Forbidden 403 for OIDC with OIDC_ACCESS_TOKEN with AJP/JK #995
CapgG-sleeke started this conversation in General
Replies: 1 comment
Please see https://github.com/zmartzone/mod_auth_openidc/wiki/Cookies#state-cookies-are-piling-up and use a version >= 2.4.11.
-
We have a Java application that sits behind an Apache proxy via mod_ajp/jk, where Apache completes the authentication.
We have a regular but intermittent issue where we see a Forbidden HTTP 403 returned to the user on the application screen, and when they click back/refresh the application screen doesn't then render properly, but it does render. The user can log out of the application and then log back in, and they can continue their work without issue.
The client/browser behavior is that openidc session state cookies start to increase, and the JK log file shows an lb worker failure with "failed appending the header value for header 'OIDC_access_token'". With this error the worker state then goes into error with an unrecoverable 413.
The interesting thing is we only see this behavior appear where there are multiple Apache servers configured. With the same application without multiple Apache servers, we never see the issue appear.
The issue can't be reproduced at will, and the same behavior/activity in the Java application won't reproduce the same issue. When the user has the issue, though, we can trace back their session and the errors in the log files.