mod_auth_openidc 过期或重定向 401 的 http
expire or redirect http of 401 for mod_auth_openidc
我不确定这是否是在 OIDC 或 apache 中处理的,但我看到的是这个,希望得到一些建议:
一位客户登录了多个 Google 帐户,他们在帐户选择器中单击了错误的帐户,他们收到了 401 未经授权
然后他们尝试返回 OIDC 服务器并继续获得未授权。即使他们清除 cookie 等也是如此。
我能让他们重新登录的唯一可靠方法是他们在 safari 中打开私人 window 或在 Chrome 中打开另一个个性。
有没有办法让 401 重定向到 Google 帐户选择器,然后让 apache 重试?基本上,一旦他们从 apache 获得 401 - 通过 openidc - 就没有再重新授权的好方法。有什么方法可以让人们更轻松地重试登录吗?
提前致谢。我的配置如下:
<VirtualHost _default_:443>
ServerName nameofserver.com
ServerAdmin ops@nameofserver.com
DocumentRoot /var/www/html
Header always set Strict-Transport-Security "max-age=63072000; includeSubDomains"
Header add Set-Cookie "ROUTEID=.%{BALANCER_WORKER_ROUTE}e; path=/" env=BALANCER_ROUTE_CHANGED
SetEnvIf Origin "^(.*\.nameofserver\.co,)$" ORIGIN_SUB_DOMAIN=
Header set Access-Control-Allow-Origin "%{ORIGIN_SUB_DOMAIN}e" env=ORIGIN_SUB_DOMAIN
Header always set Access-Control-Allow-Credentials "true"
ErrorDocument 503 "A custom error message"
RequestHeader set X-Forwarded-Proto "https" early
LimitRequestFieldSize 65000
SSLEngine on
SSLCertificateFile /etc/apache2/pathtoprivcert
SSLCertificateKeyFile /etc/apache2/ssl/pathtoprivkey
SSLProtocol TLSv1.1 TLSv1.2
SSLCipherSuite ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!3DES:!MD5:!PSK
SSLHonorCipherOrder on
SSLCompression off
OIDCProviderMetadataURL https://accounts.google.com/.well-known/openid-configuration
OIDCClientID clientIDfromGoogle@google.com
OIDCClientSecret Averysecrtkey
OIDCScope "openid email profile"
OIDCRedirectURI https://www.nameofserver.com/oauth2callback
OIDCCryptoPassphrase Alsoverysecurekey
OIDCSessionInactivityTimeout 86400
OIDCCookiePath /
OIDCRemoteUserClaim email
OIDCAuthNHeader X-Forwarded-User
LogLevel info
<Proxy balancer://http-nameofserver>
BalancerMember http://www1.nameofserver.com route=0
BalancerMember http://www2.nameofserver.com route=1
BalancerMember http://www3.nameofserver.com route=2
ProxySet lbmethod=byrequests
ProxySet stickysession=ROUTEID
ProxySet failonstatus=503
ProxySet maxattempts=2
</Proxy>
<Proxy balancer://ws-nameofserver>
BalancerMember ws://www1.nameofserver.com route=0
BalancerMember ws://www2.nameofserver.com route=1
BalancerMember ws://www3.nameofserver.com route=2
ProxySet lbmethod=byrequests
ProxySet stickysession=ROUTEID
ProxySet failonstatus=503
ProxySet maxattempts=2
</Proxy>
RewriteEngine On
RewriteCond %{REQUEST_URI} ^/socket.io [NC]
RewriteCond %{QUERY_STRING} transport=websocket [NC]
RewriteRule /(.*) balancer://ws-nameofserver/ [P,L]
ProxyPreserveHost on
ProxyPass / balancer://http-nameofserver/
ProxyPassReverse / balancer://http-nameofserver/
ProxyPass /socket.io/ balancer://ws-nameofserver/socket.io/
ProxyPassReverse /socket.io/ balancer://ws-nameofserver/socket.io/
ProxyRequests Off
AllowEncodedSlashes NoDecode
<Location />
AuthType openid-connect
Require host somealloweddomain.com
Require claim hd:corpsite.com
Require claim hd:someotherdomain.com
Require claim hd:yetanothercompany.com
</Location>
<LocationMatch "^(?!/t/|/an-url|/another-url|/lasturl)/[^/]+">
OIDCUnAuthAction 401
</LocationMatch>
</VirtualHost>
您可以在身份验证请求中添加自定义参数 prompt=select_account,如下所述:
https://github.com/pingidentity/mod_auth_openidc/wiki#13-how-can-i-add-custom-parameters-to-the-authorization-request
所以在你的情况下添加:
OIDCAuthRequestParams prompt=select_account
我不确定这是否是在 OIDC 或 apache 中处理的,但我看到的是这个,希望得到一些建议:
一位客户登录了多个 Google 帐户,他们在帐户选择器中单击了错误的帐户,他们收到了 401 未经授权
然后他们尝试返回 OIDC 服务器并继续获得未授权。即使他们清除 cookie 等也是如此。
我能让他们重新登录的唯一可靠方法是他们在 safari 中打开私人 window 或在 Chrome 中打开另一个个性。
有没有办法让 401 重定向到 Google 帐户选择器,然后让 apache 重试?基本上,一旦他们从 apache 获得 401 - 通过 openidc - 就没有再重新授权的好方法。有什么方法可以让人们更轻松地重试登录吗?
提前致谢。我的配置如下:
<VirtualHost _default_:443>
ServerName nameofserver.com
ServerAdmin ops@nameofserver.com
DocumentRoot /var/www/html
Header always set Strict-Transport-Security "max-age=63072000; includeSubDomains"
Header add Set-Cookie "ROUTEID=.%{BALANCER_WORKER_ROUTE}e; path=/" env=BALANCER_ROUTE_CHANGED
SetEnvIf Origin "^(.*\.nameofserver\.co,)$" ORIGIN_SUB_DOMAIN=
Header set Access-Control-Allow-Origin "%{ORIGIN_SUB_DOMAIN}e" env=ORIGIN_SUB_DOMAIN
Header always set Access-Control-Allow-Credentials "true"
ErrorDocument 503 "A custom error message"
RequestHeader set X-Forwarded-Proto "https" early
LimitRequestFieldSize 65000
SSLEngine on
SSLCertificateFile /etc/apache2/pathtoprivcert
SSLCertificateKeyFile /etc/apache2/ssl/pathtoprivkey
SSLProtocol TLSv1.1 TLSv1.2
SSLCipherSuite ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!3DES:!MD5:!PSK
SSLHonorCipherOrder on
SSLCompression off
OIDCProviderMetadataURL https://accounts.google.com/.well-known/openid-configuration
OIDCClientID clientIDfromGoogle@google.com
OIDCClientSecret Averysecrtkey
OIDCScope "openid email profile"
OIDCRedirectURI https://www.nameofserver.com/oauth2callback
OIDCCryptoPassphrase Alsoverysecurekey
OIDCSessionInactivityTimeout 86400
OIDCCookiePath /
OIDCRemoteUserClaim email
OIDCAuthNHeader X-Forwarded-User
LogLevel info
<Proxy balancer://http-nameofserver>
BalancerMember http://www1.nameofserver.com route=0
BalancerMember http://www2.nameofserver.com route=1
BalancerMember http://www3.nameofserver.com route=2
ProxySet lbmethod=byrequests
ProxySet stickysession=ROUTEID
ProxySet failonstatus=503
ProxySet maxattempts=2
</Proxy>
<Proxy balancer://ws-nameofserver>
BalancerMember ws://www1.nameofserver.com route=0
BalancerMember ws://www2.nameofserver.com route=1
BalancerMember ws://www3.nameofserver.com route=2
ProxySet lbmethod=byrequests
ProxySet stickysession=ROUTEID
ProxySet failonstatus=503
ProxySet maxattempts=2
</Proxy>
RewriteEngine On
RewriteCond %{REQUEST_URI} ^/socket.io [NC]
RewriteCond %{QUERY_STRING} transport=websocket [NC]
RewriteRule /(.*) balancer://ws-nameofserver/ [P,L]
ProxyPreserveHost on
ProxyPass / balancer://http-nameofserver/
ProxyPassReverse / balancer://http-nameofserver/
ProxyPass /socket.io/ balancer://ws-nameofserver/socket.io/
ProxyPassReverse /socket.io/ balancer://ws-nameofserver/socket.io/
ProxyRequests Off
AllowEncodedSlashes NoDecode
<Location />
AuthType openid-connect
Require host somealloweddomain.com
Require claim hd:corpsite.com
Require claim hd:someotherdomain.com
Require claim hd:yetanothercompany.com
</Location>
<LocationMatch "^(?!/t/|/an-url|/another-url|/lasturl)/[^/]+">
OIDCUnAuthAction 401
</LocationMatch>
</VirtualHost>
您可以在身份验证请求中添加自定义参数 prompt=select_account,如下所述:
https://github.com/pingidentity/mod_auth_openidc/wiki#13-how-can-i-add-custom-parameters-to-the-authorization-request
所以在你的情况下添加:
OIDCAuthRequestParams prompt=select_account