Access token endpoint call fails with mod_auth_openidc

elster · August 2, 2024, 10:56am

I get the following error messages from the Apache mod_auth_openidc module when trying to get an access token after successful authorization during the authorization code grant flow:

[Fri Aug 02 09:19:55.682417 2024] [auth_openidc:debug] [pid 46548:tid 140693632694016] src/util.c(818): [client 10.143.241.138:25147] oidc_util_http_call: url=https://mysubtenant.mycompany.auth0app.com/oauth/token, data=grant_type=authorization_code&code=D_q7y3AniNUJ81bM4aSdbCIHSwN2OjLBSMLjJvmxspbkc&redirect_uri=https%3A%2F%2Fapache-linux-qa.mytest.mycompany.cloud%2FMyTestApp%2Fredirect_uri&client_id=MyClientID&client_secret=MyClientSecret, content_type=application/x-www-form-urlencoded, basic_auth=null, bearer_token=(null), ssl_validate_server=0, timeout=60, outgoing_proxy=(null), pass_cookies=0, ssl_cert=(null), ssl_key=(null), ssl_key_pwd=(null)
[Fri Aug 02 09:19:55.691199 2024] [auth_openidc:error] [pid 46548:tid 140693632694016] [client 10.143.241.138:25147] oidc_util_http_call: curl_easy_perform() failed on: https://mysubtenant.mycompany.auth0app.com/oauth/token ()
[Fri Aug 02 09:19:55.691259 2024] [auth_openidc:warn] [pid 46548:tid 140693632694016] [client 10.143.241.138:25147] oidc_proto_token_endpoint_request: error when calling the token endpoint (https://mysubtenant.mycompany.auth0app.com/oauth/token)

My Apache configuration looks like this:

OIDCProviderIssuer https://mysubtenant.mycompany.auth0app.com
OIDCProviderAuthorizationEndpoint https://mysubtenant.mycompany.auth0app.com/authorize?connection=main-tenant-oidc
OIDCProviderTokenEndpoint https://mysubtenant.mycompany.auth0app.com/oauth/token
OIDCProviderUserInfoEndpoint https://mysubtenant.mycompany.auth0app.com/userinfo
OIDCProviderTokenEndpointAuth client_secret_post
OIDCSSLValidateServer Off
OIDCOAuthSSLValidateServer Off
OIDCClientID MyClientID
OIDCClientSecret MyClientSecret
OIDCCookiePath /MyTestApp/
OIDCRedirectURI https://apache-linux-qa.mytest.mycompany.cloud/MyTestApp/redirect_uri
OIDCScope "openid email profile"
OIDCCryptoPassphrase "MyPassPhrase"

<Location /MyTestApp/>
   AuthType openid-connect
   Require valid-user
   LogLevel debug
</Location>

When I copy the authorization code along with the other parameters from the log file into a Bruno/Postman request, then I get a valid access token.

{
  "client_id": "MyClientID",
  "client_secret": "MyClientSecret",
  "redirect_uri": "https://apache-linux-qa.mytest.mycompany.cloud/MyTestApp/redirect_uri",
  "grant_type": "authorization_code",
  "code": "i8phLCzkZ7Sy7Q_PUm1EANRo1WI1Shnn8vdg0MQQXT2LF"
}

elster · August 6, 2024, 10:03am

Found the issue. A trailing slash was missing at the OIDCProviderIssuer. Replaced the OIDCProviderIssuer config param by the OIDCProviderMetadataURL config param.

tyf · August 6, 2024, 7:23pm

Awesome, glad you were able to get this sorted and thanks for sharing the solution

system · August 20, 2024, 7:23pm

This topic was automatically closed 14 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Stuck in OIDC implicit flow Help connections , oidc-enterprise-connection	3	1367	December 2, 2022
Configure OIDC connection for Single-Page-Application Help connections , oidc-enterprise-connection	0	26	September 16, 2024
Server_error When Requesting Access Token in Client Credentials Flow Help management-api , grants	2	19	October 2, 2024
Reducing occurrences of "Password login via OIDC-conformant clients" error Help oidc-conformant , hosted-login-page	5	6447	September 4, 2019
(still issues with) 401/Unauthorized when obtaining token in Authorization Code grant Help login-experience , new-universal-login-experience	3	1372	September 28, 2024

Access token endpoint call fails with mod_auth_openidc

Related Topics