Bug#1009725: libapache2-mod-auth-openidc: Regression related to handling of redirects

Fri, 15 Apr 2022 06:54:17 -0700 

Package: libapache2-mod-auth-openidc
Version: 2.4.9-1
Severity: normal

Dear Maintainer,

While using libapache2-mod-auth-openidc (version 2.4.9-1) from bullseye with 
following configuration:

OIDCMetadataDir /var/www/apache/metadata
OIDCDiscoverURL /oidc/select_authentication_provider.php

<Location />
        AuthType openid-connect
        Require claim groups:xxxxxxx-xxxx-xxxx-xxxx-xxxxxxxx
</Location>

<Location /oidc>
        OIDCUnAuthAction pass
</Location>


Response is 401 Unauthorized, no redirection is made to 
/oidc/select_authentication_provider.php. Even built-in login page is not 
working after disabling OIDCDiscoverURL.
This is a known regression in the upstream project introduced in 2.4.9-1 
https://github.com/zmartzone/mod_auth_openidc/commit/ac5686495a51bc93e257e42bfdc9c9c46252feb1
 
and fixed in 2.4.9.4-1 
https://github.com/zmartzone/mod_auth_openidc/commit/d6a9361a46753f631b5e683a7e293a950da1e211.

Discussion: 
https://github.com/zmartzone/mod_auth_openidc/discussions/746#discussioncomment-1717573

After installing version 2.4.9.4-1 from github 
https://github.com/zmartzone/mod_auth_openidc/releases/tag/v2.4.9.4 or later, 
issue is fixed. 
Would it be possible to backport this change to package available in bullsyeye?

Thanks a lot.

Greetings,
Kamil

-- System Information:
Debian Release: 11.3
  APT prefers stable-updates
  APT policy: (500, 'stable-updates'), (500, 'stable-security'), (500, 'stable')
Architecture: amd64 (x86_64)

Kernel: Linux 5.10.0-13-amd64 (SMP w/16 CPU threads)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), 
LANGUAGE=en_US:en
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages libapache2-mod-auth-openidc depends on:
ii  apache2-bin [apache2-api-20120211]  2.4.53-1~deb11u1
ii  libc6                               2.31-13+deb11u3
ii  libcjose0                           0.6.1+dfsg1-1
ii  libcurl4                            7.74.0-1.3+deb11u1
ii  libhiredis0.14                      0.14.1-1
ii  libjansson4                         2.13.1-1.1
ii  libpcre3                            2:8.39-13
ii  libssl1.1                           1.1.1n-0+deb11u1

libapache2-mod-auth-openidc recommends no packages.

libapache2-mod-auth-openidc suggests no packages.

-- no debconf information

Reply via email to