OpenID - Authentication - Bad Request

[GVijayAnand]

Dear All,

We have integrated our application authentication with mod_auth_openidc 2.4.12.1 module running on Windows 2019.

Highlevel Flow: Azure AppGateway -> Apache Servers (authentication Module) -> Authentication Services -> Azure AppGateway -> Apache Server -> Application Service.

After pingID authentication, Bad Request is reported in the browser.

Below is the snapshot from Apache error logs:

[Thu Feb 02 11:52:24.698616 2023] [auth_openidc:error] [pid 4104:tid 1432] [client 172.16.0.69:48008] oidc_restore_proto_state: calculated state from cookie does not match state parameter passed back in URL: "Hs8kqVGzlfYSOBFUF69alg781_Q" != "auZcV6g7LbOxWz-xquyZcOTYGcs", referer: https://authenticator.pingone.eu/
[Thu Feb 02 11:52:24.698616 2023] [auth_openidc:error] [pid 4104:tid 1432] [client 172.16.0.69:48008] oidc_authorization_response_match_state: unable to restore state, referer: https://authenticator.pingone.eu/
[Thu Feb 02 11:52:24.698616 2023] [auth_openidc:error] [pid 4104:tid 1432] [client 172.16.0.69:48008] oidc_handle_authorization_response: invalid authorization response state and no default SSO URL is set, sending an error..., referer: https://authenticator.pingone.eu/
[Thu Feb 02 11:52:24.698616 2023] [ssl:debug] [pid 4104:tid 1432] ssl_engine_io.c(1147): [client 172.16.0.69:48008] AH02001: Connection closed to child 56 with standard shutdown (server <>:443)

Could you please suggest how we can resolve the reported problem ?

Regards,
G.Vijay Anand

[zandbelt]

most probably your proxy layer in front of mod_auth_openidc should set X-Forwarded-For header correctly, or alternatively can can configure OIDCStateInputHeaders user-agent , see https://github.com/zmartzone/mod_auth_openidc/blob/v2.4.12.1/auth_openidc.conf#L970-L973