mod_auth_openidc and CILogon - PullRequest

0 votes
/ April 16, 2020

I am trying to get my Apache instance to authenticate against CILogon. I am trying to set up mod_auth_openidc. However, on startup I see the following in the Apache logs:

[Thu Apr 16 00:24:01.840071 2020] [auth_openidc:error] [pid 90] [client 10.42.0.0:50494] oidc_util_jwt_verify: parsing JWT failed: [src/jose.c:694: oidc_jwe_decrypt_impl]: encrypted JWT could not be decrypted with any of the 1 keys: error for last tried key is: error:0906D06C:PEM routines:PEM_read_bio:no start line [file: jwe.c, function: _cjose_jwe_decrypt_dat_a256gcm\n
[Thu Apr 16 00:24:01.842819 2020] [auth_openidc:error] [pid 90] [client 10.42.0.0:50494] oidc_util_jwt_verify: parsing JWT failed: [src/jose.c:694: oidc_jwe_decrypt_impl]: encrypted JWT could not be decrypted with any of the 1 keys: error for last tried key is: crypto error [file: jwe.c, function: _cjose_jwe_decrypt_dat_a256gcm, line: 1263]\n\n

However, the CILogon login page looks fine. After logging in to my chosen identity provider, I see the following on the web page:

Error:

OpenID Connect Provider error: Remote user could not be set: contact the website administrator

and I see the following errors in my Apache logs:

[Thu Apr 16 00:25:35.576319 2020] [auth_openidc:error] [pid 92] [client 10.42.0.0:51080] oidc_util_jwt_verify: parsing JWT failed: [src/jose.c:694: oidc_jwe_decrypt_impl]: encrypted JWT could not be decrypted with any of the 1 keys: error for last tried key is: error:0906D06C:PEM routines:PEM_read_bio:no start line [file: jwe.c, function: _cjose_jwe_decrypt_dat_a256gcm\n, referer: XXXX
[Thu Apr 16 00:25:35.579052 2020] [auth_openidc:error] [pid 92] [client 10.42.0.0:51080] oidc_util_jwt_verify: parsing JWT failed: [src/jose.c:694: oidc_jwe_decrypt_impl]: encrypted JWT could not be decrypted with any of the 1 keys: error for last tried key is: crypto error [file: jwe.c, function: _cjose_jwe_decrypt_dat_a256gcm, line: 1263]\n\n, referer: XXXX
[Thu Apr 16 00:25:35.579126 2020] [auth_openidc:error] [pid 92] [client 10.42.0.0:51080] oidc_util_jwt_verify: parsing JWT failed: [src/jose.c:694: oidc_jwe_decrypt_impl]: encrypted JWT could not be decrypted with any of the 1 keys: error for last tried key is: crypto error [file: jwe.c, function: _cjose_jwe_decrypt_dat_a256gcm, line: 1263]\n\n, referer: XXXX
[Thu Apr 16 00:25:35.579184 2020] [auth_openidc:error] [pid 92] [client 10.42.0.0:51080] oidc_util_jwt_verify: parsing JWT failed: [src/jose.c:694: oidc_jwe_decrypt_impl]: encrypted JWT could not be decrypted with any of the 1 keys: error for last tried key is: crypto error [file: jwe.c, function: _cjose_jwe_decrypt_dat_a256gcm, line: 1263]\n\n, referer: XXXX
[Thu Apr 16 00:25:36.528559 2020] [auth_openidc:warn] [pid 92] [client 10.42.0.0:51080] oidc_get_remote_user: JSON object did not contain a "email" string, referer: XXXX
[Thu Apr 16 00:25:36.531493 2020] [auth_openidc:error] [pid 92] [client 10.42.0.0:51080] oidc_set_request_user: OIDCRemoteUserClaimis set to "email", but could not set the remote user based on the requested claim "email" and the available claims for the user, referer: XXXX
[Thu Apr 16 00:25:36.531519 2020] [auth_openidc:error] [pid 92] [client 10.42.0.0:51080] oidc_handle_authorization_response: remote user could not be set, referer: XXXX

This is my auth_oidc.conf:

OIDCProviderMetadataURL https://cilogon.org/.well-known/openid-configuration
OIDCClientID  "cilogon:/client_id/XXXX"
OIDCClientSecret  "YYYY"
OIDCRedirectURI  https://ondemand-dev.mydomain.com/oidc/redirect
OIDCCryptoPassphrase  dac1440ef357ac981970
OIDCSessionInactivityTimeout 28800
OIDCSessionMaxDuration 28800
OIDCRemoteUserClaim email
OIDCPassClaimsAs environment
OIDCStripCookies mod_auth_openidc_session mod_auth_openidc_session_chunks mod_auth_openidc_session_0 mod_auth_openidc_session_1

Installed RPMs (CentOS 7):

# rpm -qa | grep -E '(http|mod_)' | sort
httpd24-1.1-19.el7.x86_64
httpd-2.4.6-90.el7.centos.x86_64
httpd24-httpd-2.4.34-15.el7.x86_64
httpd24-httpd-devel-2.4.34-15.el7.x86_64
httpd24-httpd-tools-2.4.34-15.el7.x86_64
httpd24-libcurl-7.61.1-2.el7.x86_64
httpd24-libnghttp2-1.7.1-8.el7.x86_64
httpd24-mod_auth_openidc-2.3.11-1.el7.x86_64
httpd24-mod_ldap-2.4.34-15.el7.x86_64
httpd24-mod_ssl-2.4.34-15.el7.x86_64
httpd24-runtime-1.1-19.el7.x86_64
httpd-tools-2.4.6-90.el7.centos.x86_64
http-parser-2.7.1-8.el7_7.2.x86_64
rh-nodejs6-http-parser-2.7.0-4.el7.x86_64
rh-nodejs6-http-parser-devel-2.7.0-4.el7.x86_64
rh-nodejs6-nodejs-http-signature-1.1.1-2.el7.noarch

Any pointers are much appreciated!

...