How to verify Cloudflare JWT and still do OIDC login?

[studersi]

Is there a way to verify the Cloudflare JWT and still do an OIDC login?

When using the Cloudflare Zero Trust feature, Cloudflare issues a JWT to the backend, both as a Header and a Cookie: https://developers.cloudflare.com/cloudflare-one/identity/authorization-cookie/validating-json/#verify-the-jwt-manually.

Copy the JWT from the CF_Authorization cookie or from the Cf-Access-Jwt-Assertion request header.

The JWT from Cloudflare token can be verified with AuthType oauth2 as discussed in OpenIDC/mod_oauth2#66 or with AuthType auth-openidc as discussed in on https://github.com/OpenIDC/mod_auth_openidc/wiki/Single-Page-Applications#allowing-both-oauth-20-and-openid-connect.

Using the latter (i.e. AuthType auth-openidc) can be used to allow access with either OAuth2 or OIDC, alternativey: https://stackoverflow.com/questions/61878919/how-can-i-allow-multiple-authentication-types-in-apache.

Is it also possible to restrict access by verifying the Cloudflare JWT but then perform an additional but distinct OIDC login? Can this be achieved with either AuthType auth-openidc or a combination of AuthType oauth2 and AuthType openid-connect?

Note: There is also https://httpd.apache.org/docs/trunk/mod/mod_autht_jwt.html but it does not appear to be available as a stable module yet and it also appears to be restricted to reading the JWT from the Authorization: Bearer ... header.

In our tests, the behavior was that the JWT was verified successfully and OIDC login was skipped, or, when using RequireAll for claims from both OAuth2 and OIDC, verification failed because the JWT did not contain the necessary OIDC claims.

For example, the following results in successful JWT verification but no OIDC login if a JWT is present and an OIDC login if no JWT is present:

AuthType auth-openidc
OIDCOAuthAcceptTokenAs header:cf-access-jwt-assertion cookie:CF_Authorization
<RequireAny>
    Require claim client_id:[CLIENT_ID]
    <RequireAll>
        Require claim iss:https://[ACCOUNT_NAME].cloudflareaccess.com
        Require claim aud:[AUD_CLAIM]
    </RequireAll>
</RequireAny>

The following example on the other hand results in failed JWT verification because of a missing client_id claim:

AuthType auth-openidc
OIDCOAuthAcceptTokenAs header:cf-access-jwt-assertion cookie:CF_Authorization
<RequireAll>
    Require claim client_id:[CLIENT_ID]
    <RequireAll>
        Require claim iss:https://[ACCOUNT_NAME].cloudflareaccess.com
        Require claim aud:[AUD_CLAIM]
    </RequireAll>
</RequireAll>

[zandbelt]

AuthType auth-openidc by design requires only of of the two to succeed. Your 2nd example seems the same as the 1st example?

[studersi]

The examples are actually not identical, the first one uses <RequireAny>, the second one uses <RequireAll>.

[zandbelt]

ah, I see; I guess you can do tihs with mod_oauth2 and mod_auth_openidc in two different vhosts (or servers), vhost1 and vhost2 respectively. vhost1 would trigger mod_oauth2 and then ProxyPass to vhost2 that handles OIDC

[studersi]

Yes, we thought about this as well but it felt like a bit of a workaround, so we were wondering if there is a better solution. Thank you anyway!