
We have used the mod_auth_openidc module in an Apache server connected to Okta OIDC.
After logging in to Okta, we get multiple redirects back to the redirection and again back to Okta.
Something similar to the issue below:

As discussed in this issue:
https://github.com/zmartzone/mod_auth_openidc/issues/181

I have made sure that the redirect_uri is separate from the actual page load URL.

My setup is exactly as below, with a vanity redirection URL which is protected:
# OIDCRedirectURI is a vanity URL that must point to a path protected by this module but must NOT point to any content
OIDCRedirectURI https://www.example.com/example/redirect_uri
OIDCCryptoPassphrase <password>

<Location /example/>
   AuthType openid-connect
   Require valid-user
   ProxyPass        backendangular/ 
   ProxyPassReverse backendangular/
</Location>

2 Answers


  1. Chosen as BEST ANSWER

    We had a CDN in front of the Apache server. The CDN was caching everything and therefore the cookie was not being set properly. The CDN was respecting all headers like the no-cache header params from Apache.

    Adding a no-cache header like below fixed the issue.

    <FilesMatch "\.(html|htm|js|css)$">
        # Do not generate ETags for these files
        FileETag None
        <IfModule mod_headers.c>
            Header unset ETag
            # Tell browsers and the CDN not to store or reuse these responses
            Header set Cache-Control "max-age=0, no-cache, no-store, must-revalidate"
            Header set Pragma "no-cache"
            Header set Expires "Wed, 11 Jan 1984 05:00:00 GMT"
        </IfModule>
    </FilesMatch>
    

  2. Enable Sticky Session

    We faced a similar challenge of a continuous redirection loop when we had two Apache backend servers with a load balancer.

    The load balancer was configured with round robin, and the first server did validation but the next request went to the other server, which again called authentication.

    We fixed the issue by enabling sticky sessions on the load balancer.

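An added example (not code from the question or either answer): a Python check over a captured redirect chain that flags the symptom the accepted answer describes, cookie-setting responses replayed or storable by a shared cache, and counts repeated bounces to the identity provider. The capture, host names and the `mod_auth_openidc_` cookie names (assumed to be the module's default prefix) are constructed for illustration.

```python
from collections import Counter
from urllib.parse import urlsplit

# Constructed capture of one trip around the loop; hosts, paths and values are invented.
# Cookie names assume mod_auth_openidc's default "mod_auth_openidc_" prefix.
SITE = "www.example.com"
SAMPLE_HOPS = [
    {"url": "https://www.example.com/example/", "status": 302, "headers": {
        "Location": "https://idp.example.org/authorize?state=a1",
        "Set-Cookie": "mod_auth_openidc_state_a1=x; Path=/; HttpOnly",
        "Cache-Control": "max-age=300", "Age": "42"}},
    {"url": "https://idp.example.org/authorize?state=a1", "status": 302, "headers": {
        "Location": "https://www.example.com/example/redirect_uri?code=c1&state=a1"}},
    {"url": "https://www.example.com/example/redirect_uri?code=c1&state=a1", "status": 302,
     "headers": {"Location": "/example/", "Cache-Control": "no-store",
                 "Set-Cookie": "mod_auth_openidc_session=y; Path=/; HttpOnly"}},
    {"url": "https://www.example.com/example/", "status": 302, "headers": {
        "Location": "https://idp.example.org/authorize?state=a1",
        "Set-Cookie": "mod_auth_openidc_state_a1=x; Path=/; HttpOnly",
        "Cache-Control": "max-age=300", "Age": "43"}},
]

def _headers(hop):
    return {k.lower(): v for k, v in hop["headers"].items()}

def cache_findings(hops, site):
    """(hop index, reason) for cookie-setting responses from `site` that a shared cache handled."""
    out = []
    for i, hop in enumerate(hops):
        h = _headers(hop)
        if urlsplit(hop["url"]).hostname != site or "set-cookie" not in h:
            continue
        directives = {d.split("=")[0].strip().lower() for d in h.get("cache-control", "").split(",")}
        if "age" in h:  # Age means the origin did not generate this response for this request
            out.append((i, "Set-Cookie replayed from a cache"))
        if not directives & {"no-store", "private"}:
            out.append((i, "Set-Cookie without no-store/private"))
    return out

def redirect_loops(hops, site):
    """URLs on `site` that sent the browser off-site more than once in a single capture."""
    bounces = Counter()
    for hop in hops:
        target = urlsplit(_headers(hop).get("location", "")).hostname
        if urlsplit(hop["url"]).hostname == site and target not in (None, site):
            bounces[hop["url"]] += 1
    return {url: n for url, n in bounces.items() if n > 1}

if __name__ == "__main__":
    for idx, reason in cache_findings(SAMPLE_HOPS, SITE):
        print(f"hop {idx}: {reason}")
    print("loops:", redirect_loops(SAMPLE_HOPS, SITE))
```

A clean chain, where every cookie-setting response from the site carries `no-store` and no `Age` header, yields no findings.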