By: Dan Seibert user 01 Apr 2016 at 2:38 a.m. CDT

6 Responses
I am trying to use Gluu with Apache 2.4. I am experiencing an issue when mod_auth_openidc is trying to call the Gluu REST service to perform token introspection. The problem is with the type of Authorization header. mod_auth_openidc calls the Gluu .../introspect REST service with a Basic Auth header containing the client ID and client secret as username/password. However, Gluu's IntrospectionWebService is expecting the Authorization header to contain an OAuth 2.0 bearer token.

By Mohib Zico Account Admin 01 Apr 2016 at 3:23 a.m. CDT

Dan, can you please share the stack trace from your Gluu Server?

By Aliaksandr Samuseu staff 01 Apr 2016 at 6:53 a.m. CDT

I'm not sure it can be perceived as an issue of Gluu. For example, the [OAuth 2.0 Introspection spec](https://tools.ietf.org/html/rfc7662) in its own example of an introspection request uses a bearer token for authorization: [link](https://tools.ietf.org/html/rfc7662#section-2.1). Though it also allows the use of a Basic Auth header too. I also see that `mod_auth_openidc` allows 2 methods of querying the endpoint (per [this doc](https://github.com/pingidentity/mod_auth_openidc/blob/master/auth_openidc.conf)):

```
# Authentication method for the OAuth 2.0 Authorization Server introspection endpoint,
# Must be either "client_secret_basic" or "client_secret_post"; when not defined "client_secret_basic" is used.
```

Have you tried to explicitly configure it to use the `client_secret_post` method? Maybe it will send a Bearer token in that case?

Update: ...though from the context it doesn't seem so; it probably will send the client credentials in the body of the POST request this way. Maybe it's worth creating an "enhancement" request at Gluu's GitHub asking to add this as a feature in future releases (i.e. using client credentials to authorize the introspection request).

By Michael Schwartz Account Admin 01 Apr 2016 at 1:02 p.m. CDT

Why is mod_auth_oidc calling the introspection endpoint? That's not part of the OpenID Connect standard? Introspection is not needed. We only want to support mod_auth_oidc for its OpenID Connect features, not proprietary OAuth2 features. Can you provide the configuration for your mod_auth_oidc client that you are trying to test?

By Yuriy Zabrovarnyy staff 01 Apr 2016 at 3:20 p.m. CDT

Gluu's implementation of the introspection endpoint sticks to an access_token to protect the endpoint. The access_token can be obtained with any client authentication type (client credentials or any other Connect type), exactly in the same way as shown in the example of the introspection specification. We do not support passing client authentication information directly to the endpoint.
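An added illustration of the two authorization forms discussed in this thread (example code, not Gluu's or mod_auth_openidc's own), using constructed client credentials and an in-memory token store: a Basic header with client credentials sent straight to the introspection endpoint is rejected, while first obtaining an access_token via the client_credentials grant and presenting it as Bearer succeeds.

```python
import base64
import binascii
import secrets
from typing import Dict, Tuple

# Constructed sample client credentials (placeholders, not from the thread).
CLIENT_ID = "example-client"
CLIENT_SECRET = "example-secret"
TOKENS: Dict[str, Dict] = {}  # access_token -> claims; stands in for the AS token store


def parse_authorization(header: str) -> Tuple[str, str]:
    """Split 'Scheme credentials'; the scheme is case-insensitive per RFC 7235."""
    scheme, _, creds = header.strip().partition(" ")
    return scheme.lower(), creds.strip()


def basic_header(client_id: str, secret: str) -> str:
    """What client_secret_basic puts on the wire: base64(client_id:secret)."""
    return "Basic " + base64.b64encode(f"{client_id}:{secret}".encode()).decode()


def token_endpoint(auth_header: str, grant_type: str) -> Dict:
    """Minimal client_credentials grant: Basic client auth in, access_token out."""
    scheme, creds = parse_authorization(auth_header)
    if scheme != "basic" or grant_type != "client_credentials":
        return {"error": "invalid_client"}
    try:
        cid, _, secret = base64.b64decode(creds, validate=True).decode().partition(":")
    except (binascii.Error, UnicodeDecodeError):
        return {"error": "invalid_client"}
    if cid != CLIENT_ID or not secrets.compare_digest(secret, CLIENT_SECRET):
        return {"error": "invalid_client"}
    token = secrets.token_urlsafe(16)
    TOKENS[token] = {"client_id": cid, "scope": "introspection"}
    return {"access_token": token, "token_type": "Bearer"}


def introspection_endpoint(auth_header: str, token: str) -> Dict:
    """Endpoint protected by a Bearer access_token, as described for Gluu above.
    A Basic header (what client_secret_basic sends) is rejected, not accepted."""
    scheme, creds = parse_authorization(auth_header)
    if scheme != "bearer" or creds not in TOKENS:
        return {"error": "unauthorized", "status": 401}
    claims = TOKENS.get(token)
    return {"active": True, **claims} if claims else {"active": False}


def introspect_via_client_credentials(client_id: str, secret: str, token_to_check: str) -> Dict:
    """The working flow: get an access_token first, then introspect with it as Bearer."""
    issued = token_endpoint(basic_header(client_id, secret), "client_credentials")
    if "access_token" not in issued:
        return issued
    return introspection_endpoint("Bearer " + issued["access_token"], token_to_check)
```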

By William Lowe user 01 Apr 2016 at 3:44 p.m. CDT

We've [opened an issue](https://github.com/GluuFederation/oxAuth/issues/198) for this on GitHub. Thanks.

By Michael Schwartz Account Admin 01 Apr 2016 at 4:21 p.m. CDT

See my comments from above... Why is mod_auth_oidc calling the introspection endpoint? That's not part of the OpenID Connect standard? Introspection is not needed. We only want to support mod_auth_oidc for its OpenID Connect features, not proprietary OAuth2 features. Can you provide the configuration for your mod_auth_oidc client that you are trying to test? I closed the issue on GitHub unless Dan can provide the exact use case.