mod_auth_openidc and cilogon

Problem description

I am trying to get my apache instance to authenticate against CILogon. I am trying to configure mod_auth_openidc. However, on startup I see this in the apache log:

[Thu Apr 16 00:24:01.840071 2020] [auth_openidc:error] [pid 90] [client 10.42.0.0:50494] oidc_util_jwt_verify: parsing JWT failed: [src/jose.c:694: oidc_jwe_decrypt_impl]: encrypted JWT could not be decrypted with any of the 1 keys: error for last tried key is: error:0906D06C:PEM routines:PEM_read_bio:no start line [file: jwe.c, function: _cjose_jwe_decrypt_dat_a256gcm\n
[Thu Apr 16 00:24:01.842819 2020] [auth_openidc:error] [pid 90] [client 10.42.0.0:50494] oidc_util_jwt_verify: parsing JWT failed: [src/jose.c:694: oidc_jwe_decrypt_impl]: encrypted JWT could not be decrypted with any of the 1 keys: error for last tried key is: crypto error [file: jwe.c, function: _cjose_jwe_decrypt_dat_a256gcm, line: 1263]\n\n

But the CILogon login page looks fine. After logging in at the identity provider I chose, I see this in the web page:

Error:

OpenID Connect Provider error: Remote user could not be set: contact the website administrator

And I see the following errors in my apache log:

[Thu Apr 16 00:25:35.576319 2020] [auth_openidc:error] [pid 92] [client 10.42.0.0:51080] oidc_util_jwt_verify: parsing JWT failed: [src/jose.c:694: oidc_jwe_decrypt_impl]: encrypted JWT could not be decrypted with any of the 1 keys: error for last tried key is: error:0906D06C:PEM routines:PEM_read_bio:no start line [file: jwe.c, function: _cjose_jwe_decrypt_dat_a256gcm\n, referer: XXXX
[Thu Apr 16 00:25:35.579052 2020] [auth_openidc:error] [pid 92] [client 10.42.0.0:51080] oidc_util_jwt_verify: parsing JWT failed: [src/jose.c:694: oidc_jwe_decrypt_impl]: encrypted JWT could not be decrypted with any of the 1 keys: error for last tried key is: crypto error [file: jwe.c, function: _cjose_jwe_decrypt_dat_a256gcm, line: 1263]\n\n, referer: XXXX
[Thu Apr 16 00:25:35.579126 2020] [auth_openidc:error] [pid 92] [client 10.42.0.0:51080] oidc_util_jwt_verify: parsing JWT failed: [src/jose.c:694: oidc_jwe_decrypt_impl]: encrypted JWT could not be decrypted with any of the 1 keys: error for last tried key is: crypto error [file: jwe.c, function: _cjose_jwe_decrypt_dat_a256gcm, line: 1263]\n\n, referer: XXXX
[Thu Apr 16 00:25:35.579184 2020] [auth_openidc:error] [pid 92] [client 10.42.0.0:51080] oidc_util_jwt_verify: parsing JWT failed: [src/jose.c:694: oidc_jwe_decrypt_impl]: encrypted JWT could not be decrypted with any of the 1 keys: error for last tried key is: crypto error [file: jwe.c, function: _cjose_jwe_decrypt_dat_a256gcm, line: 1263]\n\n, referer: XXXX
[Thu Apr 16 00:25:36.528559 2020] [auth_openidc:warn] [pid 92] [client 10.42.0.0:51080] oidc_get_remote_user: JSON object did not contain a "email" string, referer: XXXX
[Thu Apr 16 00:25:36.531493 2020] [auth_openidc:error] [pid 92] [client 10.42.0.0:51080] oidc_set_request_user: OIDCRemoteUserClaimis set to "email", but could not set the remote user based on the requested claim "email" and the available claims for the user, referer: XXXX
[Thu Apr 16 00:25:36.531519 2020] [auth_openidc:error] [pid 92] [client 10.42.0.0:51080] oidc_handle_authorization_response: remote user could not be set, referer: XXXX

Here is my auth_oidc.conf

OIDCProviderMetadataURL https://cilogon.org/.well-known/openid-configuration
OIDCClientID  "cilogon:/client_id/XXXX"
OIDCClientSecret  "YYYY"
OIDCRedirectURI  https://ondemand-dev.mydomain.com/oidc/redirect
OIDCCryptoPassphrase  dac1440ef357ac981970
OIDCSessionInactivityTimeout 28800
OIDCSessionMaxDuration 28800
OIDCRemoteUserClaim email
OIDCPassClaimsAs environment
OIDCStripCookies mod_auth_openidc_session mod_auth_openidc_session_chunks mod_auth_openidc_session_0 mod_auth_openidc_session_1

Installed rpms (centos7):

# rpm -qa | grep -E '(http|mod_)' | sort
httpd24-1.1-19.el7.x86_64
httpd-2.4.6-90.el7.centos.x86_64
httpd24-httpd-2.4.34-15.el7.x86_64
httpd24-httpd-devel-2.4.34-15.el7.x86_64
httpd24-httpd-tools-2.4.34-15.el7.x86_64
httpd24-libcurl-7.61.1-2.el7.x86_64
httpd24-libnghttp2-1.7.1-8.el7.x86_64
httpd24-mod_auth_openidc-2.3.11-1.el7.x86_64
httpd24-mod_ldap-2.4.34-15.el7.x86_64
httpd24-mod_ssl-2.4.34-15.el7.x86_64
httpd24-runtime-1.1-19.el7.x86_64
httpd-tools-2.4.6-90.el7.centos.x86_64
http-parser-2.7.1-8.el7_7.2.x86_64
rh-nodejs6-http-parser-2.7.0-4.el7.x86_64
rh-nodejs6-http-parser-devel-2.7.0-4.el7.x86_64
rh-nodejs6-nodejs-http-signature-1.1.1-2.el7.noarch

Any pointers much appreciated!

Tags: apache, mod-auth-openidc

Solution

Your OpenID Connect provider should return the email claim for your setup to work.


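For reference, here is an added example configuration (it is not part of the answer above and not taken from the CILogon or mod_auth_openidc documentation) that makes the point explicit. mod_auth_openidc only asks the provider for the scopes listed in OIDCScope, whose default is just "openid", so a provider will normally include an email claim only when the email scope is requested. The client ID, client secret, hostname and passphrase below are placeholders, and the /protected location is an assumed path.

```apacheconf
# Added example: minimal mod_auth_openidc fragment that requests the scopes
# needed for the "email" claim. Values marked PLACEHOLDER are not real
# credentials; ondemand-dev.example.org and /protected are assumed names.
OIDCProviderMetadataURL https://cilogon.org/.well-known/openid-configuration
OIDCClientID            "cilogon:/client_id/PLACEHOLDER"
OIDCClientSecret        "PLACEHOLDER-client-secret"
OIDCRedirectURI         https://ondemand-dev.example.org/oidc/redirect

# Request the email scope explicitly; with the default OIDCScope of just
# "openid" the provider has no reason to return an email claim at all.
OIDCScope               "openid email"

# Map REMOTE_USER to the email claim. This can only succeed once the claim
# is actually present in the id_token or the userinfo response.
OIDCRemoteUserClaim     email

# Expose all claims to the application as OIDC_CLAIM_* environment
# variables, which is the easiest way to see what the provider returned.
OIDCPassClaimsAs        environment

# Long random secret used to encrypt state and session cookies; generate a
# fresh one (for example with `openssl rand -hex 32`) instead of a short value.
OIDCCryptoPassphrase    "PLACEHOLDER-long-random-passphrase"
OIDCSessionInactivityTimeout 28800
OIDCSessionMaxDuration       28800

# The redirect URI must sit under a location handled by the module.
<Location /oidc/redirect>
    AuthType openid-connect
    Require valid-user
</Location>

# Whatever you actually want to protect.
<Location /protected>
    AuthType openid-connect
    Require valid-user
</Location>
```

After restarting httpd, a successful login to /protected will make the returned claims visible to the application as OIDC_CLAIM_email and friends; checking for OIDC_CLAIM_email there is the quickest way to confirm the provider is really sending the claim before relying on OIDCRemoteUserClaim to populate REMOTE_USER.
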