Using PrivateKeyFiles parameter in oidc_settings causes unrecognized key error #2567

Open
uoe-pjackson opened this issue Sep 18, 2024 · 1 comment · May be fixed by #2569
@uoe-pjackson
Describe the Bug

When specifying PrivateKeyFiles parameter for oidc_settings puppet fails with

Error 500 on SERVER: Server Error: Evaluation Error: Error while evaluating a Resource Statement, Apache::Vhost[example.com]: parameter 'oidc_settings' unrecognized key 'PrivateKeyFiles'

It appears that PrivateKeyFiles is missing from the definition of Apache::OIDCSettings, so should be a case of just adding it.

Expected Behaviour

Successful application of the puppet catalog

Steps to Reproduce

Steps to reproduce the behaviour:

  1. Use the following vhost manifest

     apache::vhost { "example.com":
       port              => 80,
       auth_oidc         => true,
       oidc_settings     => {
         'ProviderMetadataURL'       => $oidc_provider_metadata_url,
         'Scope'                     => $oidc_scope,
         'RemoteUserClaim'           => $oidc_remote_user_claim,
         'ClientID'                  => $oidc_client_id,
         'CryptoPassphrase'          => $oidc_crypto_passphrase,
         'PrivateKeyFiles'           => "/etc/pki/tls/private/${siapp_url}-selfsigned.key",
         'PublicKeyFiles'            => "/etc/pki/tls/certs/${siapp_url}-selfsigned.crt",
         'ProviderTokenEndpointAuth' => 'private_key_jwt',
         'RedirectURI'               => '/oidc/redirect',
       }
     }

Environment

  • Puppet: 7
  • Apache Forge: 12.1.0
  • Rocky Linux 8

uoe-pjackson commented Sep 19, 2024

After further investigation there appear to be a number of other configuration parameters in the latest mod_auth_openidc that aren't defined in Apache::OIDCSettings.

The full list is:

CABundlePath
CacheDir
ClientTokenEndpointKeyPassword
CookieDomain
CookiePath
DefaultLoggedOutURL
DPoPMode
FilterClaimsExpr
LogoutRequestParams
LogoutXFrameOptions
MemCacheConnectionsHMax
MemCacheConnectionsMin
MemCacheConnectionsSMax
MemCacheConnectionsTTL
MetricsData
MetricsPublish
OAuthIntrospectionEndpoint
OAuthIntrospectionEndpointKeyPassword
OAuthTokenIntrospectionInterval
PassAccessToken
PKCEMethod
PreservePostTemplates
PrivateKeyFiles
ProviderPushedAuthorizationRequestEndpoint
ProviderSignedJwksUri
ProviderVerifyCertFiles
RedirectURLsAllowed
RedisCacheConnectTimeout
RedisCacheDatabase
RedisCacheTimeout
RedisCacheUsername
StateCookiePrefix
StateInputHeaders
TraceParent
UnAutzAction
UserInfoClaimsExpr
UserInfoSignedResponseAlg
ValidateIssuer

I'm preparing a pull request to add these parameters.
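To make the error in this issue concrete: a Puppet Struct type accepts only the keys it declares, and a hash containing any other key is rejected at catalog compile time with exactly the "unrecognized key" message quoted in the report. The following is an added illustration, not the module's own types/oidcsettings.pp and not the pending pull request: a reduced type alias under a hypothetical Example namespace, with only the keys from the reporter's manifest, showing the PrivateKeyFiles entry whose absence causes the failure, plus a hypothetical class with a typed parameter so the declaration can be seen to compile. Every directive in the list above would be added to the real alias the same way. It assumes puppetlabs-stdlib for the Stdlib::HTTPSUrl type.

```puppet
# Added illustration, not puppetlabs-apache code. Hypothetical module "example".
# This alias would live in <module>/types/oidcsettings.pp.
# Assumes puppetlabs-stdlib is installed (for Stdlib::HTTPSUrl).
#
# Struct[{...}] lists every key the hash may carry. Optional[...] means the key
# may be omitted; a key that does not appear in the map at all fails the type
# match, which is what produced:
#   parameter 'oidc_settings' unrecognized key 'PrivateKeyFiles'
type Example::OIDCSettings = Struct[{
  Optional['ProviderMetadataURL']       => Stdlib::HTTPSUrl,
  Optional['Scope']                     => String[1],
  Optional['RemoteUserClaim']           => String[1],
  Optional['ClientID']                  => String[1],
  Optional['CryptoPassphrase']          => String[1],
  # The entry missing in the version the reporter hit. Kept as String[1] rather
  # than a path type because the directive name is plural and may name more than
  # one file; each directive in the comment above is added as a line like this.
  Optional['PrivateKeyFiles']           => String[1],
  Optional['PublicKeyFiles']            => String[1],
  # 'private_key_jwt', as used in the report, is one accepted value here.
  Optional['ProviderTokenEndpointAuth'] => String[1],
  Optional['RedirectURI']               => String[1],
}]

# Hypothetical consumer (would live in <module>/manifests/sso.pp): a parameter
# typed with the alias, in the same way apache::vhost types oidc_settings.
# With the alias above, the declaration below compiles; with the PrivateKeyFiles
# line removed from the alias it fails at compile time before any Apache
# configuration is written, which is the safeguard a strict Struct provides
# (a misspelled security-relevant directive such as ValidateIssuer is caught
# the same way instead of reaching the vhost config).
class example::sso (
  Example::OIDCSettings $oidc_settings = {},
) {
  # Constructed placeholder: one line per key, mirroring how the settings hash
  # is turned into OIDC* directives in a vhost (illustrative only).
  $oidc_settings.each |String $key, $value| {
    notify { "example::sso OIDC${key}": message => "OIDC${key} ${value}" }
  }
}

# Constructed usage with the same settings as the reporter's manifest:
class { 'example::sso':
  oidc_settings => {
    'ProviderMetadataURL'       => 'https://idp.example.invalid/.well-known/openid-configuration',
    'Scope'                     => 'openid email',
    'RemoteUserClaim'           => 'email',
    'ClientID'                  => 'example-client',
    'CryptoPassphrase'          => 'constructed-placeholder-passphrase',
    'PrivateKeyFiles'           => '/etc/pki/tls/private/example-selfsigned.key',
    'PublicKeyFiles'            => '/etc/pki/tls/certs/example-selfsigned.crt',
    'ProviderTokenEndpointAuth' => 'private_key_jwt',
    'RedirectURI'               => '/oidc/redirect',
  },
}
```

The practical check when reviewing a change like the one the reporter is preparing is to diff the directive list in the type alias against the directives documented by the mod_auth_openidc release the module targets, since the Struct is what decides whether a setting reaches the vhost configuration at all.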
