User not authenticated after Debian 13 Trixie upgrade

[cjs59]

I had a Debian 12 Bookworm server which used mod_auth_openidc to authenticate users against Entra ID, and a group file to restrict access to a few users.

I upgraded to Debian 13 Trixie and now the browser gets an immediate 401 Unauthorized error - it never redirects to Entra ID. This happens whether I've got an existing Entra ID session, or if I'm in a new private browser window.

It didn't work with the Require group changed to Require user. However, it did work correctly with Require valid-user, showing the correct username in access.log.

The auth-related configuration from /etc/apache2/sites-enabled/hostname.mydomain-ssl.conf is:

<VirtualHost _default_:443>
    <Location />
        AuthType openid-connect
        Require valid-user
        #Require user me@mydomain
        #AuthGroupFile /etc/apache2/htgroup
        #Require group admin
    </Location>
</VirtualHost>

All of the configuration in /etc/apache2/conf-enabled/auth_openidc.conf is:

OIDCRedirectURI "/.oidc/redirect"
OIDCCryptoPassphrase "..."
OIDCProviderMetadataURL "https://sts.windows.net/.../.well-known/openid-configuration"
OIDCScope "openid email profile"
OIDCAuthRequestParams "domain_hint=mydomain"
OIDCProviderAuthRequestMethod POST
OIDCClientID "..."
OIDCClientSecret "..."
OIDCStateMaxNumberOfCookies 5 true
OIDCSessionInactivityTimeout 14400
OIDCRemoteUserClaim upn
OIDCXForwardedHeaders none

Apache is 2.4.66-1~deb13u1, and libapache2-mod-auth-openidc was 2.4.17-1 from Debian and then upgraded to libapache2-mod-auth-openidc_2.4.19.1-1.trixie_amd64.deb from this repository.

I've attached the 2.4.19.1 debug log for the valid-user option - I closed the browser after it was redirected to Entra ID.

The debug log for the user option is identical (except for ephemeral data like port numbers, cookie IDs, etc) up to the oidc_proto_request_auth: return: 0 line, then it terminates with authz_core:error AH01631: user : authorization failure for "/":

I tried the following, but still got 401 Unauthorized rather than the login page:

• Requiring both valid-user and a specific user:

<RequireAll>
    Require valid-user
    Require user me@mydomain
</RequireAll>

• Adding Require valid-user for the RedirectURI:

<Location /.oidc/redirect>
    Require valid-user
</Location>

• Removing the gunicorn proxy configuration so it's just serving static pages from /var/www/html.

I've not found any other discussions with this exact problem - the nearest had the same symptoms but with Require claim, and were fixed in 2.4.17.2.

Can you suggest what's causing this problem, or anything else can I do to debug it?

[zandbelt]

I suspect a regression with OIDCProviderAuthRequestMethod POST, can you try removing this primitive for test purposes?

[cjs59]

Thank you, it works correctly with OIDCProviderAuthRequestMethod GET.

[zandbelt]

thanks for confirming: we'll reproduce and fix it asap. for a later 2.4.19.2 release

[zandbelt]

It turns out that the issue is more fundamental: because of the changed approach to requests that generate HTML content the "Require user" is not compatible anymore; fixing it is possibly but basically requires copying the code from mod_authz_user into mod_auth_openidc which does not seem very elegant. For now we'll just list "Require user" to be incompatible with OIDCProviderAuthRequestMethod POST in https://github.com/OpenIDC/mod_auth_openidc/wiki/Known-Limitations

[zandbelt]

see here https://github.com/OpenIDC/mod_auth_openidc/wiki/Known-Limitations#authorization-with-require-user-using-oidcproviderauthrequestmethod-post also for the advised workaround.