200 response with an embedded 401 for user info

[adenix]

We have mod_auth_openidc implemented at scale with a shared redis cache. Everything has been working great until our IdP vendor updated their userinfo endpoint to return 401 on expired access_token instead of 403. We now are seeing odd behavior at end of session. The access_token is getting refreshed but the userinfo is returned as an embedded 401. My theory is that the new status code is causing the error response to be cached.

LoadModule authn_core_module modules/mod_authn_core.so
LoadModule authz_user_module modules/mod_authz_user.so
LoadModule auth_openidc_module modules/mod_auth_openidc.so
OIDCDefaultURL https://insight-meechum.prod.netflix.net
OIDCInfoHook access_token access_token_expires refresh_token userinfo
OIDCProviderMetadataURL https://meechum.netflix.com/.well-known/openid-configuration
OIDCClientID insight_meechum
OIDCClientSecret ${meechum_secret}
OIDCRedirectURI https://insight-meechum.prod.netflix.net/meechum
OIDCCryptoPassphrase <REDACTED>
OIDCScope <REDACTED>
OIDCPassClaimsAs headers
OIDCSessionInactivityTimeout 28800
OIDCSessionMaxDuration 28800
OIDCPassRefreshToken Off
OIDCStripCookies mod_auth_openidc_session mod_auth_openidc_session_chunks mod_auth_openidc_session_0 mod_auth_openidc_session_1
OIDCUnAuthAction auth
OIDCScrubRequestHeaders On
OIDCCacheType redis
OIDCOAuthVerifyJwksUri https://meechum.netflix.com/ext/oauth/nflxJwTDefault/jwks
OIDCUserInfoRefreshInterval 900
OIDCRedisCacheServer <REDACTED>
OIDCHTMLErrorTemplate /apps/meechum/error.html

[zandbelt]

what version of mod_auth_openidc are you on?

[adenix]

Looks like 2.3.8 for this specific service. Running an older OS Ubuntu 18.04.6 LTS(bionic).

[zandbelt]

upgrading to a recent release should solve this issue then: it will check for a "sub" claim

[adenix]

Do you know what version is the threshold for this issue? We upgrade to 2.4.11-1 in our Ubuntu Jammy OS.

[zandbelt]

seems to be 2.4.5

[adenix]

No longer seeing the 401 embedded response on refresh but now the userinfo is being completly omitted on refresh.

[adenix]

Looks like its successfully refreshing the AT, successfully getting the user info with a sub claim, then trying refresh the AT again with the old RT, and getting an error as it should.

auth_openidc.error.log

[zandbelt]

that appears to be a bug indeed; would you be able to test a fix from https://mod-auth-openidc.org/downloads/libapache2-mod-auth-openidc_2.4.14.3rc2-1.bionic_amd64.deb and https://www.mod-auth-openidc.org/downloads/libapache2-mod-auth-openidc_2.4.14.3rc2-1.jammy_amd64.deb?

[adenix]

Testing, I'll get back with the results 🙇

[adenix]

Sorry for the delay. Initial testing didn't go as expected. I'm planning to do more testing today.

[adenix]

@zandbelt testing finished and the RC is behaving as expected

[adenix]

@zandbelt Do you have an idea of when this will make it into a full release? I'm just wanting to set expectations internally.

[zandbelt]

the release schedule is driven by our commercial support customers (hint ;-))

[adenix]

@zandbelt That makes sense for a feature request, but this is a bug fix. Do you have any idea when this will be released?