I'm utilizing mod_auth_openidc to front an API that has neither authentication nor authorization. The same endpoint also serves UI, so it has interactive and server-to-server queries hitting it. This is something the module has AuthType auth-openidc for. So the module acts as Resource Server in OAuth2.
When configuring this, I realized I accept access tokens from a password grant, so all my users have roles assigned to them and we don't really use scopes on the client ids. So, naturally, I want to restrict access to the endpoint via role like this:
<Location />
AuthType auth-openidc
OIDCOAuthIntrospectionEndpoint https://localhost/oauth2/introspect
OIDCOAuthRemoteUserClaim sub
OIDCOAuthClientID 1111
OIDCOAuthClientSecret 2222
Require claim roles:MYAPI_ACCESS
</Location>
The validation endpoint is a stock RFC 7662 compliant box and the config is basically a textbook example.
My twist is the Require authz. When using OAuth2 remote validation, openid-connect doesn't seem to look up the user info for the remote user; it just copies all attributes it gets from the /introspect endpoint and tries to match the Require against it.
My question is: how can I make openid-connect look up the corresponding user info (via a call to an existing /userinfo endpoint) once it has the remote user?
You cannot make the module call the user info endpoint when acting as an OAuth 2.0 Resource Server. What you can do is map the relevant claims to the access token in your Provider.
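The exchange behind the config above, as an added example that is not part of the original question or answer: a simulated RFC 7662 introspection endpoint with HTTP Basic client authentication, and an approximation of how the module evaluates `Require claim roles:MYAPI_ACCESS` against the introspection response only. The token table, the subjects, and the two provider behaviours (one provider maps `roles` into the access token as the answer advises, one does not) are constructed for the example; the matching rules are an approximation of the module's `Require claim` handling (active check, expiry check, string or array-valued claim), not the module's own code.

```python
"""Added example (constructed, not the original poster's or the module's code):
simulate the introspection call mod_auth_openidc makes as an OAuth 2.0
Resource Server, then apply `Require claim roles:MYAPI_ACCESS` to the
introspection response. No userinfo lookup happens anywhere in this path,
which is why `roles` has to be present in the access token itself.
"""
import base64
import time
from typing import Optional, Tuple

# Constructed client credentials; they mirror OIDCOAuthClientID/Secret in the config.
CLIENT_ID = "1111"
CLIENT_SECRET = "2222"

# Constructed opaque tokens known to the provider, keyed by token value.
# `roles` appears only where the provider has been configured to map that
# claim into the access token (the answer's advice); the second token comes
# from a provider that keeps roles in userinfo only, so it carries none.
TOKEN_TABLE = {
    "tok-with-roles": {
        "active": True, "sub": "alice", "client_id": "webapp",
        "scope": "openid", "exp": int(time.time()) + 600,
        "roles": ["MYAPI_ACCESS", "UI_USER"],
    },
    "tok-no-roles": {
        "active": True, "sub": "bob", "client_id": "webapp",
        "scope": "openid", "exp": int(time.time()) + 600,
    },
    "tok-revoked": {"active": False},
}


def basic_auth(client_id: str, client_secret: str) -> str:
    """HTTP Basic Authorization header value for client authentication."""
    raw = f"{client_id}:{client_secret}".encode()
    return "Basic " + base64.b64encode(raw).decode()


def introspect(token: str, authorization: str) -> dict:
    """Simulated RFC 7662 endpoint: refuses unauthenticated clients and
    answers {"active": false} for unknown tokens, so the endpoint does not
    reveal whether a token ever existed."""
    if authorization != basic_auth(CLIENT_ID, CLIENT_SECRET):
        raise PermissionError("invalid_client")
    return dict(TOKEN_TABLE.get(token, {"active": False}))


def require_claim(response: dict, name: str, value: str) -> bool:
    """Approximation of `Require claim <name>:<value>` evaluated against the
    introspection result: the token must be active and unexpired, and the
    claim must equal the value, or contain it when the claim is an array."""
    if not response.get("active"):
        return False
    exp = response.get("exp")
    if exp is not None and exp <= time.time():
        return False
    claim = response.get(name)
    if isinstance(claim, list):
        return value in claim
    return claim == value


def authorize(token: str) -> Tuple[bool, Optional[str]]:
    """One request through the Location block: introspect with the configured
    client credentials, take REMOTE_USER from `sub` (OIDCOAuthRemoteUserClaim),
    then apply `Require claim roles:MYAPI_ACCESS`. Returns (allowed, remote_user)."""
    response = introspect(token, basic_auth(CLIENT_ID, CLIENT_SECRET))
    allowed = require_claim(response, "roles", "MYAPI_ACCESS")
    return allowed, (response.get("sub") if allowed else None)


if __name__ == "__main__":
    for tok in list(TOKEN_TABLE) + ["tok-unknown"]:
        print(f"{tok}: allowed={authorize(tok)[0]} remote_user={authorize(tok)[1]}")
```

Running it shows only `tok-with-roles` reaching the API: the token from the provider that does not map `roles` is denied even though its owner may well hold the role in userinfo, which is the behaviour the question observed and the reason the answer points at the provider's token mapping rather than at the module.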