requiring multiple claims with multi OP setup

Question

requiring multiple claims with multi OP setup

zandbelt opened this issue 2 years ago · comments

Discussed in #770

^{Originally posted by rajeevn1 January 16, 2022}
I am using 2.4.10-1~bullseye+1 release from github with multiple providers (google, globus, gitlab).

The following works

<RequireAll>
# Require not claim email_verified:false
Require claim email~^(test1@gmail.com|test2@gmail.com)$
</RequireAll>

but when I un-comment the claim for email_verified, the authentication always fails. I have confirmed that email_verified claim, as provided by OP, is either set to true (google, gitlab), or is missing (globus).

The issue does not exist if I use any single provider setup.

I would appreciate any help in resolving the issue.

Hans Zandbelt · Answer 1 · Sun Jan 23 2022 02:11:47 GMT+0800 (China Standard Time)

@rajeevn1 would you be able to test a fix by building from source?

rajeevn1 · Answer 2 · Sun Jan 23 2022 02:55:33 GMT+0800 (China Standard Time)

@zandbelt yes, I should be able to.

Hans Zandbelt · Answer 3 · Sun Jan 23 2022 03:13:49 GMT+0800 (China Standard Time)

please try this branch: https://github.com/zmartzone/mod_auth_openidc/tree/fix_discovery_require_all_authz

rajeevn1 · Answer 4 · Sun Jan 23 2022 21:11:55 GMT+0800 (China Standard Time)

I am getting a different error now, I am not sure if it is a problem with my build.

The original problem of multiple claims with multi OP setup works, but only when the email claim is not a regexp. If it is a regexp then it fails.

Not working log.
nb.txt

Working log:
ng.txt

Hans Zandbelt · Answer 5 · Sun Jan 23 2022 22:17:37 GMT+0800 (China Standard Time)

that seemed to be different issue with regular expressions, which should be fixed now on the same branch; please confirm

rajeevn1 · Answer 6 · Sun Jan 23 2022 23:16:12 GMT+0800 (China Standard Time)

now it works when OIDCDiscoverURL is not defined (it shows internal page), but with OIDCDiscoverURL defined to a custom URL it just shows a blank page.

Hans Zandbelt · Answer 7 · Sun Jan 23 2022 23:22:22 GMT+0800 (China Standard Time)

sorry, that was an oversight in the earlier patch, corrected that now

rajeevn1 · Answer 8 · Sun Jan 23 2022 23:39:10 GMT+0800 (China Standard Time)

It works for me now.
Thank you.

Hans Zandbelt · Answer 9 · Tue Mar 22 2022 02:36:51 GMT+0800 (China Standard Time)

I had to revert some changes: @rajeevn1 can you please confirm that 3f082c1 still works for you?

rajeevn1 · Answer 10 · Wed Mar 23 2022 20:29:59 GMT+0800 (China Standard Time)

It still works for me. Thanks.