Access token endpoint call fails with mod_auth_openidc

I get the following error messages from the Apache mod_auth_openidc module when trying to get an access token after successful authorization during the authorization code grant flow:

[Fri Aug 02 09:19:55.682417 2024] [auth_openidc:debug] [pid 46548:tid 140693632694016] src/util.c(818): [client 10.143.241.138:25147] oidc_util_http_call: url=https://mysubtenant.mycompany.auth0app.com/oauth/token, data=grant_type=authorization_code&code=D_q7y3AniNUJ81bM4aSdbCIHSwN2OjLBSMLjJvmxspbkc&redirect_uri=https%3A%2F%2Fapache-linux-qa.mytest.mycompany.cloud%2FMyTestApp%2Fredirect_uri&client_id=MyClientID&client_secret=MyClientSecret, content_type=application/x-www-form-urlencoded, basic_auth=null, bearer_token=(null), ssl_validate_server=0, timeout=60, outgoing_proxy=(null), pass_cookies=0, ssl_cert=(null), ssl_key=(null), ssl_key_pwd=(null)
[Fri Aug 02 09:19:55.691199 2024] [auth_openidc:error] [pid 46548:tid 140693632694016] [client 10.143.241.138:25147] oidc_util_http_call: curl_easy_perform() failed on: https://mysubtenant.mycompany.auth0app.com/oauth/token ()
[Fri Aug 02 09:19:55.691259 2024] [auth_openidc:warn] [pid 46548:tid 140693632694016] [client 10.143.241.138:25147] oidc_proto_token_endpoint_request: error when calling the token endpoint (https://mysubtenant.mycompany.auth0app.com/oauth/token)

My Apache configuration looks like this:

OIDCProviderIssuer https://mysubtenant.mycompany.auth0app.com
OIDCProviderAuthorizationEndpoint https://mysubtenant.mycompany.auth0app.com/authorize?connection=main-tenant-oidc
OIDCProviderTokenEndpoint https://mysubtenant.mycompany.auth0app.com/oauth/token
OIDCProviderUserInfoEndpoint https://mysubtenant.mycompany.auth0app.com/userinfo
OIDCProviderTokenEndpointAuth client_secret_post
OIDCSSLValidateServer Off
OIDCOAuthSSLValidateServer Off
OIDCClientID MyClientID
OIDCClientSecret MyClientSecret
OIDCCookiePath /MyTestApp/
OIDCRedirectURI https://apache-linux-qa.mytest.mycompany.cloud/MyTestApp/redirect_uri
OIDCScope "openid email profile"
OIDCCryptoPassphrase "MyPassPhrase"

<Location /MyTestApp/>
   AuthType openid-connect
   Require valid-user
   LogLevel debug
</Location>

When I copy the authorization code along with the other parameters from the log file into a Bruno/Postman request, I get a valid access token.

{
  "client_id": "MyClientID",
  "client_secret": "MyClientSecret",
  "redirect_uri": "https://apache-linux-qa.mytest.mycompany.cloud/MyTestApp/redirect_uri",
  "grant_type": "authorization_code",
  "code": "i8phLCzkZ7Sy7Q_PUm1EANRo1WI1Shnn8vdg0MQQXT2LF"
}

Found the issue. A trailing slash was missing at the OIDCProviderIssuer. Replaced the OIDCProviderIssuer config param by the OIDCProviderMetadataURL config param.
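One way to catch this class of misconfiguration before it reaches Apache is to lint the OIDC* directives against what the provider actually publishes in its discovery document. The script below is an added example for this thread; it is not code from the poster or from mod_auth_openidc. It assumes a discovery document whose `issuer` value carries a trailing slash (a constructed sample built from the fix reported above), and the directive parser, the function names and the `SAMPLE_*` inputs are mine. It reports the exact-match issuer comparison that OpenID Connect requires for the `iss` claim, flags the two disabled TLS-validation directives from the question's configuration, and prints the `OIDCProviderMetadataURL` line that replaces the hard-coded issuer and endpoints.

```python
"""Lint a mod_auth_openidc provider configuration against an OIDC discovery
document.  Added example for this thread; not part of mod_auth_openidc."""
import json
import shlex

# Constructed sample: the provider-related directives from the question above.
SAMPLE_CONFIG = """\
OIDCProviderIssuer https://mysubtenant.mycompany.auth0app.com
OIDCProviderAuthorizationEndpoint https://mysubtenant.mycompany.auth0app.com/authorize?connection=main-tenant-oidc
OIDCProviderTokenEndpoint https://mysubtenant.mycompany.auth0app.com/oauth/token
OIDCProviderUserInfoEndpoint https://mysubtenant.mycompany.auth0app.com/userinfo
OIDCProviderTokenEndpointAuth client_secret_post
OIDCSSLValidateServer Off
OIDCOAuthSSLValidateServer Off
OIDCScope "openid email profile"
"""

# Constructed sample of what <issuer>/.well-known/openid-configuration returns.
# The trailing slash on "issuer" is an assumption that mirrors the fix in the thread.
SAMPLE_DISCOVERY = json.dumps({
    "issuer": "https://mysubtenant.mycompany.auth0app.com/",
    "authorization_endpoint": "https://mysubtenant.mycompany.auth0app.com/authorize",
    "token_endpoint": "https://mysubtenant.mycompany.auth0app.com/oauth/token",
    "userinfo_endpoint": "https://mysubtenant.mycompany.auth0app.com/userinfo",
})


def parse_directives(text):
    """Parse 'Directive value' lines into a dict.  Quoted values are unquoted;
    blank lines, comments and <Location>-style section tags are skipped."""
    directives = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or line.startswith("<"):
            continue
        parts = shlex.split(line)
        if len(parts) >= 2:
            directives[parts[0]] = " ".join(parts[1:])
    return directives


def metadata_url(issuer):
    """Discovery URL per OpenID Connect Discovery: the issuer with
    /.well-known/openid-configuration appended, with any terminating '/'
    on the issuer removed first so no double slash is produced."""
    return issuer.rstrip("/") + "/.well-known/openid-configuration"


def check_issuer(configured, published):
    """Exact string comparison, as OIDC requires for the 'iss' claim.  A
    difference that is only a trailing slash is reported separately because
    it is the most common cause of an issuer mismatch."""
    if configured == published:
        return True, "issuer matches the discovery document exactly"
    if configured.rstrip("/") == published.rstrip("/"):
        return False, (f"trailing-slash mismatch: configured {configured!r}, "
                       f"provider publishes {published!r}")
    return False, f"issuer mismatch: configured {configured!r}, provider publishes {published!r}"


def lint_config(directives, discovery_json):
    """Return a list of (directive, problem) findings."""
    discovery = json.loads(discovery_json)
    findings = []
    ok, reason = check_issuer(directives.get("OIDCProviderIssuer", ""), discovery["issuer"])
    if not ok:
        findings.append(("OIDCProviderIssuer", reason))
    # With TLS validation off, anything on the network path can impersonate
    # the provider's token and userinfo endpoints; keep it for lab use only.
    for directive in ("OIDCSSLValidateServer", "OIDCOAuthSSLValidateServer"):
        if directives.get(directive, "On").lower() == "off":
            findings.append((directive, "TLS certificate validation of the provider is disabled"))
    # Statically configured endpoints that drift from what the provider publishes.
    static = (("OIDCProviderTokenEndpoint", "token_endpoint"),
              ("OIDCProviderUserInfoEndpoint", "userinfo_endpoint"))
    for directive, key in static:
        if directive in directives and directives[directive] != discovery.get(key):
            findings.append((directive, f"differs from published {key} {discovery.get(key)!r}"))
    return findings


def suggested_fix(directives):
    """The replacement the thread settled on: let the module read issuer and
    endpoints from the provider's metadata instead of hard-coding them."""
    return "OIDCProviderMetadataURL " + metadata_url(directives["OIDCProviderIssuer"])


if __name__ == "__main__":
    parsed = parse_directives(SAMPLE_CONFIG)
    for directive, problem in lint_config(parsed, SAMPLE_DISCOVERY):
        print(f"{directive}: {problem}")
    print("suggested:", suggested_fix(parsed))
```

Run against the sample it reports the trailing-slash mismatch on OIDCProviderIssuer and the two disabled validation directives, then prints the metadata URL line. Against a live provider, replace SAMPLE_DISCOVERY with the body fetched from the URL that metadata_url() returns; the issuer comparison stays byte-for-byte on purpose, since the configured value is the string the module later compares against ID-token claims.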

Awesome, glad you were able to get this sorted and thanks for sharing the solution :slight_smile:

