HTTP request that is propagated to the application so you won't see them in a browser.
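A quick way to see exactly what the module forwards is to put a throwaway upstream behind the ProxyPass that dumps the request headers it receives. The following is an added example, not code from the question, the answer or mod_auth_openidc itself. It assumes the module's default claim prefix OIDC_CLAIM_ (so the email claim arrives as the OIDC_CLAIM_email header) and the OIDC_access_token / OIDC_refresh_token header names quoted from auth_openidc.conf above; the helper names and the sample header values in the test are constructed. It also re-checks the same domain and email_verified rule as the <RequireAll> block, which is worth doing at the upstream because anyone who can reach the backend without going through Apache could set these headers themselves.

```python
"""Throwaway upstream that shows which OIDC headers the Apache proxy forwarded.

Added example (not part of the original question or the module). Run it as the
ProxyPass target, then load the protected URL in a browser: the page lists the
claims that mod_auth_openidc attached to the backend request.
"""
import re
from http.server import BaseHTTPRequestHandler, HTTPServer
from typing import Dict, Mapping, Optional

# Module default for OIDCClaimPrefix: claim "email" -> header "OIDC_CLAIM_email".
CLAIM_PREFIX = "OIDC_CLAIM_"
# Token header names as quoted from auth_openidc.conf in the answer above.
TOKEN_HEADERS = ("OIDC_access_token", "OIDC_access_token_expires", "OIDC_refresh_token")

# Same rule as the question's <RequireAll>, with the dot escaped so that
# "user@domainXcom" does not match.
ALLOWED_EMAIL = re.compile(r"^[^@\s]+@domain\.com$", re.IGNORECASE)


def extract_oidc_claims(headers: Mapping[str, str]) -> Dict[str, str]:
    """Return {claim_name: value} for every OIDC_CLAIM_* header.

    HTTP header names are case-insensitive, so the prefix is matched ignoring case.
    """
    claims: Dict[str, str] = {}
    for name, value in headers.items():
        if name.upper().startswith(CLAIM_PREFIX):
            claims[name[len(CLAIM_PREFIX):]] = value
    return claims


def extract_tokens(headers: Mapping[str, str]) -> Dict[str, str]:
    """Return the OIDC_*token* headers that were forwarded (case-insensitive lookup)."""
    lowered = {name.lower(): value for name, value in headers.items()}
    return {h: lowered[h.lower()] for h in TOKEN_HEADERS if h.lower() in lowered}


def authorize(claims: Mapping[str, str]) -> Optional[str]:
    """Re-apply the proxy's rule at the upstream; None means allowed, else a reason.

    Defense in depth only: the upstream must still be reachable exclusively
    through Apache, otherwise the headers are attacker-controlled input.
    """
    email = claims.get("email")
    if not email or not ALLOWED_EMAIL.match(email):
        return "email missing or outside the allowed domain"
    if claims.get("email_verified", "").lower() != "true":
        return "email not verified"
    return None


def render_report(headers: Mapping[str, str]) -> str:
    """Human-readable summary of the forwarded claims; tokens are truncated, never echoed whole."""
    claims = extract_oidc_claims(headers)
    tokens = extract_tokens(headers)
    reason = authorize(claims)
    lines = ["Claims forwarded by the proxy:"]
    lines += [f"  {k} = {v}" for k, v in sorted(claims.items())] or ["  (none)"]
    lines.append("Tokens forwarded by the proxy:")
    lines += [f"  {k} = {v[:12]}..." for k, v in sorted(tokens.items())] or ["  (none)"]
    lines.append("Upstream check: " + ("allowed" if reason is None else f"denied ({reason})"))
    return "\n".join(lines) + "\n"


class DumpHandler(BaseHTTPRequestHandler):
    def do_GET(self) -> None:
        headers = dict(self.headers.items())
        body = render_report(headers).encode("utf-8")
        self.send_response(200 if authorize(extract_oidc_claims(headers)) is None else 403)
        self.send_header("Content-Type", "text/plain; charset=utf-8")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)


if __name__ == "__main__":
    # Listen on the port the question's ProxyPass points at.
    HTTPServer(("0.0.0.0", 8080), DumpHandler).serve_forever()
```

If the report shows no claims at all, the headers are not reaching the backend and the problem is on the Apache side (OIDCPassClaimsAs, or the module not actually protecting the Location); if they show up here but not in the dashboard, the dashboard is dropping or not displaying them.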