我在example.org/portia/test上有一个由Nginx映射的容器,结构如下:
我想使用Apache的mod_auth_openidc插件添加OpenIdConnect身份验证,我想保护整个虚拟主机。
到目前为止,我在auth-example.org上访问了正确的登录页面,我使用我的凭据登录,auth服务器使用正确的URI重定向我。 Ngnix用400错误回答我。
request sent with a lot of cookies
auth服务器由mydomain.org内的几个应用程序使用,所以我猜我的Apache配置文件有问题。
为了清楚起见,我无法触摸Nginx或auth服务器confs。
apache_site.conf
<VirtualHost *:9001>
ServerAdmin webmaster@localhost
DocumentRoot /app/portiaui/dist
ServerName www.example.org
ServerAlias example.org
#ProxyRequests On
Alias /static /app/portiaui/dist
OIDCProviderMetadataURL https://www.auth-example.org/auth/realms/master/.wel$
OIDCRedirectURI https://example.org/portia/test/callback
OIDCCryptoPassphrase <much secret>
OIDCClientID portia
OIDCClientSecret <much private>
OIDCCookiePath example.org/portia/test/
OIDCCookieDomain example.org
<Location /static>
Require all granted
</Location>
<Location /api>
Require all granted
ProxyPass http://127.0.0.1:8000/api
ProxyPassReverse http://127.0.0.1:8000/api
ProxyPreserveHost On
</Location>
<Location /server_capabilities>
Require all granted
ProxyPass http://127.0.0.1:8000/server_capabilities
ProxyPassReverse http://127.0.0.1:8000/server_capabilities
ProxyPreserveHost On
</Location>
<Location /ws> # mod_proxy_wstunnel is enabled
RequestHeader set Host "127.0.0.1:9002"
ProxyPreserveHost On
ProxyPass http://127.0.0.1:9002/ws
ProxyPassReverse http://127.0.0.1:9002/ws
</Location>
<Location />
AuthType openid-connect
Require valid-user
</Location>
ErrorLog ${APACHE_LOG_DIR}/error.log
CustomLog ${APACHE_LOG_DIR}/access.log combined
</VirtualHost>
OIDCCookiePath中的cookie路径设置只需要包含实际路径,而不是主机。事实上,我开始没有使用任何OIDCCookiePath或OIDCCookieDomain。
Hans Z.的答案建议我在相对路径上改变OIDCRedirectURI。
设置qazxswpo解决了问题:我的Apache实例不接收整个URL OIDCRedirectURI /callback,而只接收路径的最后部分。这是由于正面的Nginx实例。