1

I have an Apache 2.4 server acting as a reverse proxy for an application. I need to conditionally set up a header for the proxy based on a mod_auth expression. In particular, I'm using mod_auth_openidc and I need to apply the header based on OIDC roles, but I don't know how to use this inside an If statement.

As an example, this works appropriately:

<Location "/app">
    Require claim roles:app_reader
    RequestHeader set Authorization "Basic ${READER_TOKEN}"
</Location>

However, I need to do something like this:

<Location "/app">
    <If "-n %{claim roles:app_admin}">
        RequestHeader set Authorization "Basic ${ADMIN_TOKEN}"
    </If>
    <ElseIf "-n %{claim roles:app_reader}">
        RequestHeader set Authorization "Basic ${READER_TOKEN}"
    </ElseIf>
</Location>

The latter doesn't work, as I'm not sure how to actually refer to the mod_auth expression. Notice this is most probably not specific to my plugin; if you replace claim roles:app_admin with valid-user, I guess the situation is the same.

Specific to my module, however, is that it sets both environment variables and headers with the information I need (OIDC_CLAIM_roles). But they don't appear to be reachable in Location; neither req() nor resp() can find them.

Any suggestions on the proper way of doing this?

lithiium

1 Answer

0

I found the solution thanks to the module creator.

The If sections in Apache are evaluated before authentication, so this is not possible. However, mod_auth_openidc allows doing it with something like:

<Location "/app">
    RequestHeader set Authorization "Basic ${READER_TOKEN}" expr=reqenv('OIDC_CLAIM_roles')=~/app_reader/
    RequestHeader set Authorization "Basic ${ADMIN_TOKEN}" expr=reqenv('OIDC_CLAIM_roles')=~/app_admin/
</Location>
lithiium
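A hardened variant of the configuration in the answer above, added here as an example and not taken from the original post or from the module's author: it anchors the role match to whole list elements and strips any client-supplied Authorization header first. It assumes that mod_auth_openidc joins multi-valued claims with a comma in OIDC_CLAIM_roles, that AuthType openid-connect is already configured for this location as in the question, and that only holders of one of the two roles should reach the backend.

```apache
<Location "/app">
    # Assumed policy: only users holding one of the two roles get through.
    # Several bare Require lines are combined as RequireAny.
    Require claim roles:app_admin
    Require claim roles:app_reader

    # Drop whatever Authorization header the client sent, so it can never be
    # forwarded to the backend when neither expression below matches.
    RequestHeader unset Authorization

    # Unanchored form from the answer: the regex also matches any role name
    # that merely contains the string, e.g. "not_app_admin" (constructed name).
    #   expr=reqenv('OIDC_CLAIM_roles')=~/app_admin/

    # Anchored form: the role must be a whole element of the list.
    # Assumes the values are joined with "," (see the note above).
    # Reader first, admin last, so the admin token wins for users with both.
    RequestHeader set Authorization "Basic ${READER_TOKEN}" "expr=reqenv('OIDC_CLAIM_roles') =~ /(^|,)app_reader(,|$)/"
    RequestHeader set Authorization "Basic ${ADMIN_TOKEN}" "expr=reqenv('OIDC_CLAIM_roles') =~ /(^|,)app_admin(,|$)/"
</Location>
```

If the module is configured with a different claim delimiter, the `,` in both regexes has to be changed to match it.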