
I am using mod_auth_openidc with Apache and a Varnish cache reverse proxy in front of Grafana to offload SSO OAuth2; once I log in, after some time I get the fetch error below. As I investigated the issue, I found that the OAuth token expires and mod_auth_openidc is not able to refresh the token; I was able to trace the flow:

Failed to fetch dashboard
NetworkError when attempting to fetch resource.

mod_auth_openidc token refresh flow

  1. The token expires and the HTTP GET call is redirected to the OAuth server with HTTP 302
  2. The redirection fails with an HTTP 403 error; the HTTP OPTIONS method is used instead of GET or POST

Firefox network flow (screenshot not reproduced)

And if the browser is refreshed and the full page gets loaded, everything is fine, strangely:

  1. mod_auth_openidc redirects to the OAuth server with HTTP 302
  2. The token gets refreshed and the OAuth server redirects to the application with HTTP 302
  3. The page gets loaded with HTTP 200

Firefox network flow (screenshot not reproduced)

It seems like the OAuth server is not processing the HTTP OPTIONS method; I tried to disable it at the Apache level using 'Require method GET POST', but then mod_auth_openidc did not work. Any pointers or help are appreciated.

-- Thank you

  • That's really not how an OIDC auth proxy should implement token refresh. The refresh token should be used for token refresh. But to do that the app must call refresh - see doc https://github.com/zmartzone/mod_auth_openidc/wiki/Access-Tokens-and-Refresh-Tokens Weird implementation. I don't know why you need to offload SSO. Grafana has quite a good OIDC implementation and this mod_auth_openidc doesn't seem to be a good fit for this use case. – Jan Garaj Oct 16 '20 at 19:13
  • Thank you, we could not map users to roles, so we are using mod_auth_openidc and Varnish to extract the email ID; I am facing the issue "Cross-Origin Request Blocked: The Same Origin Policy disallows reading the remote resource", due to which the OAuth request is failing; I did add 'Access-Control-Allow-Origin: *' on the server but the OAuth request is still failing – Varadharajan Nadar Oct 18 '20 at 18:19

1 Answer

Thank you, I was able to resolve the issue with a workaround.

The issue was due to XHR requests getting blocked (CORS), as the OAuth server is in a different domain.

Changing OIDCSessionInactivityTimeout to 24 hrs worked and resolved the issue.

The link below provides the full insight and configuration:

https://github.com/zmartzone/mod_auth_openidc/issues/220

Varadharajan Nadar
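The Apache-side shape of the fix described in this answer, as an added example that is not from the question, the answer or the mod_auth_openidc project. It assumes placeholder hostnames, client credentials and a Grafana backend on 127.0.0.1:3000; it also assumes the email claim is handed to Grafana's auth proxy with mod_headers (RequestHeader), whereas the poster did that step in Varnish. The relevant points for this thread are the two session-lifetime directives (the default inactivity timeout of 300 s is what let the session lapse between two Grafana XHRs) and returning 401 rather than a 302 to the IdP on the XHR-only /api/ path, since a cross-origin redirect from an XHR can never complete in the browser:

```apache
# Added example, not the poster's configuration. Hostnames, client ID,
# client secret and backend address are placeholders.
OIDCProviderMetadataURL https://idp.example.com/.well-known/openid-configuration
OIDCClientID         grafana-placeholder-client-id
OIDCClientSecret     PLACEHOLDER_CLIENT_SECRET
OIDCRedirectURI      https://grafana.example.com/oauth2callback
OIDCCryptoPassphrase PLACEHOLDER_RANDOM_PASSPHRASE
OIDCScope            "openid email"
OIDCRemoteUserClaim  email

# Default inactivity timeout is 300 seconds; the answer raised it to 24 h.
OIDCSessionInactivityTimeout 86400
# The absolute session lifetime (default 8 h) caps the inactivity timeout,
# so raise it as well or the session still ends after 8 h.
OIDCSessionMaxDuration 86400

<Location />
  AuthType openid-connect
  Require valid-user
  # Hand the email claim to Grafana's auth proxy. The poster extracted it
  # in Varnish instead; this is the mod_headers equivalent (assumption).
  RequestHeader set X-WEBAUTH-USER "%{OIDC_CLAIM_email}e"
  ProxyPass        http://127.0.0.1:3000/
  ProxyPassReverse http://127.0.0.1:3000/
</Location>

# Grafana's frontend calls /api/ via XHR. Without a valid session the
# default action is a 302 to the IdP, which the browser blocks as a
# cross-origin request (the NetworkError in the question). Returning 401
# makes the expiry explicit; a full page load still re-authenticates.
<Location /api/>
  AuthType openid-connect
  Require valid-user
  OIDCUnAuthAction 401
</Location>
```

On the Grafana side this pairs with `[auth.proxy]` enabled and `header_name = X-WEBAUTH-USER` with `header_property = email`, and Grafana should only accept that header from the Apache host, since anyone who can reach port 3000 directly could otherwise set it themselves.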