apache, mod-auth-openidc

mod_auth_openidc: how do I get claims from the provider's access token?


I've missed something very basic in how mod_auth_openidc works.

I'm using Keycloak, and if I do a curl request to get a token (in other words, I log in with a username and password), then I get back a JWT. Part of the JWT payload contains:

"openid-connect" : {
  "roles": ["role-1", "role-2", ..."role-n"]
}

mod_auth_openidc is presumably doing the same request, and getting back the same JWT. However, none of this is being passed on to my app. All I can see is the session Cookie (mod_auth_openidc_session), but there are no OIDC headers or env variables.

What have I missed - how do I persuade mod_auth_openidc to send the Keycloak roles (or anything else) on to the app?


Solution

  • I figured it out. I was testing using the minimal PHP app on the wiki. In my Apache config, I was allowing unauthorised access to this test page:

      <Location /oidctest.php>
        Require all granted
      </Location>
    

    This doesn't work; mod_auth_openidc sees that no claims are required, and doesn't supply any. If I change the require to something more realistic:

    Require claim "resource_access.openid-connect.roles:role-3"
    

    then everything springs into life: the PHP test page shows lots of claims. With require all granted, nothing was passed: not even the REMOTE_USER, so the test page just showed "Hello,", rather than "Hello, [email address]".
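Added example (not from the question or the answer above): the non-working and the working Apache configurations side by side, with the module directives the answer leaves out. The Keycloak realm URL, client secret, redirect URI and passphrase are placeholders; the client id "openid-connect" and the role "role-3" are taken from the posted token and Require line.

```apache
# Provider and client registration (placeholders; set to your realm and client).
OIDCProviderMetadataURL https://keycloak.example.com/realms/myrealm/.well-known/openid-configuration
OIDCClientID            openid-connect
OIDCClientSecret        REPLACE-WITH-CLIENT-SECRET
OIDCRedirectURI         https://app.example.com/oidctest.php/redirect_uri
OIDCCryptoPassphrase    REPLACE-WITH-RANDOM-PASSPHRASE
OIDCScope               "openid email"

# How claims reach the application: as OIDC_CLAIM_* request headers and
# environment variables, and which claim populates REMOTE_USER.
OIDCPassClaimsAs        both
OIDCRemoteUserClaim     email

# NOT WORKING: "Require all granted" satisfies authorization without any
# authentication, so the module never runs, no session is created and the
# app sees neither REMOTE_USER nor a single OIDC_CLAIM_* variable.
#<Location /oidctest.php>
#  AuthType openid-connect
#  Require all granted
#</Location>

# WORKING: authentication is required, and in addition a Keycloak client
# role. Nested claims are addressed with dots, mirroring the token layout:
# resource_access -> openid-connect (the client id) -> roles.
<Location /oidctest.php>
  AuthType openid-connect
  Require claim resource_access.openid-connect.roles:role-3
</Location>

# If any logged-in user may reach a page (role checks done in the app from
# the OIDC_CLAIM_* values), "Require valid-user" still triggers the login
# flow and passes the claims, unlike "Require all granted".
#<Location /other.php>
#  AuthType openid-connect
#  Require valid-user
#</Location>
```

Note that the claims the module evaluates and forwards come from the ID token and the userinfo endpoint rather than from the access token itself, so the Keycloak client mapper for the roles claim must add it there; if the Require line is correct but the claim is absent, check that mapper first.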