oauth2: token could not be verified even with a valid token

[walidbenhammouda]

hello there,
I am in may last step to validate the token against an application behind an internal IDP but the oauth2 module is not helping as it is rejecting it even with a successful POST. see below the logs:

[Wed Mar 22 00:09:21.182709 2023] [oauth2:debug] [pid 1542189:tid 140341422778112] src/http.c(980): [client 127.0.0.1:42836] oauth2_http_call: enter: url=https://someURL/rest/1.0/idptoken/validatetoken, data=token=sometoken&token_type_hint=access_token&access_token=sometoken, ctx=[ ssl_verify=false hdr
=[ Content-Type=application/x-www-form-urlencoded ] cookie=[ ] ]
[Wed Mar 22 00:09:22.451652 2023] [oauth2:debug] [pid 1542189:tid 140341422778112] src/http.c(1102): [client 127.0.0.1:42836] oauth2_http_call: HTTP response code=200
[Wed Mar 22 00:09:22.452391 2023] [oauth2:debug] [pid 1542189:tid 140341422778112] src/http.c(1121): [client 127.0.0.1:42836] oauth2_http_call: leave [1]: {"login_name":"apiname","firm_name":
"firm","expires_in":1679458523016,"issuer":"firm","client_id":"firm_id"}
[Wed Mar 22 00:09:22.452429 2023] [oauth2:debug] [pid 1542189:tid 140341422778112] src/oauth2.c(399): [client 127.0.0.1:42836] _oauth2_introspect_verify: leave: 0
[Wed Mar 22 00:09:22.452433 2023] [oauth2:debug] [pid 1542189:tid 140341422778112] src/oauth2.c(877): [client 127.0.0.1:42836] oauth2_token_verify: leave: 0
[Wed Mar 22 00:09:22.452437 2023] [oauth2:debug] [pid 1542189:tid 140341422778112] src/server/apache.c(368): [client 127.0.0.1:42836] oauth2_apache_return_www_authenticate: enter
[Wed Mar 22 00:09:22.452443 2023] [oauth2:debug] [pid 1542189:tid 140341422778112] src/server/apache.c(460): [client 127.0.0.1:42836] oauth2_apache_hdr_out_add: WWW-Authenticate: Bearer error="inva
lid_token", error_description="Token could not be verified."
[Wed Mar 22 00:09:22.452447 2023] [oauth2:debug] [pid 1542189:tid 140341422778112] src/server/apache.c(392): [client 127.0.0.1:42836] oauth2_apache_return_www_authenticate: leave
[Wed Mar 22 00:09:22.452449 2023] [oauth2:debug] [pid 1542189:tid 140341422778112] src/mod_oauth2.c(144): [client 127.0.0.1:42836] oauth2_request_handler: leave
[Wed Mar 22 00:09:22.452738 2023] [oauth2:debug] [pid 1542189:tid 140341422778112] src/server/apache.c(335): [client 127.0.0.1:42836] oauth2_apache_request_context_free: dispose request context: 0x
7fa3c40400f0

could you please help to understand that behavior
PS: remote_user_claim=login_name

2-
the second issue is with this library, mod_oauth2 and I guess it is the fault of our internal IDP, can we force the token name in the post parameter? and how? as you may see above I have added access_token in the body to test the library, but I guess you will suggest to use the library [mod_auth_openidc]

thanks again for the help!

[zandbelt]

the introspection response is missing the active boolean claim with value true that is required by RFC 7662, see https://www.rfc-editor.org/rfc/rfc7662#section-2.2; I have added error logs in OpenIDC/liboauth2@41a600e to clarify this situation ; you can set the post parameter name by adding OAuth2AcceptTokenIn post name=<token_name>

[walidbenhammouda]

Hello Zandbelt and thank you for adding the details to the error logs. I am checking with my internal IDP team.

for my second point I was talking about sending POST TO the introspect URL. like this parameter that exists in mod_auth_openidc:

OIDCOAuthIntrospectionTokenParamName

is there an equivalent for mod_oauth2? from the logs it seems hard coded. can you please share the standard link for that?

thank you so much

[zandbelt]

no, RFC 7662 requires token as the parameter name, see: https://www.rfc-editor.org/rfc/rfc7662#section-2.1

[walidbenhammouda]

thanks so much I am closing this topic all clear!

[drzraf]

But Google uses access_token and OIDCOAuthIntrospectionTokenParamName was thus very handy (= absolutely necessary) for such a scenario (where users are authenticated against Google pseudo-OIDC implementation)