
How can OpenID Connect utilize userinfo for authorization?


I'm utilizing mod_auth_openidc to front an API that has neither authentication nor authorization. The same endpoint also serves a UI, so it has interactive and server-to-server queries hitting it. This is something the module has AuthType auth-openidc for. So the module acts as a Resource Server in OAuth2.

When configuring this, I realized I accept access tokens from a password grant, so all my users have roles assigned to them and we don't really use scopes on the client IDs. So, naturally, I want to restrict access to the endpoint via role like this:

<Location />
  AuthType auth-openidc
  OIDCOAuthIntrospectionEndpoint https://localhost/oauth2/introspect
  OIDCOAuthRemoteUserClaim sub
  OIDCOAuthClientID 1111
  OIDCOAuthClientSecret 2222
  Require claim roles:MYAPI_ACCESS
</Location>  

The validation endpoint is a stock RFC 7662 compliant box and the config is basically a textbook example.

My twist is the Require authz. When using OAuth2 remote validation, openid-connect doesn't seem to look up the user info for the remote user; it just copies all attributes it gets from the /introspect endpoint and tries to match the Require against it.

My question is: how can I make openid-connect look up the corresponding user info (via a call to an existing /userinfo endpoint) once it has the remote user?


Solution

  • You cannot make the module call the user info endpoint when acting as an OAuth 2.0 Resource Server. What you can do is map the relevant claims to the access token in your Provider.
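
An added example (not part of the original answer and not mod_auth_openidc's own code): a simplified Python model of a Require claim rule evaluated against only the RFC 7662 introspection response, showing why roles:MYAPI_ACCESS fails until the Provider maps roles into that response. The sample responses, the function names and the string/array matching rules are assumptions made for illustration.

```python
import json

# Constructed RFC 7662 introspection responses (sample data, not from a real Provider).
WITHOUT_ROLES = json.loads(
    '{"active": true, "sub": "alice", "scope": "openid", "client_id": "1111"}')
WITH_ROLES = json.loads(
    '{"active": true, "sub": "alice", "client_id": "1111",'
    ' "roles": ["MYAPI_ACCESS", "REPORTS_READ"]}')
INACTIVE = json.loads('{"active": false}')


def parse_require_claim(directive):
    """Split 'Require claim name:value' into (name, value)."""
    parts = directive.split(None, 2)
    if len(parts) != 3 or [p.lower() for p in parts[:2]] != ["require", "claim"]:
        raise ValueError("not a 'Require claim' directive: %r" % directive)
    name, sep, value = parts[2].partition(":")
    if not sep or not name or not value:
        raise ValueError("expected name:value in %r" % directive)
    return name, value


def authorize(introspection, directive):
    """Hypothetical model: only members of the introspection response count."""
    if introspection.get("active") is not True:
        return False  # RFC 7662: token is not active, ignore everything else
    name, value = parse_require_claim(directive)
    claim = introspection.get(name)
    if isinstance(claim, str):  # assumption: string claims match exactly
        return claim == value
    if isinstance(claim, list):  # assumption: arrays match on any string element
        return any(isinstance(v, str) and v == value for v in claim)
    return False  # claim absent: nothing is fetched from /userinfo to fill it in


def remote_user(introspection, claim_name="sub"):
    """Counterpart of OIDCOAuthRemoteUserClaim: the user name comes from the same response."""
    if introspection.get("active") is not True:
        return None
    return introspection.get(claim_name)


if __name__ == "__main__":
    rule = "Require claim roles:MYAPI_ACCESS"
    for label, resp in [("no roles", WITHOUT_ROLES), ("roles mapped", WITH_ROLES),
                        ("inactive", INACTIVE)]:
        print(label, remote_user(resp), authorize(resp, rule))
```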