0

我正在尝试让我的 apache 实例针对CILogon进行身份验证。我正在尝试配置mod_auth_openidc。但是,在启动时我在 apache 日志中看到:

[Thu Apr 16 00:24:01.840071 2020] [auth_openidc:error] [pid 90] [client 10.42.0.0:50494] oidc_util_jwt_verify: parsing JWT failed: [src/jose.c:694: oidc_jwe_decrypt_impl]: encrypted JWT could not be decrypted with any of the 1 keys: error for last tried key is: error:0906D06C:PEM routines:PEM_read_bio:no start line [file: jwe.c, function: _cjose_jwe_decrypt_dat_a256gcm\n
[Thu Apr 16 00:24:01.842819 2020] [auth_openidc:error] [pid 90] [client 10.42.0.0:50494] oidc_util_jwt_verify: parsing JWT failed: [src/jose.c:694: oidc_jwe_decrypt_impl]: encrypted JWT could not be decrypted with any of the 1 keys: error for last tried key is: crypto error [file: jwe.c, function: _cjose_jwe_decrypt_dat_a256gcm, line: 1263]\n\n

但是 CILogon 的登录页面看起来很好。登录到我选择的身份提供者后,在网页中我看到:

Error:

OpenID Connect Provider error: Remote user could not be set: contact the website administrator

我在我的 apache 日志中看到以下错误:

[Thu Apr 16 00:25:35.576319 2020] [auth_openidc:error] [pid 92] [client 10.42.0.0:51080] oidc_util_jwt_verify: parsing JWT failed: [src/jose.c:694: oidc_jwe_decrypt_impl]: encrypted JWT could not be decrypted with any of the 1 keys: error for last tried key is: error:0906D06C:PEM routines:PEM_read_bio:no start line [file: jwe.c, function: _cjose_jwe_decrypt_dat_a256gcm\n, referer: XXXX
[Thu Apr 16 00:25:35.579052 2020] [auth_openidc:error] [pid 92] [client 10.42.0.0:51080] oidc_util_jwt_verify: parsing JWT failed: [src/jose.c:694: oidc_jwe_decrypt_impl]: encrypted JWT could not be decrypted with any of the 1 keys: error for last tried key is: crypto error [file: jwe.c, function: _cjose_jwe_decrypt_dat_a256gcm, line: 1263]\n\n, referer: XXXX
[Thu Apr 16 00:25:35.579126 2020] [auth_openidc:error] [pid 92] [client 10.42.0.0:51080] oidc_util_jwt_verify: parsing JWT failed: [src/jose.c:694: oidc_jwe_decrypt_impl]: encrypted JWT could not be decrypted with any of the 1 keys: error for last tried key is: crypto error [file: jwe.c, function: _cjose_jwe_decrypt_dat_a256gcm, line: 1263]\n\n, referer: XXXX
[Thu Apr 16 00:25:35.579184 2020] [auth_openidc:error] [pid 92] [client 10.42.0.0:51080] oidc_util_jwt_verify: parsing JWT failed: [src/jose.c:694: oidc_jwe_decrypt_impl]: encrypted JWT could not be decrypted with any of the 1 keys: error for last tried key is: crypto error [file: jwe.c, function: _cjose_jwe_decrypt_dat_a256gcm, line: 1263]\n\n, referer: XXXX
[Thu Apr 16 00:25:36.528559 2020] [auth_openidc:warn] [pid 92] [client 10.42.0.0:51080] oidc_get_remote_user: JSON object did not contain a "email" string, referer: XXXX
[Thu Apr 16 00:25:36.531493 2020] [auth_openidc:error] [pid 92] [client 10.42.0.0:51080] oidc_set_request_user: OIDCRemoteUserClaimis set to "email", but could not set the remote user based on the requested claim "email" and the available claims for the user, referer: XXXX
[Thu Apr 16 00:25:36.531519 2020] [auth_openidc:error] [pid 92] [client 10.42.0.0:51080] oidc_handle_authorization_response: remote user could not be set, referer: XXXX

这是我的 auth_oidc.conf

OIDCProviderMetadataURL https://cilogon.org/.well-known/openid-configuration
OIDCClientID  "cilogon:/client_id/XXXX"
OIDCClientSecret  "YYYY"
OIDCRedirectURI  https://ondemand-dev.mydomain.com/oidc/redirect
OIDCCryptoPassphrase  dac1440ef357ac981970
OIDCSessionInactivityTimeout 28800
OIDCSessionMaxDuration 28800
OIDCRemoteUserClaim email
OIDCPassClaimsAs environment
OIDCStripCookies mod_auth_openidc_session mod_auth_openidc_session_chunks mod_auth_openidc_session_0 mod_auth_openidc_session_1

安装的rpm(centos7):

# rpm -qa | grep -E '(http|mod_)' | sort
httpd24-1.1-19.el7.x86_64
httpd-2.4.6-90.el7.centos.x86_64
httpd24-httpd-2.4.34-15.el7.x86_64
httpd24-httpd-devel-2.4.34-15.el7.x86_64
httpd24-httpd-tools-2.4.34-15.el7.x86_64
httpd24-libcurl-7.61.1-2.el7.x86_64
httpd24-libnghttp2-1.7.1-8.el7.x86_64
httpd24-mod_auth_openidc-2.3.11-1.el7.x86_64
httpd24-mod_ldap-2.4.34-15.el7.x86_64
httpd24-mod_ssl-2.4.34-15.el7.x86_64
httpd24-runtime-1.1-19.el7.x86_64
httpd-tools-2.4.6-90.el7.centos.x86_64
http-parser-2.7.1-8.el7_7.2.x86_64
rh-nodejs6-http-parser-2.7.0-4.el7.x86_64
rh-nodejs6-http-parser-devel-2.7.0-4.el7.x86_64
rh-nodejs6-nodejs-http-signature-1.1.1-2.el7.noarch

任何指针非常感谢!

4

1 回答 1

0

您的 OpenID Connect 提供商应返回声明email以使您的设置正常工作。

于 2020-05-21T06:42:03.527 回答