
I'm utilizing mod_auth_openidc to front an API that has neither authentication nor authorization. The same endpoint also serves UI, so it has interactive and server-to-server queries hitting it. This is something the module has AuthType auth-openidc for. So the module acts as Resource Server in OAuth2.

When configuring this, I realized I accept access tokens from a password grant, so all my users have roles assigned to them and we don't really use scopes on the client IDs. So, naturally, I want to restrict access to the endpoint via role like this:

<Location />
  AuthType auth-openidc
  OIDCOAuthIntrospectionEndpoint https://localhost/oauth2/introspect
  OIDCOAuthRemoteUserClaim sub
  OIDCOAuthClientID 1111
  OIDCOAuthClientSecret 2222
  Require claim roles:MYAPI_ACCESS
</Location>

The validation endpoint is a stock RFC 7662-compliant box and the config is basically the textbook example.

My twist is the Require authz. When using OAuth2 remote validation, openid-connect doesn't seem to look up the user info for the remote user; it just copies all attributes it gets from the /introspect endpoint and tries to match the Require against them.

My question is: how can I make openid-connect look up the corresponding user info (via a call to an existing /userinfo endpoint) once it has the remote user?

mabi

1 Answer


You cannot make the module call the user info endpoint when acting as an OAuth 2.0 Resource Server. What you can do is map the relevant claims to the access token in your Provider.

Hans Z.
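To make the answer concrete, here is an added Python example that is not part of the original thread and not mod_auth_openidc's own code. It models, as I understand the module's behaviour, what a Resource Server has to work with: only the JSON returned by the RFC 7662 introspection endpoint. The `authorize()` function is a hypothetical reimplementation of the `Require claim roles:MYAPI_ACCESS` check with `OIDCOAuthRemoteUserClaim sub` from the question; the introspection responses are constructed samples. The point it shows is the one in the answer: if the Provider does not put `roles` into the token (and therefore into the introspection response), the request is denied no matter what /userinfo would have said.

```python
import json
import time
from typing import Any, Dict, Tuple

# Constructed RFC 7662 introspection responses (not captured from a real server).
# A token whose Provider maps the user's roles into the access token:
INTROSPECTION_WITH_ROLES = json.dumps({
    "active": True,
    "sub": "alice",
    "client_id": "1111",
    "scope": "openid",
    "roles": ["MYAPI_ACCESS", "REPORT_VIEWER"],
    "exp": 4102444800,  # far-future expiry so the sample stays valid
})
# Same user, but the Provider did NOT map roles into the token:
INTROSPECTION_WITHOUT_ROLES = json.dumps({
    "active": True,
    "sub": "alice",
    "client_id": "1111",
    "scope": "openid",
    "exp": 4102444800,
})
# Revoked or expired token: RFC 7662 only requires "active": false.
INTROSPECTION_INACTIVE = json.dumps({"active": False})


def parse_require_claim(directive: str) -> Tuple[str, str]:
    """Split a 'Require claim NAME:VALUE' directive into (NAME, VALUE)."""
    _, _, spec = directive.partition("claim")
    name, sep, value = spec.strip().partition(":")
    if not sep:
        raise ValueError("expected NAME:VALUE after 'Require claim'")
    return name.strip(), value.strip()


def claim_matches(claims: Dict[str, Any], name: str, expected: str) -> bool:
    """Match a claim value; a JSON array matches if any element equals expected."""
    value = claims.get(name)
    if value is None:
        return False
    if isinstance(value, list):
        return any(str(v) == expected for v in value)
    return str(value) == expected


def authorize(introspection_json: str,
              require: str = "Require claim roles:MYAPI_ACCESS",
              remote_user_claim: str = "sub",
              now: float = None) -> Dict[str, Any]:
    """Decide access from the introspection response alone (hypothetical model).

    Returns a dict with 'allowed', 'remote_user' and 'reason'. No /userinfo
    call is made: the only claims available are those in the response.
    """
    now = time.time() if now is None else now
    claims = json.loads(introspection_json)

    # RFC 7662: an inactive token is not usable, whatever else is present.
    if claims.get("active") is not True:
        return {"allowed": False, "remote_user": None, "reason": "token inactive"}
    # Defensive expiry check even though the AS should already reflect it in 'active'.
    if "exp" in claims and float(claims["exp"]) <= now:
        return {"allowed": False, "remote_user": None, "reason": "token expired"}

    remote_user = claims.get(remote_user_claim)
    name, expected = parse_require_claim(require)
    if claim_matches(claims, name, expected):
        return {"allowed": True, "remote_user": remote_user,
                "reason": f"claim {name} contains {expected}"}
    return {"allowed": False, "remote_user": remote_user,
            "reason": f"claim {name!r} missing or lacks {expected!r} in introspection response"}


if __name__ == "__main__":
    for label, body in [("with roles", INTROSPECTION_WITH_ROLES),
                        ("without roles", INTROSPECTION_WITHOUT_ROLES),
                        ("inactive", INTROSPECTION_INACTIVE)]:
        print(label, "->", authorize(body))
```

Running the sample shows `alice` admitted only from the first response; the second is the situation described in the question (valid token, roles live elsewhere) and is denied, which is why the claims have to be mapped into the token at the Provider rather than fetched by the Resource Server.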