Inconsistent mod_auth_openidc behavior: 401 without redirect after session idle

[phoecouscousfa]

We're encountering an issue with users receiving a 401 without being redirected to the login screen of the identity provider when they have previously been logged in and then try to access the service again after a period of inactivity.

Apache Configuration:

Here's a relevant section of our Apache configuration using mod_auth_openidc:

RewriteEngine On
RewriteCond %{HTTPS} off
RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI} [R=301,L]
RedirectMatch ^/?$ /myapp

Header always set Strict-Transport-Security "max-age=63072000; includeSubdomains;"
Header always append X-Frame-Options SAMEORIGIN
Header always set Content-Security-Policy "default-src 'self'; frame-src 'self' myidp.de; font-src 'self' 'unsafe-inline' myidp.de; img-src 'self' 'unsafe-inline'; script-src 'self' 'unsafe-inline' 'unsafe-eval' myidp.de; style-src 'self' 'unsafe-inline' myidp.de; connect-src 'self' 'unsafe-inline';"
Header always set X-XSS-Protection "1; mode=block"
TraceEnable Off

<IfModule auth_openidc_module>
    OIDCRefreshAccessTokenBeforeExpiry 240 logout_on_error
    OIDCProviderMetadataURL https://myidp.de/auth/realms/realmx/.well-known/openid-configuration
    OIDCClientID myapp 
    OIDCClientSecret foo
    OIDCRedirectURI /myscripts/redirect_uri
    OIDCCryptoPassphrase bar
    OIDCUnAuthAction auth
</IfModule>

Alias /myapp "/opt/myapp/www/htdocs"
<Directory /opt/myapp/www/htdocs>
    Options -Indexes -FollowSymLinks
    AuthType openid-connect
    Require valid-user
    Header set AccessToken "%{HTTP_OIDC_ACCESS_TOKEN}e"
</Directory>

ScriptAlias /myscripts "/opt/myapp/www/cgi-bin"
<Directory /opt/myapp/www/cgi-bin>
    Options +ExecCGI -FollowSymLinks
    AuthType openid-connect
    Require valid-user
    Header set AccessToken "%{HTTP_OIDC_ACCESS_TOKEN}e"
</Directory>

Expected Behavior:

According to the mod_auth_openidc documentation, any unauthenticated request should be redirected to the identity provider for login.

Observed Behavior:

While authentication works perfectly upon initial login, there's inconsistent behavior after a session is idle for some time:

• Sometimes, on subsequent requests, a 401 response is received without a redirect to the identity provider login screen.
• If the browser is in this state where the 401 without redirect response occurs it occurs every time I open my webservice in a new tab or click on a link leading to my webmice from another website or program.
• Interestingly, eventhough the issue persists when opening more tabs or links, a manual refresh in any of the browsers tabs always resolves the issue, either by redirecting to the login screen or automatically logging the user in.

Troubleshooting Steps:

• We added the OIDCRefreshAccessTokenBeforeExpiry 240 logout_on_error directive (our access token expires in 300)
• We explicitely set OIDCUnAuthAction to auth
• searched logs and docs for the exact cause. The logs show that the mod_auth_openidc_session cookie is null. However I would still think that an invalid session cookie should cause mod_auth_openidc to redirect the user to the identity provider.

Request Logs:

We've included relevant debug logs from Apache for a request that resulted in a 401 without a redirect:
[Wed Mar 06 09:47:16.387442 2024] [auth_openidc:debug] [pid 1289626:tid 139967097194240] src/mod_auth_openidc.c(3944): [client 172.22.252.116:51872] oidc_check_user_id: incoming request: "/myscripts/wm-portal/user_mg_requests?(null)", ap_is_initial_req(r)=1, referer: https://myserver.net/myapp/
[Wed Mar 06 09:47:16.387453 2024] [auth_openidc:debug] [pid 1289626:tid 139967097194240] src/util.c(2539): [client 172.22.252.116:51872] oidc_util_hdr_in_get: Host=myserver.net, referer: https://myserver.net/myapp/
[Wed Mar 06 09:47:16.387460 2024] [auth_openidc:debug] [pid 1289626:tid 139967097194240] src/util.c(2539): [client 172.22.252.116:51872] oidc_util_hdr_in_get: Host=myserver.net, referer: https://myserver.net/myapp/
[Wed Mar 06 09:47:16.387466 2024] [auth_openidc:debug] [pid 1289626:tid 139967097194240] src/util.c(663): [client 172.22.252.116:51872] oidc_get_redirect_uri: determined absolute redirect uri: https://myserver.net/myscripts/redirect_uri, referer: https://myserver.net/myapp/
[Wed Mar 06 09:47:16.387473 2024] [auth_openidc:debug] [pid 1289626:tid 139967097194240] src/util.c(1244): [client 172.22.252.116:51872] oidc_util_get_cookie: returning "mod_auth_openidc_session" = <null>, referer: https://myserver.net/myapp/
[Wed Mar 06 09:47:16.387485 2024] [auth_openidc:debug] [pid 1289626:tid 139967097194240] src/util.c(2539): [client 172.22.252.116:51872] oidc_util_hdr_in_get: Host=myserver.net, referer: https://myserver.net/myapp/
[Wed Mar 06 09:47:16.387650 2024] [auth_openidc:debug] [pid 1289626:tid 139967097194240] src/util.c(2539): [client 172.22.252.116:51872] oidc_util_hdr_in_get: Host=myserver.net, referer: https://myserver.net/myapp/
[Wed Mar 06 09:47:16.387654 2024] [auth_openidc:debug] [pid 1289626:tid 139967097194240] src/util.c(663): [client 172.22.252.116:51872] oidc_get_redirect_uri: determined absolute redirect uri: https://myserver.net/myscripts/redirect_uri, referer: https://myserver.net/myapp/
[Wed Mar 06 09:47:16.387660 2024] [auth_openidc:debug] [pid 1289626:tid 139967097194240] src/util.c(1406): [client 172.22.252.116:51872] oidc_util_request_matches_url: comparing "/myscripts/wm-portal/user_mg_requests"=="/myscripts/redirect_uri", referer: https://myserver.net/myapp/
[Wed Mar 06 09:47:16.387665 2024] [auth_openidc:debug] [pid 1289626:tid 139967097194240] src/util.c(2539): [client 172.22.252.116:51872] oidc_util_hdr_in_get: X-Requested-With=XMLHttpRequest, referer: https://myserver.net/myapp/
[Wed Mar 06 09:47:16.387669 2024] [auth_openidc:debug] [pid 1289626:tid 139967097194240] src/util.c(2539): [client 172.22.252.116:51872] oidc_util_hdr_in_get: X-Requested-With=XMLHttpRequest, referer: https://myserver.net/myapp/
[Wed Mar 06 09:47:16.533241 2024] [auth_openidc:debug] [pid 1288482:tid 139966986307328] src/mod_auth_openidc.c(3944): [client 172.22.252.116:51884] oidc_check_user_id: incoming request: "/myscripts/wm-portal/user_mg_requests?(null)", ap_is_initial_req(r)=1, referer: https://myserver.net/myapp/
[Wed Mar 06 09:47:16.533269 2024] [auth_openidc:debug] [pid 1288482:tid 139966986307328] src/util.c(2539): [client 172.22.252.116:51884] oidc_util_hdr_in_get: Host=myserver.net, referer: https://myserver.net/myapp/
[Wed Mar 06 09:47:16.533273 2024] [auth_openidc:debug] [pid 1288482:tid 139966986307328] src/util.c(2539): [client 172.22.252.116:51884] oidc_util_hdr_in_get: Host=myserver.net, referer: https://myserver.net/myapp/
[Wed Mar 06 09:47:16.533279 2024] [auth_openidc:debug] [pid 1288482:tid 139966986307328] src/util.c(663): [client 172.22.252.116:51884] oidc_get_redirect_uri: determined absolute redirect uri: https://myserver.net/myscripts/redirect_uri, referer: https://myserver.net/myapp/
[Wed Mar 06 09:47:16.533286 2024] [auth_openidc:debug] [pid 1288482:tid 139966986307328] src/util.c(1244): [client 172.22.252.116:51884] oidc_util_get_cookie: returning "mod_auth_openidc_session" = <null>, referer: https://myserver.net/myapp/
[Wed Mar 06 09:47:16.533301 2024] [auth_openidc:debug] [pid 1288482:tid 139966986307328] src/util.c(2539): [client 172.22.252.116:51884] oidc_util_hdr_in_get: Host=myserver.net, referer: https://myserver.net/myapp/
[Wed Mar 06 09:47:16.533476 2024] [auth_openidc:debug] [pid 1288482:tid 139966986307328] src/util.c(2539): [client 172.22.252.116:51884] oidc_util_hdr_in_get: Host=myserver.net, referer: https://myserver.net/myapp/
[Wed Mar 06 09:47:16.533492 2024] [auth_openidc:debug] [pid 1288482:tid 139966986307328] src/util.c(663): [client 172.22.252.116:51884] oidc_get_redirect_uri: determined absolute redirect uri: https://myserver.net/myscripts/redirect_uri, referer: https://myserver.net/myapp/
[Wed Mar 06 09:47:16.533510 2024] [auth_openidc:debug] [pid 1288482:tid 139966986307328] src/util.c(1406): [client 172.22.252.116:51884] oidc_util_request_matches_url: comparing "/myscripts/wm-portal/user_mg_requests"=="/myscripts/redirect_uri", referer: https://myserver.net/myapp/
[Wed Mar 06 09:47:16.533518 2024] [auth_openidc:debug] [pid 1288482:tid 139966986307328] src/util.c(2539): [client 172.22.252.116:51884] oidc_util_hdr_in_get: X-Requested-With=XMLHttpRequest, referer: https://myserver.net/myapp/
[Wed Mar 06 09:47:16.533529 2024] [auth_openidc:debug] [pid 1288482:tid 139966986307328] src/util.c(2539): [client 172.22.252.116:51884] oidc_util_hdr_in_get: X-Requested-With=XMLHttpRequest, referer: https://myserver.net/myapp/

Any insights or suggestions to diagnose and resolve this issue would be greatly appreciated, thank you in advance!

[zandbelt]

iframes or XHR request will not (and should not) be redirected, see: https://github.com/OpenIDC/mod_auth_openidc/wiki/Sessions-and-Timeouts#single-page-applications

[phoecouscousfa]

Ahhh, thank you for the quick response. We'll try to refresh the parent window then.