Conditionally setting a header based on Roles #907

c1rdan · 2022-08-17T15:40:14Z

c1rdan
Aug 17, 2022

I have an apache 2.4 acting as reverse proxy for an application. I need to conditionally setup a header for the proxy based on the user roles, but I don't know how to use this inside an If statement.

As an example, this works appropriately:

<Location "/app">
    Require claim roles:app_reader
    RequestHeader set Authorization "Basic ${READER_TOKEN}"
</Location>

However, I need to do something like this:

<Location "/app">
    AuthType openid-connect
    Require valid-user
    <If "%{ENV:OIDC_CLAIM_roles} =~ /.*app_admin.*/">
        RequestHeader set Authorization "Basic ${ADMIN_TOKEN}"
    </If>
    <ElseIf "%{ENV:OIDC_CLAIM_roles} =~ /.*app_reader.*/">
        RequestHeader set Authorization "Basic ${READER_TOKEN}"
    </ElseIf>
</Location>

The latest doesn't work, as I'm not sure how to actually refer to the mod_auth_openidc expression. As reference I have OIDCPassClaimsAs both on the configuration.

I have confirmed with a toy phpinfo() that OIDC_CLAIM_roles is being passed as both header and env. I also tried to use an -n instead of the regex to confirm that's not the problem. The env/regex doesn't appear to be defined on the section.

Any suggestions on which is the proper way of doing this?

Answered by zandbelt

Aug 17, 2022

I don't think that is possible since it appears that <If> statements are processed before authentication happens, see https://httpd.apache.org/docs/current/expr.html#vars
I'd suggest to change the app to read the OIDC roles header rather than the Authorization header.

View full answer

zandbelt · 2022-08-17T17:36:50Z

zandbelt
Aug 17, 2022
Maintainer

I don't think that is possible since it appears that <If> statements are processed before authentication happens, see https://httpd.apache.org/docs/current/expr.html#vars
I'd suggest to change the app to read the OIDC roles header rather than the Authorization header.

3 replies

c1rdan Aug 17, 2022
Author

Sadly I cannot control the application. I could put another proxy in the middle just to handle this, but feels inadequate.

Can you imagine another way of achieving the same thing? I know it's not fully related to mod_auth_openidc by now, but I'm out of ideas.

zandbelt Aug 17, 2022
Maintainer

cook up an apache expression within the RequestHeader primitive like this one:

    RequestHeader set Authorization "Basic admintoken" "expr=reqenv('OIDC_CLAIM_email')=='[email protected]'"

that evaluates roles and sets the header based on that; this way you'd avoid using <If> since that expression is evaluated late/realtime

you can have 2 of those, slightlly more complex because you're doing a "flattened array" comparison

c1rdan Aug 17, 2022
Author

That's a brilliant idea!! Thank you very much ❤️. I have just tested it and appears to do exactly what I need.

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

Uh oh!

Conditionally setting a header based on Roles #907

Uh oh!

{{title}}

Uh oh!

Uh oh!

{{editor}}'s edit

{{editor}}'s edit

Uh oh!

Replies: 1 comment 3 replies

Uh oh!

{{title}}

Uh oh!

Uh oh!

{{title}}

Uh oh!

Uh oh!

{{title}}

Uh oh!

Uh oh!

{{editor}}'s edit

{{editor}}'s edit

Uh oh!

Uh oh!

{{title}}

Uh oh!

Select a reply

Uh oh!

Uh oh!

Conditionally setting a header based on Roles #907

Uh oh!

Uh oh!

c1rdan Aug 17, 2022

Replies: 1 comment · 3 replies

Uh oh!

zandbelt Aug 17, 2022 Maintainer

Uh oh!

c1rdan Aug 17, 2022 Author

Uh oh!

Uh oh!

zandbelt Aug 17, 2022 Maintainer

Uh oh!

c1rdan Aug 17, 2022 Author

c1rdan
Aug 17, 2022

Replies: 1 comment 3 replies

zandbelt
Aug 17, 2022
Maintainer

c1rdan Aug 17, 2022
Author

zandbelt Aug 17, 2022
Maintainer

c1rdan Aug 17, 2022
Author