OIDCRemoteUserClaim match and replace not working on some claims
dBucik opened this issue
Dominik František Bučík commented
Hey all,
I've been trying to debug why my REMOTE_USER is not set, and it seems that replacing using regexes works only on some claims.
Imagine that the OP releases these claims:
name: "Dominik František Bučík"
preferred_username: "dbucik"
When I try to set the REMOTE_USER using the following, it works for the name, but does not for preferred_username:
OIDCRemoteUserClaim name ^(.*)$ $1@test.com
OIDCRemoteUserClaim preferred_username ^(.*)$ $1@test.com
In the case of the preferred_username, I get these messages in debug log:
[auth_openidc:error] [pid ...] [client...] oidc_get_remote_user: oidc_util_regexp_substitute failed: unknown error could not match string [dbucik] using pattern [^(.*)$] and replace matches in [$1@test.com], referer: ...
[auth_openidc:error] [pid ...] [client...] oidc_set_request_user: OIDCRemoteUserClaimis set to "preferred_username", but could not set the remote user based on the requested claim "preferred_username" and the available claims for the user, referer: ...
[auth_openidc:error] [pid ...] [client...] oidc_handle_authorization_response: remote user could not be set, referer: ...
Full configuration of VirtualHost:
OIDCProviderMetadataURL "https://my-op.org/.well-known/openid-configuration"
OIDCClientID "client_id"
OIDCClientSecret "secret"
OIDCRedirectURI "/oauth2/callback"
OIDCScope "openid profile email"
OIDCCryptoPassphrase "secret"
OIDCCookiePath "/"
# OIDCRemoteUserClaim preferred_username ^(.*)$ $1@test.com
OIDCRemoteUserClaim name ^(.*)$ $1@test.com
<Location /oauth2/callback>
#non-existent location for returning from OIDC server
AuthType openid-connect
Require valid-user
</Location>
<Location />
AuthType openid-connect
Require valid-user
ProxyPass uwsgi://localhost:8083/
ProxyPassReverse uwsgi://localhost:8083/
</Location>
I am running the following versions:
OS: Debian 10 (buster)
apache2 2.4.38-3+deb10u7
libapache2-mod-auth-openidc 2.4.11.3-1~buster+1
Any idea what might be going on?