Issue with authentication to secureauth OP

[cocampbe]

I need to preface this first. I do not know what I am doing. I have familiarity with apache and modules and some familiarity with oidc. I have an oracle linux 8 server running apache 2.4.37. I have the 2.4.9.4 version of mod_auth_openidc. I create a simple virtual host that points to a document root that has a folder called "protected". In that directory I have an index file with a basic html in it. I have configured the virtual host with what I believe to be the minumum amount of config to get this module working with secureauth. This is my apache conf (edited):

# OIDC
OIDCProviderMetadataURL https://secureauth.example.com/realm1234/.well-known/openid-configuration
OIDCClientID 4r43r43rferfrefeert45t
OIDCClientSecret 34r43rferfnerjgfnrgjk4gjrjgkrjngjrtgwjrg
OIDCRedirectURI https://server1.example.com/protected/redirect_uri
OIDCCryptoPassphrase ferkfm3oi4i43omi43rf
OIDCProviderTokenEndpointParams scope=openid


<VirtualHost *:443>
    SSLEngine on
    SSLCertificateFile "/etc/httpd/certs/server1.example.com.cert"
    SSLCertificateKeyFile "/etc/httpd/certs/server1.example.com.key"
    DocumentRoot /var/www/html/oidc
    LogLevel auth_openidc:debug

    <Location "/protected">
        AuthType openid-connect
        Require valid-user
    </Location>
</VirtualHost>

When I go to this site, https://server1.example.com/protected, I get redirected to secureauth. It then sends me back to https://server1.example.com/protected/redirect_uri with the code. I get this page displayed:

Error:

OpenID Connect Provider error: Error in handling response type.

In the error_log I can see there is a call to the oidctoken endpoint and it is using basic auth.

[Fri Jun 30 10:23:35.093568 2023] [auth_openidc:debug] [pid 535290:tid 140443585033984] src/util.c(800): [client ***********:53191] oidc_util_http_call: url=https://secureauth.example.com/realm1234/OidcToken.aspx, data=grant_type=authorization_code&code=blahblahah_long_token&redirect_uri=https%3A%2F%2Fserver1.example.com%2Fprotected%2Fredirect_uri&scope=openid, content_type=application/x-www-form-urlencoded, basic_auth=****, bearer_token=(null), ssl_validate_server=1, timeout=60, outgoing_proxy=(null), pass_cookies=0, ssl_cert=(null), ssl_key=(null), ssl_key_pwd=(null), referer: https://secureauth.example.com/
[Fri Jun 30 10:23:35.141816 2023] [auth_openidc:debug] [pid 535290:tid 140443585033984] src/util.c(993): [client ***********:53191] oidc_util_http_call: HTTP response code=200, referer: https://secureauth.example.com/
[Fri Jun 30 10:23:35.141922 2023] [auth_openidc:debug] [pid 535290:tid 140443585033984] src/util.c(998): [client ***********:53191] oidc_util_http_call: response=\r\n\r\n<!doctype html>\r\n<!--[if lt IE 7]>      <html class="no-js lt-ie9 lt-ie8 lt-ie7" lang="en"> <![endif]-->\r\n<!--[if IE 7]>         <html class="no-js lt-ie9 lt-ie8" lang="en"> <![endif]-->\r\n<!--[if IE 8]>         <html class="no-js lt-ie9" lang="en"> <![endif]-->\r\n<!--[if gt IE 8]><!--> <html class="no-js" lang="en" ng-app="secureauth"> <!--<![endif]-->\r\n\r\n    <head id="Head1" data-view="UserIDView" data-state="INIT_LOGON">
.....
bunch of html
[Fri Jun 30 10:23:35.142293 2023] [auth_openidc:error] [pid 535290:tid 140443585033984] [client ***********:53191] oidc_util_decode_json_object: JSON parsing returned an error: '[' or '{' expected near '<' (\r\n\r\n<!doctype html>\r\n<!--[if lt IE 7]>      <html class="no-js lt-ie9 lt-ie8 lt-ie7" lang="en"> <![endif]-->\r\n<!--[if IE 7]>         <html class="no-js lt-ie9 lt-ie8" lang="en"> <![endif]-->\r\n<!--[if IE 8]>         <html class="no-js lt-ie9" lang="en"> <![endif]-->\r\n<!--[if gt IE 8]><!--> <html class="no-js" lang="en" ng-app="secureauth">
...
bunch of html

The error oidc_util_decode_json_object: JSON parsing returned an error: makes sense since it's parsing html. I am not sure why I am getting this. And I am not sure how to resolve it. Hopefully someone can help with this. If more info is needed, let me know. We were kind of wondering if the issue is that it is using basic auth vs sending a bearer token. But, that's just me grasping at straws.

My expectation is that the oidc auth would work and I would see the index page. Maybe that is not how this module works.

[zandbelt]

the token endpoint errors out on the token request, the only thing that may be interfering here is OIDCProviderTokenEndpointParams, why was that added in the config?

[cocampbe]

A technician with secureauth said we needed to send the scope to the endpoint.

[cocampbe]

I changed OIDCResponseType to id_token and was able to access the page. It seems it's an issue with the "Authorization code" flow. Secureauth has a few flows, the one that is working is implicit.

[cocampbe]

We pointed the setup to an older version of secureauth and unset the OIDCResponseType, essentially setting it back to the default of "code". In this case it works. It seems that it mayh be a secureauth issue, or there is something extra I need to setup in the module. It's not clear yet.

[cocampbe]

I just wanted to close out this discussion. The issue was on the secureauth side. One issue was the endpoint has windows SSO enabled on it. We disabled that. And the other was an issue with the consent storage attribute that was set on the realm. If anything, this is confirmation that the module works with secureauth.