I've missed something very basic in how mod_auth_openidc works.
I'm using Keycloak, and if I do a curl request to get a token (in other words, I log in with a username and password), then I get back a JWT. Part of the JWT payload contains:
"openid-connect" : {
"roles": ["role-1", "role-2", ..."role-n"]
}
mod_auth_openidc is presumably doing the same request, and getting back the same JWT. However, none of this is being passed on to my app. All I can see is the session Cookie (mod_auth_openidc_session), but there are no OIDC headers or env variables.
What have I missed - how do I persuade mod_auth_openidc to send the Keycloak roles (or anything else) on to the app?
I figured it out. I was testing using the minimal PHP app on the wiki. In my Apache config, I was allowing unauthorised access to this test page:
This doesn't work; mod_auth_openidc sees that no claims are required, and doesn't supply any. If I change the require to something more realistic:
then everything springs into life: the PHP test page shows lots of claims. With require all granted, nothing was passed: not even the REMOTE_USER, so the test page just showed "Hello,", rather than "Hello, [email address]".
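To make the answer concrete, here is an added Apache configuration fragment (not taken from the original post, the mod_auth_openidc wiki, or the Keycloak project) showing the non-working `Require all granted` form next to the working `Require valid-user` form. The hostnames, realm name, client ID, secret and passphrase are placeholders, and the `roles` claim used in the second Location is assumed to be emitted as a top-level claim by a Keycloak protocol mapper; the nested `realm_access.roles` layout Keycloak emits by default is not matched by this line as written.

```apache
# Added example configuration; values below are placeholders, not real credentials.
LoadModule auth_openidc_module modules/mod_auth_openidc.so

# Provider discovery document for the Keycloak realm (hostname and realm assumed).
OIDCProviderMetadataURL https://keycloak.example.com/realms/demo/.well-known/openid-configuration
OIDCClientID            apache-demo
OIDCClientSecret        REPLACE-WITH-CLIENT-SECRET
# Must sit inside a Location that mod_auth_openidc protects, and must not be a real file.
OIDCRedirectURI         https://app.example.com/protected/redirect_uri
# Random value used to encrypt the mod_auth_openidc_session cookie.
OIDCCryptoPassphrase    REPLACE-WITH-LONG-RANDOM-STRING
OIDCScope               "openid email"

# Which claim populates REMOTE_USER, and where the other claims go.
# Claims are exposed as OIDC_CLAIM_<name> (environment, headers or both).
OIDCRemoteUserClaim     email
OIDCPassClaimsAs        environment

# Broken form: AuthType is set, but "Require all granted" needs no authenticated
# user, so the OIDC flow never runs. The PHP test page sees no REMOTE_USER and no
# OIDC_CLAIM_* variables, only whatever session cookie the browser already holds.
# <Location /protected>
#     AuthType openid-connect
#     Require all granted
# </Location>

# Working form: "Require valid-user" forces authentication, so the module
# redirects to Keycloak, stores the id_token claims in the session, and then
# sets REMOTE_USER plus OIDC_CLAIM_* for every request to this Location.
<Location /protected>
    AuthType openid-connect
    Require valid-user
</Location>

# Stricter variant: authenticate and also require a claim value. The claim
# name "roles" is an assumption (a flat claim produced by a Keycloak mapper).
<Location /admin>
    AuthType openid-connect
    Require claim roles:admin
</Location>
```

A quick check after restarting Apache: request /protected from a browser, complete the Keycloak login, and confirm the test page now prints the email address from REMOTE_USER and a list of OIDC_CLAIM_* entries. If the page still shows "Hello," with nothing after it, the Location is still being served without authentication.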