I have configured mod_auth_openidc on an apache 2.4 server. Everything is working ok for protected locations. For those resources the backend applications (PHP script or reverse proxied application) receive the claims as HTTP headers OIDC_xxx.

On this web server I also have public locations. Nevertheless, if an authenticated user hits one of those resources, I would also like to receive the OIDC headers.

My httpd config looks like

<Location /private>
   AuthType openid-connect
   <RequireAll>
      Require valid-user
      Require claim groups:B2C
   </RequireAll>
</Location>
<Location /public>
   AuthType openid-connect
   <RequireAny>
      Require valid-user
      Require all granted
   </RequireAny>
</Location>

The private location is well protected by the OIDC provider and the HTTP headers are populated. The public location can be reached by unauthenticated users (Require all granted); but nevertheless, is there a way to configure httpd and mod_auth_openidc to populate the headers for authenticated users hitting the public location? The above configuration does not do it in any case (no OIDC_ headers).

Thanks.

1 Answer

There's a way to configure this so-called "lazy sessions" by using:

OIDCUnAuthAction pass

in that particular location, see the docs for the OIDCUnAuthAction primitive:

Defines the action to be taken when an unauthenticated request is made.

"auth" means that the user is redirected to the OpenID Connect Provider or Discovery page.
"401" means that HTTP 401 Unauthorized is returned.
"410" means that HTTP 410 Gone is returned.
"pass" means that an unauthenticated request will pass but claims will still be passed when a user happens to be authenticated already.

Useful in Location/Directory/Proxy path contexts that serve AJAX/Javascript calls and for "anonymous access".
When not defined the default "auth" is used.

OIDCUnAuthAction [auth|pass|401|410]

Hans Z.
  • Thanks Hans for pointing me to this directive. In fact this point was also mentioned in the issue https://github.com/zmartzone/mod_auth_openidc/issues/170. In fact I realized this did not work for me because I was using the mod_auth_openidc coming with CentOS7 (ver. 1.8.8); you need at least a version 2.x to have this working properly. It must also be mentioned that the "pass" directive must be in your root folder or default config. – boubou191911 Aug 30 '18 at 06:44
  • The `OIDCUnAuthAction` directive can be in a location/directory context. – Hans Z. Aug 30 '18 at 09:09
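The answer's directive applied to the question's two locations, as an added example that is neither the original poster's config nor the mod_auth_openidc project's own documentation; the provider metadata URL, client id, secret, redirect URI and passphrase are placeholders to be replaced.

```apache
# Global mod_auth_openidc settings (placeholder values, constructed for this example)
OIDCProviderMetadataURL https://idp.example.com/.well-known/openid-configuration
OIDCClientID            my-client-id
OIDCClientSecret        REPLACE_WITH_CLIENT_SECRET
OIDCRedirectURI         https://www.example.com/redirect_uri
OIDCCryptoPassphrase    REPLACE_WITH_RANDOM_PASSPHRASE
# Deliver claims to the backend as OIDC_CLAIM_* request headers (module default)
OIDCPassClaimsAs        headers

# Protected location: an unauthenticated request is redirected to the provider
# ("auth" is the module default, written out here for contrast with /public)
<Location /private>
   AuthType openid-connect
   OIDCUnAuthAction auth
   <RequireAll>
      Require valid-user
      Require claim groups:B2C
   </RequireAll>
</Location>

# Public location with "lazy sessions": an unauthenticated request passes
# through as an anonymous user, while a request carrying an existing session
# gets its OIDC_CLAIM_* headers populated. "pass" lets the anonymous request
# through the authentication phase, so "Require valid-user" does not block it.
<Location /public>
   AuthType openid-connect
   OIDCUnAuthAction pass
   Require valid-user
</Location>
```

As the comments note, this needs mod_auth_openidc 2.x; the backend behind /public must treat a request without OIDC_CLAIM_* headers as anonymous rather than assuming a user is always present.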