Access token endpoint call fails with mod_auth_openidc

elster · August 2, 2024, 10:56am

I get the following error messages from the Apache mod_auth_openidc module when trying to get an access token after successful authorization during the authorization code grant flow:

[Fri Aug 02 09:19:55.682417 2024] [auth_openidc:debug] [pid 46548:tid 140693632694016] src/util.c(818): [client 10.143.241.138:25147] oidc_util_http_call: url=https://mysubtenant.mycompany.auth0app.com/oauth/token, data=grant_type=authorization_code&code=D_q7y3AniNUJ81bM4aSdbCIHSwN2OjLBSMLjJvmxspbkc&redirect_uri=https%3A%2F%2Fapache-linux-qa.mytest.mycompany.cloud%2FMyTestApp%2Fredirect_uri&client_id=MyClientID&client_secret=MyClientSecret, content_type=application/x-www-form-urlencoded, basic_auth=null, bearer_token=(null), ssl_validate_server=0, timeout=60, outgoing_proxy=(null), pass_cookies=0, ssl_cert=(null), ssl_key=(null), ssl_key_pwd=(null)
[Fri Aug 02 09:19:55.691199 2024] [auth_openidc:error] [pid 46548:tid 140693632694016] [client 10.143.241.138:25147] oidc_util_http_call: curl_easy_perform() failed on: https://mysubtenant.mycompany.auth0app.com/oauth/token ()
[Fri Aug 02 09:19:55.691259 2024] [auth_openidc:warn] [pid 46548:tid 140693632694016] [client 10.143.241.138:25147] oidc_proto_token_endpoint_request: error when calling the token endpoint (https://mysubtenant.mycompany.auth0app.com/oauth/token)

My Apache configuration looks like this:

OIDCProviderIssuer https://mysubtenant.mycompany.auth0app.com
OIDCProviderAuthorizationEndpoint https://mysubtenant.mycompany.auth0app.com/authorize?connection=main-tenant-oidc
OIDCProviderTokenEndpoint https://mysubtenant.mycompany.auth0app.com/oauth/token
OIDCProviderUserInfoEndpoint https://mysubtenant.mycompany.auth0app.com/userinfo
OIDCProviderTokenEndpointAuth client_secret_post
OIDCSSLValidateServer Off
OIDCOAuthSSLValidateServer Off
OIDCClientID MyClientID
OIDCClientSecret MyClientSecret
OIDCCookiePath /MyTestApp/
OIDCRedirectURI https://apache-linux-qa.mytest.mycompany.cloud/MyTestApp/redirect_uri
OIDCScope "openid email profile"
OIDCCryptoPassphrase "MyPassPhrase"

<Location /MyTestApp/>
   AuthType openid-connect
   Require valid-user
   LogLevel debug
</Location>

When I copy the authorization code along with the other parameters from the log file into a Bruno/Postman request, then I get a valid access token.

{
  "client_id": "MyClientID",
  "client_secret": "MyClientSecret",
  "redirect_uri": "https://apache-linux-qa.mytest.mycompany.cloud/MyTestApp/redirect_uri",
  "grant_type": "authorization_code",
  "code": "i8phLCzkZ7Sy7Q_PUm1EANRo1WI1Shnn8vdg0MQQXT2LF"
}

elster · August 6, 2024, 10:03am

Found the issue. A trailing slash was missing at the OIDCProviderIssuer. Replaced the OIDCProviderIssuer config param by the OIDCProviderMetadataURL config param.

tyf · August 6, 2024, 7:23pm

Awesome, glad you were able to get this sorted and thanks for sharing the solution

system · August 20, 2024, 7:23pm

This topic was automatically closed 14 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Users can't logout with mod auth openidc Help logout , auth0 , openid , mod_auth_openidc	2	10233	August 30, 2019
Apache + mod_auth_openidc+Auth0 JWT.io apache , auth0 , mod_auth_openidc	0	3086	October 11, 2020
Trying to implement logout with apache openidc mod Help apache	1	4768	March 9, 2020
Apache + mod_auth_openidc, legacy grant types and OIDC conformance Help	3	3731	March 5, 2019
Apache OIDC not redirecting Help login-experience , login-prompt-new-experience	0	290	May 25, 2024

Access token endpoint call fails with mod_auth_openidc

Related Topics