mod_auth_openidc and cilogon

0

I am trying to get my Apache instance to authenticate against CILogon. I am trying to configure mod_auth_openidc. However, at startup I see in the Apache logs:

[Thu Apr 16 00:24:01.840071 2020] [auth_openidc:error] [pid 90] [client 10.42.0.0:50494] oidc_util_jwt_verify: parsing JWT failed: [src/jose.c:694: oidc_jwe_decrypt_impl]: encrypted JWT could not be decrypted with any of the 1 keys: error for last tried key is: error:0906D06C:PEM routines:PEM_read_bio:no start line [file: jwe.c, function: _cjose_jwe_decrypt_dat_a256gcm\n
[Thu Apr 16 00:24:01.842819 2020] [auth_openidc:error] [pid 90] [client 10.42.0.0:50494] oidc_util_jwt_verify: parsing JWT failed: [src/jose.c:694: oidc_jwe_decrypt_impl]: encrypted JWT could not be decrypted with any of the 1 keys: error for last tried key is: crypto error [file: jwe.c, function: _cjose_jwe_decrypt_dat_a256gcm, line: 1263]\n\n

but the CILogon login page seems to be fine. After logging in at my chosen identity provider, on the web page I see:

Error:

OpenID Connect Provider error: Remote user could not be set: contact the website administrator

and I see the following errors in my apache logs:

[Thu Apr 16 00:25:35.576319 2020] [auth_openidc:error] [pid 92] [client 10.42.0.0:51080] oidc_util_jwt_verify: parsing JWT failed: [src/jose.c:694: oidc_jwe_decrypt_impl]: encrypted JWT could not be decrypted with any of the 1 keys: error for last tried key is: error:0906D06C:PEM routines:PEM_read_bio:no start line [file: jwe.c, function: _cjose_jwe_decrypt_dat_a256gcm\n, referer: XXXX
[Thu Apr 16 00:25:35.579052 2020] [auth_openidc:error] [pid 92] [client 10.42.0.0:51080] oidc_util_jwt_verify: parsing JWT failed: [src/jose.c:694: oidc_jwe_decrypt_impl]: encrypted JWT could not be decrypted with any of the 1 keys: error for last tried key is: crypto error [file: jwe.c, function: _cjose_jwe_decrypt_dat_a256gcm, line: 1263]\n\n, referer: XXXX
[Thu Apr 16 00:25:35.579126 2020] [auth_openidc:error] [pid 92] [client 10.42.0.0:51080] oidc_util_jwt_verify: parsing JWT failed: [src/jose.c:694: oidc_jwe_decrypt_impl]: encrypted JWT could not be decrypted with any of the 1 keys: error for last tried key is: crypto error [file: jwe.c, function: _cjose_jwe_decrypt_dat_a256gcm, line: 1263]\n\n, referer: XXXX
[Thu Apr 16 00:25:35.579184 2020] [auth_openidc:error] [pid 92] [client 10.42.0.0:51080] oidc_util_jwt_verify: parsing JWT failed: [src/jose.c:694: oidc_jwe_decrypt_impl]: encrypted JWT could not be decrypted with any of the 1 keys: error for last tried key is: crypto error [file: jwe.c, function: _cjose_jwe_decrypt_dat_a256gcm, line: 1263]\n\n, referer: XXXX
[Thu Apr 16 00:25:36.528559 2020] [auth_openidc:warn] [pid 92] [client 10.42.0.0:51080] oidc_get_remote_user: JSON object did not contain a "email" string, referer: XXXX
[Thu Apr 16 00:25:36.531493 2020] [auth_openidc:error] [pid 92] [client 10.42.0.0:51080] oidc_set_request_user: OIDCRemoteUserClaimis set to "email", but could not set the remote user based on the requested claim "email" and the available claims for the user, referer: XXXX
[Thu Apr 16 00:25:36.531519 2020] [auth_openidc:error] [pid 92] [client 10.42.0.0:51080] oidc_handle_authorization_response: remote user could not be set, referer: XXXX

this is my auth_oidc.conf

OIDCProviderMetadataURL https://cilogon.org/.well-known/openid-configuration
OIDCClientID  "cilogon:/client_id/XXXX"
OIDCClientSecret  "YYYY"
OIDCRedirectURI  https://ondemand-dev.mydomain.com/oidc/redirect
OIDCCryptoPassphrase  dac1440ef357ac981970
OIDCSessionInactivityTimeout 28800
OIDCSessionMaxDuration 28800
OIDCRemoteUserClaim email
OIDCPassClaimsAs environment
OIDCStripCookies mod_auth_openidc_session mod_auth_openidc_session_chunks mod_auth_openidc_session_0 mod_auth_openidc_session_1

installed rpms (centos7):

# rpm -qa | grep -E '(http|mod_)' | sort
httpd24-1.1-19.el7.x86_64
httpd-2.4.6-90.el7.centos.x86_64
httpd24-httpd-2.4.34-15.el7.x86_64
httpd24-httpd-devel-2.4.34-15.el7.x86_64
httpd24-httpd-tools-2.4.34-15.el7.x86_64
httpd24-libcurl-7.61.1-2.el7.x86_64
httpd24-libnghttp2-1.7.1-8.el7.x86_64
httpd24-mod_auth_openidc-2.3.11-1.el7.x86_64
httpd24-mod_ldap-2.4.34-15.el7.x86_64
httpd24-mod_ssl-2.4.34-15.el7.x86_64
httpd24-runtime-1.1-19.el7.x86_64
httpd-tools-2.4.6-90.el7.centos.x86_64
http-parser-2.7.1-8.el7_7.2.x86_64
rh-nodejs6-http-parser-2.7.0-4.el7.x86_64
rh-nodejs6-http-parser-devel-2.7.0-4.el7.x86_64
rh-nodejs6-nodejs-http-signature-1.1.1-2.el7.noarch

any pointers much appreciated!

0

Your OpenID Connect provider must return the `email` claim for your configuration to work.
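A way to check locally which claims actually come back before changing OIDCRemoteUserClaim. This is an added Python example, not part of the question or the answer and not mod_auth_openidc's own code: it decodes an id_token payload without verifying it (triage only; the module itself verifies tokens) and applies the rule behind the logged "JSON object did not contain a "email" string" message. The merged id_token/userinfo lookup is an assumed simplification of the module's behaviour, and the sample token and claim values are constructed.

```python
import base64
import json


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(segment: str) -> bytes:
    # JWT segments drop the '=' padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def jwt_payload(token: str) -> dict:
    """Decode the claims of a compact JWS without verifying the signature.
    Triage only: mod_auth_openidc verifies the token before trusting claims."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("expected header.payload.signature")
    return json.loads(b64url_decode(parts[1]))


def resolve_remote_user(id_token: str, userinfo: dict, claim_name: str = "email"):
    """The claim named by OIDCRemoteUserClaim must be a non-empty string among
    the id_token claims merged with the userinfo claims (assumed simplification
    of the module's lookup). Returns (remote_user_or_None, available_claim_names)."""
    claims = {**jwt_payload(id_token), **userinfo}
    value = claims.get(claim_name)
    if isinstance(value, str) and value:
        return value, sorted(claims)
    return None, sorted(claims)


def make_unsigned_token(payload: dict) -> str:
    """Build a constructed alg=none token for local testing only."""
    header = b64url_encode(json.dumps({"alg": "none", "typ": "JWT"}).encode())
    return f"{header}.{b64url_encode(json.dumps(payload).encode())}."


# Constructed sample: an id_token that carries 'sub' but no 'email' claim,
# which is the situation the logged errors describe.
SAMPLE_ID_TOKEN = make_unsigned_token({
    "iss": "https://cilogon.org",
    "aud": "cilogon:/client_id/XXXX",  # placeholder client id from the question
    "sub": "constructed-user-id",
})

if __name__ == "__main__":
    for userinfo in ({}, {"email": "user@example.org"}):
        user, names = resolve_remote_user(SAMPLE_ID_TOKEN, userinfo, "email")
        print("remote user:", user, "| claims seen:", names)
```

If the provider cannot be made to return `email`, point OIDCRemoteUserClaim at a claim it does return (`sub` is the module's default) rather than leaving logins to fail.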