openid-connect reverse-proxy httpd.conf mod-auth-openidc

oidc_util_decode_json_object: JSON parsing returned an error: '[' or '{' expected near 'eyJhbGciOiJSUzI'


I'm using the "mod_auth_openidc" module of the Apache reverse proxy to do an OIDC authentication to a remote identity provider (using the classic authorization code flow). The authentication succeeds and I am correctly redirected to my application, but mod_auth_openidc cannot retrieve the user claims sent by the provider. In the reverse proxy debug log I can read the following error message:

oidc_util_decode_json_object: JSON parsing returned an error: '[' or '{' expected near 'eyJhbGciOiJSUzI'

The log contains the complete JWT token sent by the identity provider, and if I decode this signed token (on an online web site), it is correctly signed and encoded and I can retrieve the claims.

So it seems that auth_openidc_module reads this token as plain JSON text instead of decoding it first.

What could be wrong in my Apache configuration and how can I fix this issue?


Solution

  • I found the solution.

    My mistake was a case-sensitivity typo in the configuration:

    To decode the JWT token when it is signed, you must specify the parameter “OIDCUserInfoSignedResponseAlg” with the corresponding algorithm (see: https://github.com/OpenIDC/mod_auth_openidc/blob/master/auth_openidc.conf).

    Since I was using multiple OpenID Connect providers, my configuration was in an "OIDCMetadataDir", more precisely in a file named like “mydomain.fr%2Fapi.conf”. In this file the key must be written exactly as follows:

    {
    "userinfo_signed_response_alg" : "RS256"
    }
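The following is an added example, not code from the original question, the answer, or the mod_auth_openidc project. It reproduces the two halves of the answer in plain Python: why the module's JSON parser choked on the quoted fragment (the base64url of a JOSE header), and why a case-sensitive key in the per-provider metadata file decides whether the userinfo body is treated as plain JSON or as a signed JWS. Because the Python standard library has no RSA, the constructed sample token is signed with HS256 and a constructed shared secret as a stand-in for the RS256 token in the question; `parse_userinfo`, `configured_userinfo_alg`, `CONSTRUCTED_SECRET` and `CONSTRUCTED_CLAIMS` are hypothetical names chosen for this example, not the module's own functions or settings.

```python
import base64
import hashlib
import hmac
import json


def b64url_decode(data: str) -> bytes:
    """Decode unpadded base64url text (as used in compact JWS) to bytes."""
    return base64.urlsafe_b64decode(data + "=" * (-len(data) % 4))


def b64url_encode(data: bytes) -> str:
    """Encode bytes as unpadded base64url text."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def decode_error_prefix(prefix: str) -> str:
    """Show what the fragment quoted in the log line really is: the base64url
    encoding of the start of a JOSE header, e.g. 'eyJhbGciOiJSUzI' -> '{"alg":"RS2'."""
    return b64url_decode(prefix).decode("utf-8", errors="replace")


def configured_userinfo_alg(provider_metadata: dict):
    """Look up the per-provider metadata key. Dictionary lookup is case-sensitive, so a
    key spelled 'userinfo_signed_response_Alg' yields None and the body stays in
    plain-JSON mode (hypothetical helper mirroring the answer's point)."""
    return provider_metadata.get("userinfo_signed_response_alg")


def make_hs256_token(claims: dict, secret: bytes) -> str:
    """Build a constructed HS256 JWS. The real provider in the question used RS256;
    HMAC is used here only because the stdlib cannot sign with RSA."""
    header = b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode())
    payload = b64url_encode(json.dumps(claims, separators=(",", ":")).encode())
    sig = hmac.new(secret, f"{header}.{payload}".encode("ascii"), hashlib.sha256).digest()
    return f"{header}.{payload}.{b64url_encode(sig)}"


def parse_userinfo(body: str, configured_alg, key: bytes = None) -> dict:
    """Decide how to read a userinfo response the way the answer describes:
    no configured alg -> the body must be plain JSON; configured alg -> the body
    must be a compact JWS whose header alg matches, verified before its claims are used."""
    if configured_alg is None:
        try:
            return json.loads(body)
        except json.JSONDecodeError as exc:
            # Same failure mode as the logged message: a JWS handed to a JSON parser.
            raise ValueError(f"JSON parsing returned an error: '[' or '{{' expected near '{body[:15]}'") from exc
    parts = body.split(".")
    if len(parts) != 3:
        raise ValueError("signed userinfo response configured but body is not a compact JWS")
    header_b64, payload_b64, sig_b64 = parts
    header = json.loads(b64url_decode(header_b64))
    if header.get("alg") != configured_alg:
        raise ValueError(f"header alg {header.get('alg')!r} does not match configured {configured_alg!r}")
    if configured_alg == "HS256":
        if key is None:
            raise ValueError("HS256 verification needs the shared key")
        expected = hmac.new(key, f"{header_b64}.{payload_b64}".encode("ascii"), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, b64url_decode(sig_b64)):
            raise ValueError("userinfo JWS signature verification failed")
    else:
        # RS256 and friends need the provider's JWKS; that lookup is out of scope here.
        raise NotImplementedError(f"{configured_alg}: verification against the provider's JWKS not implemented")
    return json.loads(b64url_decode(payload_b64))


# Constructed sample data for the demonstration (not real secrets or users).
CONSTRUCTED_SECRET = b"constructed-demo-secret"
CONSTRUCTED_CLAIMS = {"sub": "alice", "email": "alice@example.test"}


if __name__ == "__main__":
    token = make_hs256_token(CONSTRUCTED_CLAIMS, CONSTRUCTED_SECRET)
    print("log fragment decodes to:", decode_error_prefix("eyJhbGciOiJSUzI"))
    misspelled = {"userinfo_signed_response_Alg": "HS256"}   # the case typo from the answer
    correct = {"userinfo_signed_response_alg": "HS256"}
    try:
        parse_userinfo(token, configured_userinfo_alg(misspelled), CONSTRUCTED_SECRET)
    except ValueError as err:
        print("misconfigured:", err)
    print("fixed:", parse_userinfo(token, configured_userinfo_alg(correct), CONSTRUCTED_SECRET))
```

Running it prints the decoded fragment `{"alg":"RS2`, which is exactly why the module reported `'[' or '{' expected`: it was handed the header of a JWS and, with no `userinfo_signed_response_alg` configured for that provider, tried to parse it as a JSON object. Note that the check rejects a header whose `alg` differs from the configured one rather than trusting the token's own header, which is the same posture the directive enforces: the relying party, not the token, chooses which algorithm is acceptable.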