401 Unauthorized after session was ended by IdP

[xrammit]

Hi everybody,

I'm experiencing a problem with mod_auth_openidc (2.4.14.2) in combination with Keycloak (21.1.2). I can reproduce the problem with the following steps:

1. Browse to my web service protected by mod_auth_openidc.
2. I get redirected to my Keycloak instance to login as expected.
3. After I successfully authenticated to Keycloak I get redirected to my web service as expected.
4. End the active Keycloak session on the Keycloak account UI.
5. After waiting a few minutes, when I try to access my web service (HTTP GET request) I always receive HTTP error 401 Unauthorized but don't get redirected to Keycloak to re-authenticate as I would've expected.

I attached a debug log below that shows that the module tries to refresh the claims from the user info endpoint and receives status code 401. Then it tries to refresh the access token with the refresh token and receives status code 400 as the Keycloak session is no longer active. To me it looks like the module does not handle the response of that second request properly.

My question now is, are my expectations regarding the redirection of the user wrong at this point or is there an issue with my configuration or the module?

My mod_auth_openidc apache configuration (replaced some sensitive values):

OIDCCryptoPassphrase SENSITIVE
OIDCUserInfoRefreshInterval 60

OIDCProviderMetadataURL https://auth.example.com/realms/example.com/.well-known/openid-configuration
OIDCRedirectURI https://app.example.com/redirect_uri
OIDCXForwardedHeaders X-Forwarded-Host
OIDCSessionInactivityTimeout 3600
OIDCClientID myapp
OIDCClientSecret SENSITIVE
OIDCRemoteUserClaim email
OIDCScope "openid email"

<Location />
  AuthType openid-connect
    Require claim resource_access.myapp.roles:EXTERNAL_USER
    Require claim resource_access.myapp.roles:USER
</Location>

Log messages during of mod_auth_openidc module with level "debug" (replaced some sensitive values):

mod_auth_openidc_debug.log

[zandbelt]

this is expected behaviour; since the userinfo claims cannot be refreshed, those claims are removed from the session and subsequent authorization based on those claims will fail with a 401; you could change that behaviour with OIDCUnAuthzAction auth https://github.com/OpenIDC/mod_auth_openidc/blob/v2.4.14.2/auth_openidc.conf#L952-L957 to redirect for authentication but that unfortunately has limitations due to Apache's internals and is restricted to a single Require statement

[zandbelt]

I do realize that there's room for additional options since the access token error happens before the authorization phase, in the authentication phase where it is still possible to reauthenticate the user; so I added e7d85e7 which allows you to use

OIDCUserInfoRefreshInterval 60 authenticate_on_error

to achieve the behaviour that you are looking for

[xrammit]

Thank you for the quick reply and the helpful suggestions! As you proposed I added OIDCUserInfoRefreshInterval 60 authenticate_on_error to my configuration and it works now as I expect it to work in case of an ended IdP session.