Replies: 1 comment 2 replies
-
|
basically RequestHeader set REMOTE_USER "%{OAUTH2_CLAIM_sub}e" env=OAUTH2_CLAIM_sub
RequestHeader set REMOTE_USER "%{OAUTH2_CLAIM_email}e" env=!OAUTH2_CLAIM_subbe aware that this kind of applies namespaces of the two providers on top of each other (i.e. the same |
Beta Was this translation helpful? Give feedback.
-
|
Thank you for sharing this solution 👍 To avoid the following errors: I had to set the remote_user_claim option to a claim that is present in both tokens—for example, "iss". After that, I applied your suggestion to override the REMOTE_USER header. It might be helpful if the module allowed us to disable the remote_user_claim option entirely in such cases, to avoid triggering these errors. That said, my use case might be a bit of an edge case. |
Beta Was this translation helpful? Give feedback.
-
|
I believe it is an edge case indeed: having |
Beta Was this translation helpful? Give feedback.
-
I'm currently using the following directive to define the claim used for remote_user:
OAuth2TargetPass remote_user_claim=subIn my Apache configuration, I use multiple OAuth2TokenVerify directives to accept both opaque and JWT tokens from two different providers. This flexibility is very useful and something I couldn't achieve with mod_auth_openidc.
However, I'm facing an issue: I can only specify a single claim for remote_user_claim. This becomes problematic because the claim containing the desired user identifier differs between providers—for example, one uses sub, while the other uses email.
Ideally, I would like to specify multiple fallback claims, something like:
OAuth2TargetPass remote_user_claim=sub,emailWhere the first available claim with a value would be used as remote_user. Unfortunately, this doesn't seem to be supported.
If anyone has a workaround or a way to implement this behavior with mod_auth2, I’d really appreciate your input!
Beta Was this translation helpful? Give feedback.
All reactions