require two scopes and valid user

[schumischumi]

Hi we use the apache httpd as a reverse proxy (on port 5000) in front of a uvicorn fastapi app(on port 5050) . both are running in the same container.
the apache should to these things:

• validate the keycloak jwt
• validate the scope or at least the second scope

we have two problems:

• if the "Require valid-user" is set, the "Require claim scope..." is completely ignored
• if the "Require valid-user" is NOT set and more than one scope is used, the scope cant be validated

my questions are:

• do we need the "Require valid-user" or is the keycloak jwt validated anyway?
• how can we get both or at least the second scope "secondscope" validated?

here is the httpd conf:

<VirtualHost *:5000>
    OIDCOAuthVerifyJwksUri https://auth.test.corp.local/auth/realms/myrealm-nonprod/protocol/openid-connect/certs
    OIDCIDTokenIatSlack 3600
    OIDCScope "openid secondscope"  
    
	ProxyPreserveHost On
    ProxyPass /protected http://localhost:5050
    ProxyPassReverse /protected http://localhost:5050

    <Location /protected>
        AuthType oauth20
        # Require valid-user
        Require claim scope:openid secondscope
        # Require claim scope:"openid secondscope"
        # Require claim scope:openid
        # Require claim scope:secondscope
    </Location>
</VirtualHost> 

container log: httpd_container.log

[Mon Nov 22 15:27:03.246937 2021] [auth_openidc:debug] [pid 47:tid 140031419209472] src/mod_auth_openidc.c(4045): [client 172.17.0.1:33064] oidc_authz_checker: enter: require_args="scope:openid secondscope"
[Mon Nov 22 15:27:03.246955 2021] [auth_openidc:debug] [pid 47:tid 140031419209472] src/authz.c(446): [client 172.17.0.1:33064] oidc_authz_worker24: evaluating claim/expr specification: scope:openid
...
[Mon Nov 22 15:27:03.247126 2021] [auth_openidc:debug] [pid 47:tid 140031419209472] src/authz.c(63): [client 172.17.0.1:33064] oidc_authz_match_value: matching: spec_c=openid, key=scope
...
[Mon Nov 22 15:27:03.247147 2021] [auth_openidc:debug] [pid 47:tid 140031419209472] src/authz.c(446): [client 172.17.0.1:33064] oidc_authz_worker24: evaluating claim/expr specification: secondscope
...
[Mon Nov 22 15:27:03.247211 2021] [auth_openidc:debug] [pid 47:tid 140031419209472] src/mod_auth_openidc.c(3990): [client 172.17.0.1:33064] oidc_handle_unauthorized_user24: setting environment variable OIDC_OAUTH_BEARER_SCOPE_ERROR to "Bearer error="insufficient_scope", error_description="Different scope(s) or other claims required"" for usage in mod_headers
[Mon Nov 22 15:27:03.247218 2021] [authz_core:debug] [pid 47:tid 140031419209472] mod_authz_core.c(820): [client 172.17.0.1:33064] AH01626: authorization result of Require claim scope:openid secondscope: denied
[Mon Nov 22 15:27:03.247222 2021] [authz_core:debug] [pid 47:tid 140031419209472] mod_authz_core.c(820): [client 172.17.0.1:33064] AH01626: authorization result of <RequireAny>: denied
[Mon Nov 22 15:27:03.247226 2021] [authz_core:error] [pid 47:tid 140031419209472] [client 172.17.0.1:33064] AH01631: user d8390220-2390-4ccd-aaa3-000000000000: authorization failure for "/protected": 
172.17.0.1 - d8390220-2390-4ccd-aaa3-000000000000 [22/Nov/2021:15:27:03 +0000] "GET /protected HTTP/1.1" 401 381 "-" "curl/7.75.0"
[Mon Nov 22 15:27:03.253925 2021] [ssl:debug] [pid 47:tid 140031410816768] ssl_engine_io.c(1112): [client 172.17.0.1:33064] AH02001: Connection closed to child 70 with standard shutdown (server localhost:5000)

[zandbelt]

you don't need Require valid-user, you can use <RequireAll> to require all scopes instead of the logical "or" that is the default, so something like:

<RequireAll>
  Require claim scope:openid
  Require claim scope:secondscope
</RequireAll>

should work, see: https://httpd.apache.org/docs/2.4/mod/mod_authz_core.html

[schumischumi]

edit: I really think the space between the scopes or that the two scopes that look like they are delivered as one are the problem.

thanks for your fast response.
I changed the config but now the first claim fails validation:

[Tue Nov 23 08:16:14.641007 2021] [authz_core:debug] [pid 46:tid 140513247426304] mod_authz_core.c(820): [client 172.17.0.1:40476] AH01626: authorization result of Require claim scope:openid: denied
[Tue Nov 23 08:16:14.641011 2021] [authz_core:debug] [pid 46:tid 140513247426304] mod_authz_core.c(820): [client 172.17.0.1:40476] AH01626: authorization result of <RequireAll>: denied
[Tue Nov 23 08:16:14.641015 2021] [authz_core:debug] [pid 46:tid 140513247426304] mod_authz_core.c(820): [client 172.17.0.1:40476] AH01626: authorization result of <RequireAny>: denied
[Tue Nov 23 08:16:14.641018 2021] [authz_core:error] [pid 46:tid 140513247426304] [client 172.17.0.1:40476] AH01631: user d8390220-2390-4ccd-aaa3-92c244b57b72: authorization failure for "/protected": 

the scopes getting passed in the jwt token and are delimited by a space and the module also receives it from the token:

[Tue Nov 23 08:16:14.640591 2021] [auth_openidc:debug] [pid 46:tid 140513247426304] src/oauth.c(639): [client 172.17.0.1:40476] oidc_oauth_validate_jwt_access_token: successfully verified JWT access token: {"exp":1637655676,"iat":1637655376,"jti":"4a572f0f-aa91-4bd8-b635-460ddbe0064e","iss":"https://auth.test.corp.local/auth/realms/myrealm-nonprod","sub":"d8390220-2390-4ccd-aaa3-92c244b57b72","typ":"Bearer","azp":"my-clientid","acr":"1","scope":"openid secondscope","clientHost":"my-ip","clientId":"my-clientid","secondscope":true,"clientAddress":"my-ip"}
[Tue Nov 23 08:16:14.640701 2021] [auth_openidc:debug] [pid 46:tid 140513247426304] src/util.c(2577): [client 172.17.0.1:40476] oidc_util_hdr_table_set: OIDC_CLAIM_scope: openid secondscope
[Tue Nov 23 08:16:14.640705 2021] [auth_openidc:debug] [pid 46:tid 140513247426304] src/util.c(1978): [client 172.17.0.1:40476] oidc_util_set_app_info: setting environment variable "OIDC_CLAIM_scope: openid secondscope"

keycloak.conf

<VirtualHost *:5000>
    OIDCOAuthVerifyJwksUri https://auth.test.corp.local/auth/realms/myrealm-nonprod/protocol/openid-connect/certs
    OIDCIDTokenIatSlack 3600
    OIDCScope "openid secondscope"  
    
	ProxyPreserveHost On
    ProxyPass /protected http://localhost:5050
    ProxyPassReverse /protected http://localhost:5050

    <Location /protected>
        AuthType oauth20
       <RequireAll>
              Require claim scope:openid
              Require claim scope:secondscope
       </RequireAll>
    </Location>
</VirtualHost> 

[schumischumi]

ah I think I found the solution here https://githubmemory.com/repo/zmartzone/mod_oauth2/issues/26
thanks @zandbelt of the past

if you have more than one scope and its delimited by a space, you have to use double quotes around "scope:" and the scopes
here is the config, just in case if my link will stop working in the future:

<VirtualHost *:5000>
    OIDCOAuthVerifyJwksUri https://auth.test.corp.local/auth/realms/myrealm-nonprod/protocol/openid-connect/certs
    OIDCIDTokenIatSlack 3600
    OIDCScope "openid secondscope"  
    
	ProxyPreserveHost On
    ProxyPass /protected http://localhost:5050
    ProxyPassReverse /protected http://localhost:5050

    <Location /protected>
        AuthType oauth20
        Require claim "scope:openid secondscope"
    </Location>
</VirtualHost> 

I will test it further and if it keeps working I will mark it as solution

[zandbelt]

for the record, that is a non-standard way of passing back scopes

[schumischumi]

I guess you are right, but sadly I can't change the way I get the scopes. Thank you very much for you help!