mod_auth_openidc and CILogon

I am trying to get my Apache instance to authenticate against CILogon, so I am trying to set up mod_auth_openidc. However, on startup I see this in the Apache logs:

[Thu Apr 16 00:24:01.840071 2020] [auth_openidc:error] [pid 90] [client 10.42.0.0:50494] oidc_util_jwt_verify: parsing JWT failed: [src/jose.c:694: oidc_jwe_decrypt_impl]: encrypted JWT could not be decrypted with any of the 1 keys: error for last tried key is: error:0906D06C:PEM routines:PEM_read_bio:no start line [file: jwe.c, function: _cjose_jwe_decrypt_dat_a256gcm\n
[Thu Apr 16 00:24:01.842819 2020] [auth_openidc:error] [pid 90] [client 10.42.0.0:50494] oidc_util_jwt_verify: parsing JWT failed: [src/jose.c:694: oidc_jwe_decrypt_impl]: encrypted JWT could not be decrypted with any of the 1 keys: error for last tried key is: crypto error [file: jwe.c, function: _cjose_jwe_decrypt_dat_a256gcm, line: 1263]\n\n

but the login page from CILogon looks fine. When I log in at the identity provider I selected, I see this on the web page:

Error:

OpenID Connect Provider error: Remote user could not be set: contact the website administrator

and I see the following errors in my Apache logs:

[Thu Apr 16 00:25:35.576319 2020] [auth_openidc:error] [pid 92] [client 10.42.0.0:51080] oidc_util_jwt_verify: parsing JWT failed: [src/jose.c:694: oidc_jwe_decrypt_impl]: encrypted JWT could not be decrypted with any of the 1 keys: error for last tried key is: error:0906D06C:PEM routines:PEM_read_bio:no start line [file: jwe.c, function: _cjose_jwe_decrypt_dat_a256gcm\n, referer: XXXX
[Thu Apr 16 00:25:35.579052 2020] [auth_openidc:error] [pid 92] [client 10.42.0.0:51080] oidc_util_jwt_verify: parsing JWT failed: [src/jose.c:694: oidc_jwe_decrypt_impl]: encrypted JWT could not be decrypted with any of the 1 keys: error for last tried key is: crypto error [file: jwe.c, function: _cjose_jwe_decrypt_dat_a256gcm, line: 1263]\n\n, referer: XXXX
[Thu Apr 16 00:25:35.579126 2020] [auth_openidc:error] [pid 92] [client 10.42.0.0:51080] oidc_util_jwt_verify: parsing JWT failed: [src/jose.c:694: oidc_jwe_decrypt_impl]: encrypted JWT could not be decrypted with any of the 1 keys: error for last tried key is: crypto error [file: jwe.c, function: _cjose_jwe_decrypt_dat_a256gcm, line: 1263]\n\n, referer: XXXX
[Thu Apr 16 00:25:35.579184 2020] [auth_openidc:error] [pid 92] [client 10.42.0.0:51080] oidc_util_jwt_verify: parsing JWT failed: [src/jose.c:694: oidc_jwe_decrypt_impl]: encrypted JWT could not be decrypted with any of the 1 keys: error for last tried key is: crypto error [file: jwe.c, function: _cjose_jwe_decrypt_dat_a256gcm, line: 1263]\n\n, referer: XXXX
[Thu Apr 16 00:25:36.528559 2020] [auth_openidc:warn] [pid 92] [client 10.42.0.0:51080] oidc_get_remote_user: JSON object did not contain a "email" string, referer: XXXX
[Thu Apr 16 00:25:36.531493 2020] [auth_openidc:error] [pid 92] [client 10.42.0.0:51080] oidc_set_request_user: OIDCRemoteUserClaim is set to "email", but could not set the remote user based on the requested claim "email" and the available claims for the user, referer: XXXX
[Thu Apr 16 00:25:36.531519 2020] [auth_openidc:error] [pid 92] [client 10.42.0.0:51080] oidc_handle_authorization_response: remote user could not be set, referer: XXXX

this is my auth_oidc.conf:

# discovery document of the provider; the module fetches endpoints and keys from it
OIDCProviderMetadataURL https://cilogon.org/.well-known/openid-configuration
# client credentials issued by CILogon at registration
OIDCClientID  "cilogon:/client_id/XXXX"
OIDCClientSecret  "YYYY"
# callback URI handled by the module itself; must match the registered redirect URI
OIDCRedirectURI  https://ondemand-dev.mydomain.com/oidc/redirect
# passphrase used to encrypt the module's state and session cookies
OIDCCryptoPassphrase  dac1440ef357ac981970
# session lifetimes in seconds (8 hours)
OIDCSessionInactivityTimeout 28800
OIDCSessionMaxDuration 28800
# claim whose value is copied into REMOTE_USER
OIDCRemoteUserClaim email
# expose the claims to the application as environment variables
OIDCPassClaimsAs environment
# do not forward the module's own cookies to the application
OIDCStripCookies mod_auth_openidc_session mod_auth_openidc_session_chunks mod_auth_openidc_session_0 mod_auth_openidc_session_1

installed rpms (CentOS 7):

# rpm -qa | grep -E '(http|mod_)' | sort
httpd24-1.1-19.el7.x86_64
httpd-2.4.6-90.el7.centos.x86_64
httpd24-httpd-2.4.34-15.el7.x86_64
httpd24-httpd-devel-2.4.34-15.el7.x86_64
httpd24-httpd-tools-2.4.34-15.el7.x86_64
httpd24-libcurl-7.61.1-2.el7.x86_64
httpd24-libnghttp2-1.7.1-8.el7.x86_64
httpd24-mod_auth_openidc-2.3.11-1.el7.x86_64
httpd24-mod_ldap-2.4.34-15.el7.x86_64
httpd24-mod_ssl-2.4.34-15.el7.x86_64
httpd24-runtime-1.1-19.el7.x86_64
httpd-tools-2.4.6-90.el7.centos.x86_64
http-parser-2.7.1-8.el7_7.2.x86_64
rh-nodejs6-http-parser-2.7.0-4.el7.x86_64
rh-nodejs6-http-parser-devel-2.7.0-4.el7.x86_64
rh-nodejs6-nodejs-http-signature-1.1.1-2.el7.noarch

any pointers are much appreciated!


yee379 (16.04.2020)


Answers (1)


Your OpenID Connect provider must return the email claim for your setup to work.

Hans Z. (21.05.2020)