
Access control <RequireAny> sets WWW-Authenticate header - insufficient_scope #42

Closed
@ErmakovDmitriy

Description


We use Apache 2.4, mod_oauth 3.3.0.

In the Apache configuration we have access control configuration as below:

# Any of the audiences will be allowed.
<RequireAny>
  Require oauth2_claim 'aud:kubepie'
  Require oauth2_claim 'aud:jupyterhub'
  Require oauth2_claim 'aud:jupyterhub-review'
</RequireAny>

When we access the protected directory (Apache autoindex) using a valid bearer token, we get access, but the response contains plenty of headers like the one below:

< www-authenticate: Bearer error="insufficient_scope", error_description="Different scope(s) or other claims required."

Corresponding debug logs:

[Fri Jan 20 15:21:11.548245 2023] [oauth2:debug] [pid 7:tid 140689342269184] src/mod_oauth2.c(211): [client 192.168.20.17:0] oauth2_authz_checker: enter
[Fri Jan 20 15:21:11.548263 2023] [oauth2:debug] [pid 7:tid 140689342269184] src/server/apache.c(1024): [client 192.168.20.17:0] oauth2_apache_authorize: evaluating claim/expr specification: aud:kubepie
[Fri Jan 20 15:21:11.548266 2023] [oauth2:debug] [pid 7:tid 140689342269184] src/server/apache.c(927): [client 192.168.20.17:0] oauth2_apache_authz_match_claim: evaluating key "exp"
[Fri Jan 20 15:21:11.548268 2023] [oauth2:debug] [pid 7:tid 140689342269184] src/server/apache.c(927): [client 192.168.20.17:0] oauth2_apache_authz_match_claim: evaluating key "iat"
...
[Fri Jan 20 15:21:11.548287 2023] [oauth2:debug] [pid 7:tid 140689342269184] src/server/apache.c(839): [client 192.168.20.17:0] oauth2_apache_authz_match_value: matching: spec_c=kubepie, key=aud
...
[Fri Jan 20 15:21:11.548319 2023] [oauth2:debug] [pid 7:tid 140689342269184] src/server/apache.c(366): [client 192.168.20.17:0] oauth2_apache_return_www_authenticate: enter
[Fri Jan 20 15:21:11.548322 2023] [oauth2:debug] [pid 7:tid 140689342269184] src/server/apache.c(458): [client 192.168.20.17:0] oauth2_apache_hdr_out_add: WWW-Authenticate: Bearer error="insufficient_scope", error_description="Different scope(s) or other claims required."
[Fri Jan 20 15:21:11.548325 2023] [oauth2:debug] [pid 7:tid 140689342269184] src/server/apache.c(390): [client 192.168.20.17:0] oauth2_apache_return_www_authenticate: leave
[Fri Jan 20 15:21:11.548327 2023] [oauth2:debug] [pid 7:tid 140689342269184] src/mod_oauth2.c(232): [client 192.168.20.17:0] oauth2_authz_checker: setting environment variable OAUTH2_BEARER_SCOPE_ERROR to "Bearer error="insufficient_scope", error_description="Different scope(s) or other claims required."" for usage in mod_headers
[Fri Jan 20 15:21:11.548330 2023] [oauth2:debug] [pid 7:tid 140689342269184] src/mod_oauth2.c(240): [client 192.168.20.17:0] oauth2_authz_checker: leave
[Fri Jan 20 15:21:11.548331 2023] [authz_core:debug] [pid 7:tid 140689342269184] mod_authz_core.c(815): [client 192.168.20.17:0] AH01626: authorization result of Require oauth2_claim 'aud:kubepie': denied
[Fri Jan 20 15:21:11.548334 2023] [oauth2:debug] [pid 7:tid 140689342269184] src/mod_oauth2.c(211): [client 192.168.20.17:0] oauth2_authz_checker: enter
[Fri Jan 20 15:21:11.548353 2023] [oauth2:debug] [pid 7:tid 140689342269184] src/server/apache.c(1024): [client 192.168.20.17:0] oauth2_apache_authorize: evaluating claim/expr specification: aud:jupyterhub
[Fri Jan 20 15:21:11.548355 2023] [oauth2:debug] [pid 7:tid 140689342269184] src/server/apache.c(927): [client 192.168.20.17:0] oauth2_apache_authz_match_claim: evaluating key "exp"
[Fri Jan 20 15:21:11.548357 2023] [oauth2:debug] [pid 7:tid 140689342269184] src/server/apache.c(927): [client 192.168.20.17:0] oauth2_apache_authz_match_claim: evaluating key "iat"
...
[Fri Jan 20 15:21:11.548365 2023] [oauth2:debug] [pid 7:tid 140689342269184] src/server/apache.c(839): [client 192.168.20.17:0] oauth2_apache_authz_match_value: matching: spec_c=jupyterhub, key=aud
[Fri Jan 20 15:21:11.548366 2023] [oauth2:debug] [pid 7:tid 140689342269184] src/server/apache.c(927): [client 192.168.20.17:0] oauth2_apache_authz_match_claim: evaluating key "sub"
...
[Fri Jan 20 15:21:11.548398 2023] [oauth2:debug] [pid 7:tid 140689342269184] src/server/apache.c(366): [client 192.168.20.17:0] oauth2_apache_return_www_authenticate: enter
[Fri Jan 20 15:21:11.548400 2023] [oauth2:debug] [pid 7:tid 140689342269184] src/server/apache.c(458): [client 192.168.20.17:0] oauth2_apache_hdr_out_add: WWW-Authenticate: Bearer error="insufficient_scope", error_description="Different scope(s) or other claims required."
[Fri Jan 20 15:21:11.548402 2023] [oauth2:debug] [pid 7:tid 140689342269184] src/server/apache.c(390): [client 192.168.20.17:0] oauth2_apache_return_www_authenticate: leave
[Fri Jan 20 15:21:11.548404 2023] [oauth2:debug] [pid 7:tid 140689342269184] src/mod_oauth2.c(232): [client 192.168.20.17:0] oauth2_authz_checker: setting environment variable OAUTH2_BEARER_SCOPE_ERROR to "Bearer error="insufficient_scope", error_description="Different scope(s) or other claims required."" for usage in mod_headers
[Fri Jan 20 15:21:11.548407 2023] [oauth2:debug] [pid 7:tid 140689342269184] src/mod_oauth2.c(240): [client 192.168.20.17:0] oauth2_authz_checker: leave
[Fri Jan 20 15:21:11.548408 2023] [authz_core:debug] [pid 7:tid 140689342269184] mod_authz_core.c(815): [client 192.168.20.17:0] AH01626: authorization result of Require oauth2_claim 'aud:jupyterhub': denied
[Fri Jan 20 15:21:11.548410 2023] [oauth2:debug] [pid 7:tid 140689342269184] src/mod_oauth2.c(211): [client 192.168.20.17:0] oauth2_authz_checker: enter
[Fri Jan 20 15:21:11.548428 2023] [oauth2:debug] [pid 7:tid 140689342269184] src/server/apache.c(1024): [client 192.168.20.17:0] oauth2_apache_authorize: evaluating claim/expr specification: aud:jupyterhub-review
[Fri Jan 20 15:21:11.548431 2023] [oauth2:debug] [pid 7:tid 140689342269184] src/server/apache.c(927): [client 192.168.20.17:0] oauth2_apache_authz_match_claim: evaluating key "exp"
[Fri Jan 20 15:21:11.548433 2023] [oauth2:debug] [pid 7:tid 140689342269184] src/server/apache.c(927): [client 192.168.20.17:0] oauth2_apache_authz_match_claim: evaluating key "iat"
...
[Fri Jan 20 15:21:11.548441 2023] [oauth2:debug] [pid 7:tid 140689342269184] src/server/apache.c(839): [client 192.168.20.17:0] oauth2_apache_authz_match_value: matching: spec_c=jupyterhub-review, key=aud
[Fri Jan 20 15:21:11.548443 2023] [oauth2:debug] [pid 7:tid 140689342269184] src/server/apache.c(1029): [client 192.168.20.17:0] oauth2_apache_authorize: require claim/expr 'aud:jupyterhub-review' matched
[Fri Jan 20 15:21:11.548446 2023] [oauth2:debug] [pid 7:tid 140689342269184] src/mod_oauth2.c(240): [client 192.168.20.17:0] oauth2_authz_checker: leave
[Fri Jan 20 15:21:11.548448 2023] [authz_core:debug] [pid 7:tid 140689342269184] mod_authz_core.c(815): [client 192.168.20.17:0] AH01626: authorization result of Require oauth2_claim 'aud:jupyterhub-review': granted
[Fri Jan 20 15:21:11.548450 2023] [authz_core:debug] [pid 7:tid 140689342269184] mod_authz_core.c(815): [client 192.168.20.17:0] AH01626: authorization result of <RequireAny>: granted
[Fri Jan 20 15:21:11.548451 2023] [authz_core:debug] [pid 7:tid 140689342269184] mod_authz_core.c(815): [client 192.168.20.17:0] AH01626: authorization result of <RequireAll>: granted
[Fri Jan 20 15:21:11.548453 2023] [authz_core:debug] [pid 7:tid 140689342269184] mod_authz_core.c(815): [client 192.168.20.17:0] AH01626: authorization result of <RequireAny>: granted


It seems that this issue might have been fixed in OpenIDC/mod_auth_openidc@8ed00cc but was not propagated to the OAuth2 module.

Could you please take a look at it and fix it or recommend a solution for us?

/cc @manfuin
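The behaviour in the logs above, modelled in Python as an added illustration (this is not mod_oauth2's own code): each sibling directive inside `<RequireAny>` emits the `WWW-Authenticate` challenge when it is denied, so a request that a later sibling grants still carries the header. The deferred variant computes the container result first and only challenges when the whole container denies. The `key:value` spec form and the `aud` list handling are simplifying assumptions.

```python
"""Model of how Apache's <RequireAny> combines per-directive 'Require
oauth2_claim' results, and why emitting WWW-Authenticate inside each
directive leaks the header onto a granted response."""

INSUFFICIENT_SCOPE = ('Bearer error="insufficient_scope", '
                      'error_description="Different scope(s) or other claims required."')


def claim_matches(claims: dict, spec: str) -> bool:
    """Evaluate one 'key:value' spec against the token claims (assumed
    simplified form). aud may be a string or a list per RFC 7519."""
    key, _, wanted = spec.partition(":")
    value = claims.get(key)
    if isinstance(value, list):
        return wanted in value
    return value == wanted


def authorize_per_directive(claims: dict, specs: list[str]):
    """Behaviour reported in the issue: every denied directive adds a
    WWW-Authenticate header before the container result is known."""
    headers = []
    for spec in specs:
        if claim_matches(claims, spec):
            # authz_core stops at the first granted sibling in <RequireAny>
            return True, headers
        headers.append(("WWW-Authenticate", INSUFFICIENT_SCOPE))
    return False, headers


def authorize_deferred(claims: dict, specs: list[str]):
    """Corrected behaviour: decide the <RequireAny> result first, and add
    the challenge header only when the whole container denies access."""
    granted = any(claim_matches(claims, s) for s in specs)
    headers = [] if granted else [("WWW-Authenticate", INSUFFICIENT_SCOPE)]
    return granted, headers


# Constructed sample mirroring the issue: three audiences, token for the last.
REQUIRE_ANY_SPECS = ["aud:kubepie", "aud:jupyterhub", "aud:jupyterhub-review"]
SAMPLE_CLAIMS = {"sub": "user1", "aud": "jupyterhub-review", "exp": 1674228071}

if __name__ == "__main__":
    print(authorize_per_directive(SAMPLE_CLAIMS, REQUIRE_ANY_SPECS))
    print(authorize_deferred(SAMPLE_CLAIMS, REQUIRE_ANY_SPECS))
```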
