Access control <RequireAny> sets WWW-Authenticate header - insufficient_scope #42

Closed
ErmakovDmitriy opened this issue Jan 20, 2023 · 4 comments

Comments

@ErmakovDmitriy

We use Apache 2.4, mod_oauth2 3.3.0.

In the Apache configuration we have the following access control configuration:

# Any of the audiences will be allowed.
<RequireAny>
  Require oauth2_claim 'aud:kubepie'
  Require oauth2_claim 'aud:jupyterhub'
  Require oauth2_claim 'aud:jupyterhub-review'
</RequireAny>

When we access the protected directory (Apache autoindex) using a valid bearer token, we get access, but the response contains many copies of the header below:

< www-authenticate: Bearer error="insufficient_scope", error_description="Different scope(s) or other claims required."

Corresponding debug logs:

[Fri Jan 20 15:21:11.548245 2023] [oauth2:debug] [pid 7:tid 140689342269184] src/mod_oauth2.c(211): [client 192.168.20.17:0] oauth2_authz_checker: enter
[Fri Jan 20 15:21:11.548263 2023] [oauth2:debug] [pid 7:tid 140689342269184] src/server/apache.c(1024): [client 192.168.20.17:0] oauth2_apache_authorize: evaluating claim/expr specification: aud:kubepie
[Fri Jan 20 15:21:11.548266 2023] [oauth2:debug] [pid 7:tid 140689342269184] src/server/apache.c(927): [client 192.168.20.17:0] oauth2_apache_authz_match_claim: evaluating key "exp"
[Fri Jan 20 15:21:11.548268 2023] [oauth2:debug] [pid 7:tid 140689342269184] src/server/apache.c(927): [client 192.168.20.17:0] oauth2_apache_authz_match_claim: evaluating key "iat"
...
[Fri Jan 20 15:21:11.548287 2023] [oauth2:debug] [pid 7:tid 140689342269184] src/server/apache.c(839): [client 192.168.20.17:0] oauth2_apache_authz_match_value: matching: spec_c=kubepie, key=aud
...
[Fri Jan 20 15:21:11.548319 2023] [oauth2:debug] [pid 7:tid 140689342269184] src/server/apache.c(366): [client 192.168.20.17:0] oauth2_apache_return_www_authenticate: enter
[Fri Jan 20 15:21:11.548322 2023] [oauth2:debug] [pid 7:tid 140689342269184] src/server/apache.c(458): [client 192.168.20.17:0] oauth2_apache_hdr_out_add: WWW-Authenticate: Bearer error="insufficient_scope", error_description="Different scope(s) or other claims required."
[Fri Jan 20 15:21:11.548325 2023] [oauth2:debug] [pid 7:tid 140689342269184] src/server/apache.c(390): [client 192.168.20.17:0] oauth2_apache_return_www_authenticate: leave
[Fri Jan 20 15:21:11.548327 2023] [oauth2:debug] [pid 7:tid 140689342269184] src/mod_oauth2.c(232): [client 192.168.20.17:0] oauth2_authz_checker: setting environment variable OAUTH2_BEARER_SCOPE_ERROR to "Bearer error="insufficient_scope", error_description="Different scope(s) or other claims required."" for usage in mod_headers
[Fri Jan 20 15:21:11.548330 2023] [oauth2:debug] [pid 7:tid 140689342269184] src/mod_oauth2.c(240): [client 192.168.20.17:0] oauth2_authz_checker: leave
[Fri Jan 20 15:21:11.548331 2023] [authz_core:debug] [pid 7:tid 140689342269184] mod_authz_core.c(815): [client 192.168.20.17:0] AH01626: authorization result of Require oauth2_claim 'aud:kubepie': denied
[Fri Jan 20 15:21:11.548334 2023] [oauth2:debug] [pid 7:tid 140689342269184] src/mod_oauth2.c(211): [client 192.168.20.17:0] oauth2_authz_checker: enter
[Fri Jan 20 15:21:11.548353 2023] [oauth2:debug] [pid 7:tid 140689342269184] src/server/apache.c(1024): [client 192.168.20.17:0] oauth2_apache_authorize: evaluating claim/expr specification: aud:jupyterhub
[Fri Jan 20 15:21:11.548355 2023] [oauth2:debug] [pid 7:tid 140689342269184] src/server/apache.c(927): [client 192.168.20.17:0] oauth2_apache_authz_match_claim: evaluating key "exp"
[Fri Jan 20 15:21:11.548357 2023] [oauth2:debug] [pid 7:tid 140689342269184] src/server/apache.c(927): [client 192.168.20.17:0] oauth2_apache_authz_match_claim: evaluating key "iat"
...
[Fri Jan 20 15:21:11.548365 2023] [oauth2:debug] [pid 7:tid 140689342269184] src/server/apache.c(839): [client 192.168.20.17:0] oauth2_apache_authz_match_value: matching: spec_c=jupyterhub, key=aud
[Fri Jan 20 15:21:11.548366 2023] [oauth2:debug] [pid 7:tid 140689342269184] src/server/apache.c(927): [client 192.168.20.17:0] oauth2_apache_authz_match_claim: evaluating key "sub"
...
[Fri Jan 20 15:21:11.548398 2023] [oauth2:debug] [pid 7:tid 140689342269184] src/server/apache.c(366): [client 192.168.20.17:0] oauth2_apache_return_www_authenticate: enter
[Fri Jan 20 15:21:11.548400 2023] [oauth2:debug] [pid 7:tid 140689342269184] src/server/apache.c(458): [client 192.168.20.17:0] oauth2_apache_hdr_out_add: WWW-Authenticate: Bearer error="insufficient_scope", error_description="Different scope(s) or other claims required."
[Fri Jan 20 15:21:11.548402 2023] [oauth2:debug] [pid 7:tid 140689342269184] src/server/apache.c(390): [client 192.168.20.17:0] oauth2_apache_return_www_authenticate: leave
[Fri Jan 20 15:21:11.548404 2023] [oauth2:debug] [pid 7:tid 140689342269184] src/mod_oauth2.c(232): [client 192.168.20.17:0] oauth2_authz_checker: setting environment variable OAUTH2_BEARER_SCOPE_ERROR to "Bearer error="insufficient_scope", error_description="Different scope(s) or other claims required."" for usage in mod_headers
[Fri Jan 20 15:21:11.548407 2023] [oauth2:debug] [pid 7:tid 140689342269184] src/mod_oauth2.c(240): [client 192.168.20.17:0] oauth2_authz_checker: leave
[Fri Jan 20 15:21:11.548408 2023] [authz_core:debug] [pid 7:tid 140689342269184] mod_authz_core.c(815): [client 192.168.20.17:0] AH01626: authorization result of Require oauth2_claim 'aud:jupyterhub': denied
[Fri Jan 20 15:21:11.548410 2023] [oauth2:debug] [pid 7:tid 140689342269184] src/mod_oauth2.c(211): [client 192.168.20.17:0] oauth2_authz_checker: enter
[Fri Jan 20 15:21:11.548428 2023] [oauth2:debug] [pid 7:tid 140689342269184] src/server/apache.c(1024): [client 192.168.20.17:0] oauth2_apache_authorize: evaluating claim/expr specification: aud:jupyterhub-review
[Fri Jan 20 15:21:11.548431 2023] [oauth2:debug] [pid 7:tid 140689342269184] src/server/apache.c(927): [client 192.168.20.17:0] oauth2_apache_authz_match_claim: evaluating key "exp"
[Fri Jan 20 15:21:11.548433 2023] [oauth2:debug] [pid 7:tid 140689342269184] src/server/apache.c(927): [client 192.168.20.17:0] oauth2_apache_authz_match_claim: evaluating key "iat"
...
[Fri Jan 20 15:21:11.548441 2023] [oauth2:debug] [pid 7:tid 140689342269184] src/server/apache.c(839): [client 192.168.20.17:0] oauth2_apache_authz_match_value: matching: spec_c=jupyterhub-review, key=aud
[Fri Jan 20 15:21:11.548443 2023] [oauth2:debug] [pid 7:tid 140689342269184] src/server/apache.c(1029): [client 192.168.20.17:0] oauth2_apache_authorize: require claim/expr 'aud:jupyterhub-review' matched
[Fri Jan 20 15:21:11.548446 2023] [oauth2:debug] [pid 7:tid 140689342269184] src/mod_oauth2.c(240): [client 192.168.20.17:0] oauth2_authz_checker: leave
[Fri Jan 20 15:21:11.548448 2023] [authz_core:debug] [pid 7:tid 140689342269184] mod_authz_core.c(815): [client 192.168.20.17:0] AH01626: authorization result of Require oauth2_claim 'aud:jupyterhub-review': granted
[Fri Jan 20 15:21:11.548450 2023] [authz_core:debug] [pid 7:tid 140689342269184] mod_authz_core.c(815): [client 192.168.20.17:0] AH01626: authorization result of <RequireAny>: granted
[Fri Jan 20 15:21:11.548451 2023] [authz_core:debug] [pid 7:tid 140689342269184] mod_authz_core.c(815): [client 192.168.20.17:0] AH01626: authorization result of <RequireAll>: granted
[Fri Jan 20 15:21:11.548453 2023] [authz_core:debug] [pid 7:tid 140689342269184] mod_authz_core.c(815): [client 192.168.20.17:0] AH01626: authorization result of <RequireAny>: granted
It seems that this issue might have been fixed in OpenIDC/mod_auth_openidc@8ed00cc but was not propagated to the OAuth2 module.

Could you, please, take a look at it and fix or recommend a solution for us?

/cc @manfuin

@zandbelt
Member

That fix was propagated, but suffers from an error here:
https://github.com/zmartzone/liboauth2/blob/v1.4.5.2/src/server/apache.c#L459
Instead of adding a header, it should overwrite the existing one, so that the single header will correctly be removed here:
https://github.com/zmartzone/mod_oauth2/blob/v3.3.0/src/mod_oauth2.c#L230-L231

zandbelt added a commit to OpenIDC/liboauth2 that referenced this issue Jan 20, 2023
@ErmakovDmitriy
Author

Thank you for the fix! =)

For now, I get only 1 line with the error in the response (< www-authenticate: Bearer error="insufficient_scope", error_description="Different scope(s) or other claims required.") which does not break our HTTP load balancer.

I might have done something wrong, but am I supposed to get even that one line when access is allowed? Anyway, one line should not be a problem for us, I think.

@zandbelt
Member

Hm, I thought it was quick to fix; I'll properly reproduce and fix it now. It is not supposed to be there when the overall access result is "allowed".

@zandbelt
Member

I had to revert the patch from liboauth2 1.4.5.3 (pulled now) in 1.4.5.4, and released mod_oauth2 3.3.1, which solves this issue.
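The symptom reported above (a 200 OK carrying one or more Bearer "insufficient_scope" challenges, which RFC 6750 only defines for a 401/403 response) is easy to regression-test after upgrading to mod_oauth2 3.3.1. The following check is an added example written for this page; it is not code from the mod_oauth2 or liboauth2 projects. It parses a raw HTTP response, extracts the RFC 6750 Bearer challenge parameters from every WWW-Authenticate header, and reports any error challenge that appears on a successful (2xx) response. The sample responses are constructed to mirror the behaviour described in the issue and are not captures from the reporter's server; the 403 sample shows the correct place for such a challenge and must not be flagged.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample responses (assumptions for this example, not real captures).
# BUGGY_RESPONSE mirrors the report: access granted (200) but the denied
# <RequireAny> branches each left an insufficient_scope challenge behind.
_CHALLENGE = ('Bearer error="insufficient_scope", '
              'error_description="Different scope(s) or other claims required."')

BUGGY_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Server: Apache/2.4\r\n"
    f"WWW-Authenticate: {_CHALLENGE}\r\n"
    f"WWW-Authenticate: {_CHALLENGE}\r\n"
    "Content-Type: text/html;charset=UTF-8\r\n"
    "\r\n"
    "<html>index</html>"
)

FIXED_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Server: Apache/2.4\r\n"
    "Content-Type: text/html;charset=UTF-8\r\n"
    "\r\n"
    "<html>index</html>"
)

# A genuine denial: one challenge on a 403 is exactly what RFC 6750 prescribes.
DENIED_RESPONSE = (
    "HTTP/1.1 403 Forbidden\r\n"
    "Server: Apache/2.4\r\n"
    f"WWW-Authenticate: {_CHALLENGE}\r\n"
    "\r\n"
)

# RFC 6750 auth-param: token "=" quoted-string (values without quotes are
# ignored here, which is fine for the error/error_description attributes).
_PARAM_RE = re.compile(r'(\w+)="([^"]*)"')


def parse_response(raw: str) -> Tuple[int, List[Tuple[str, str]]]:
    """Split a raw HTTP/1.1 response into (status code, [(name, value), ...]).

    Header names are lower-cased so repeated WWW-Authenticate headers are
    found regardless of the case the server emitted them in.
    """
    head, _, _body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    status = int(lines[0].split(" ", 2)[1])
    headers: List[Tuple[str, str]] = []
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers.append((name.strip().lower(), value.strip()))
    return status, headers


def parse_bearer_challenge(value: str) -> Dict[str, str]:
    """Return the auth-params of a Bearer challenge, or {} for other schemes."""
    scheme, _, params = value.partition(" ")
    if scheme.lower() != "bearer":
        return {}
    return dict(_PARAM_RE.findall(params))


def spurious_challenges(raw: str) -> List[Dict[str, str]]:
    """Bearer challenges that carry an error= attribute on a 2xx response.

    A successful response should never advertise insufficient_scope or
    invalid_token; each returned dict is one such leaked challenge.
    """
    status, headers = parse_response(raw)
    if not 200 <= status < 300:
        return []
    leaked = []
    for name, value in headers:
        if name != "www-authenticate":
            continue
        challenge = parse_bearer_challenge(value)
        if "error" in challenge:
            leaked.append(challenge)
    return leaked


if __name__ == "__main__":
    for label, sample in (("buggy", BUGGY_RESPONSE),
                          ("fixed", FIXED_RESPONSE),
                          ("denied", DENIED_RESPONSE)):
        print(label, spurious_challenges(sample))
```

To run it against a live server, capture the response with `curl -si -H "Authorization: Bearer ..." <url>` and pass the output to `spurious_challenges`; a non-empty result means the module is still leaking challenges from denied `Require` branches into an allowed response.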
