OIDC login using auth_openidc_module: no cookie containing userinfo is obtained

Question (votes: 0, answers: 1)

I want to set up the Apache OIDC module to protect my application. Okta is my OP. I do get the login page, and I am correctly redirected to the application (which I currently host only locally). But I cannot get any information about the logged-in user. At some point during development I found a cookie "ln" that gave me the user's login information, but since then it has disappeared. The only cookie I have now is "mod_auth_openidc_session".

What is missing here?

```apache
<VirtualHost *:80>

    ServerName docker.appname

    <IfModule mod_deflate.c>
        SetOutputFilter DEFLATE
        DeflateCompressionLevel 9
    </IfModule>

    <Location />
        AddOutputFilterByType DEFLATE text/plain
        AddOutputFilterByType DEFLATE text/xml
        AddOutputFilterByType DEFLATE text/html
        AddOutputFilterByType DEFLATE text/css
        AddOutputFilterByType DEFLATE image/svg+xml
        AddOutputFilterByType DEFLATE application/xhtml+xml
        AddOutputFilterByType DEFLATE application/xml
        AddOutputFilterByType DEFLATE application/rss+xml
        AddOutputFilterByType DEFLATE application/atom+xml
        AddOutputFilterByType DEFLATE application/x-javascript

        # Everything under / requires an OIDC-authenticated user
        AuthType openid-connect
        Require valid-user

        Header append Vary User-Agent env=!dont-vary
    </Location>

    <IfModule mod_headers.c>
        Header set Content-Security-Policy <long list of policies>
        Header always append X-Frame-Options SAMEORIGIN
        Header set X-XSS-Protection "1; mode=block"
        Header set X-Content-Type-Options "nosniff"
        Header always set Strict-Transport-Security "max-age=15768000"
        Header unset X-Powered-By
        Header set Server ""
    </IfModule>

    # Reverse proxy: API to the backend container, everything else to the frontend
    ProxyPass /api/ http://back:8080/app-service/api/ connectiontimeout=5 timeout=36000
    ProxyPassReverse /api/ http://back:8080/app-service/api/
    ProxyTimeout 600
    ProxyPass /api/ !
    ProxyPass / http://front:4200/
    ProxyPassReverse / http://front:4200/
    ProxyPreserveHost On

    # mod_auth_openidc settings (values in angle brackets are redacted)
    OIDCSSLValidateServer Off
    OIDCProviderMetadataURL https://<issuer-url>/.well-known/oauth-authorization-server
    OIDCProviderIssuer https://<issuer-url>
    OIDCClientID <client-id>
    OIDCClientSecret <client-secret>
    OIDCRedirectURI http://localhost/login/callback
    OIDCCryptoPassphrase <randomCryptoPassPhrase>
    OIDCCookiePath /
    OIDCScope "openid email profile"
    OIDCInfoHook userinfo
    OIDCRemoteUserClaim email
    OIDCAuthNHeader email
</VirtualHost>
```
Tags: apache, okta

1 answer

0 votes

In my case, I was able to get the user by setting these at the top level (outside any Directory or Location block):

```apache
OIDCRemoteUserClaim upn ^(.*)@(.*) $1
Header Set Oidc-User %{REMOTE_USER}e
```

You may only need the first argument after OIDCRemoteUserClaim (for me it was upn).
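To make the answer concrete, here is an added configuration example (not from the question or the answer above) showing the two ways mod_auth_openidc hands the logged-in user's claims to an application; the `mod_auth_openidc_session` cookie itself is encrypted and HttpOnly and is not meant to be read by the app. The container names `back:8080` and `front:4200` are taken from the question; the `X-Remote-User` header name is an assumption.

```apache
# Added example: delivering identity from mod_auth_openidc to the app.
# Assumed names: back:8080 (API backend), front:4200 (SPA), X-Remote-User.
<VirtualHost *:80>
    ServerName docker.appname

    <Location />
        AuthType openid-connect
        Require valid-user
    </Location>

    # The session cookie is encrypted with OIDCCryptoPassphrase and marked
    # HttpOnly (OIDCCookieHTTPOnly defaults to On); it carries nothing the
    # browser is meant to read, so claims are delivered another way.

    # 1) Server-side backend behind the proxy: every proxied request gets
    #    the claims as OIDC_CLAIM_<name> headers and environment variables.
    OIDCPassClaimsAs both
    OIDCClaimPrefix OIDC_CLAIM_
    OIDCRemoteUserClaim email
    # Drop client-supplied copies of those headers before the module sets
    # its own, so the backend can trust them (this is the default).
    OIDCScrubRequestHeaders On
    # Also forward REMOTE_USER to the backend under an explicit header name.
    RequestHeader set X-Remote-User "expr=%{REMOTE_USER}"
    ProxyPass /api/ http://back:8080/app-service/api/
    ProxyPassReverse /api/ http://back:8080/app-service/api/

    # 2) Browser-side SPA: the session data is exposed by the info hook at
    #    <OIDCRedirectURI>?info=json, i.e. GET /login/callback?info=json
    #    from same-origin JavaScript (the session cookie is sent automatically).
    OIDCInfoHook userinfo
    OIDCRedirectURI http://localhost/login/callback
    ProxyPass / http://front:4200/
    ProxyPassReverse / http://front:4200/

    # The standard OIDC discovery document advertises the userinfo_endpoint
    # that the "userinfo" hook and the OIDC_CLAIM_* headers are filled from.
    OIDCProviderMetadataURL https://<issuer-url>/.well-known/openid-configuration
    OIDCClientID <client-id>
    OIDCClientSecret <client-secret>
    OIDCCryptoPassphrase <randomCryptoPassPhrase>
    OIDCScope "openid email profile"
</VirtualHost>
```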
