Registry and the CakePHP framework use the Apache module mod_rewrite. Because of this, when using recent versions of the mod_auth_openidc Apache module for authentication, you must adjust the expected names of the environment variables carrying OIDC claim values so that they are prefixed with REDIRECT_.

For example, by default the module writes the value of the asserted sub claim into the environment variable OIDC_CLAIM_sub. When configuring the Env Source plugin, you should instead use REDIRECT_OIDC_CLAIM_sub.

This is necessary because of a change made to the mod_auth_openidc Apache module and to how its code is injected into the Apache HTTP Server call stack, which resulted in a change in behavior from earlier versions of the module. For some background, see this mod_auth_openidc GitHub issue and this archived Google Groups discussion. Some additional context is available here.
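To confirm which variable name to enter in the Env Source configuration, the following added example (not part of Registry or mod_auth_openidc; the function name and sample values are hypothetical) lists the environment variables that actually carry each OIDC claim. It goes slightly beyond the single-prefix case described above by also counting repeated REDIRECT_ prefixes, which Apache adds once per internal redirect.

```php
<?php
// Added example, not COmanage Registry code. Names here are hypothetical.

/**
 * Map each OIDC claim present in a server environment array to the
 * variable name(s) that carry it.
 *
 * @param array $env Environment as PHP sees it, normally $_SERVER.
 * @return array claim => list of ['variable' => string, 'redirects' => int]
 */
function locateOidcClaimVariables(array $env): array
{
    $found = [];
    foreach ($env as $name => $value) {
        // Accept OIDC_CLAIM_<claim> with zero or more REDIRECT_ prefixes.
        if (!is_string($name)
            || !preg_match('/^((?:REDIRECT_)*)OIDC_CLAIM_(.+)$/', $name, $m)) {
            continue;
        }
        $found[$m[2]][] = [
            'variable'  => $name,
            'redirects' => intdiv(strlen($m[1]), strlen('REDIRECT_')),
        ];
    }
    ksort($found);
    return $found;
}

// Constructed sample environment, used when run from the command line.
$sample = [
    'REDIRECT_OIDC_CLAIM_sub'   => 'constructed-subject-0001',
    'REDIRECT_OIDC_CLAIM_email' => 'user@example.org',
    'REQUEST_URI'               => '/registry/',
];

$source = (PHP_SAPI === 'cli') ? $sample : $_SERVER;

// Print variable names only, never claim values.
foreach (locateOidcClaimVariables($source) as $claim => $hits) {
    foreach ($hits as $hit) {
        printf("%-10s %s (REDIRECT_ x%d)\n",
            $claim, $hit['variable'], $hit['redirects']);
    }
}
```

With the sample input, both claims are reported under their REDIRECT_-prefixed names with a redirect count of 1, which is the name the Env Source plugin should be configured with.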
