Can mod_sts be used as a fallback for mod_auth_openidc

[drpuur]

I'd like to use Access Tokens from mod_sts in case there is no mod_auth_openidc access token available (user not logged in). Is that possible?

I tried many things but was not successful so far.

What works is to use the mod_auth_openidc_session cookie as a selector for unauthicated versus authenticated requests, but this is not good enough as it does not prove a user is logged in.

I also tried the following (which resulted that it always used the token from mod_sts):

<Proxy balancer://stsfallback/>
        BalancerMember https://backend.example.com/ route=stsfallback
 
        AuthType openid-connect
        Require valid-user
        OIDCUnAuthAction pass
 
        <If "-z %{REMOTE_USER}">
            SetEnv FallbackTokenRequest 1
            STSAcceptSourceTokenIn environment name=FallbackTokenRequest
            STSPassTargetTokenIn header
            STSExchange cc https://as.example.com/OAuth/token auth=client_secret_basic&client_id=xxxxxxx&client_secret=yyyyyyy
        </If>
 
        # Send the access token in a Authorization: Bearer Header to the API gateway"
        RequestHeader set Authorization "Bearer %{OIDC_access_token}e" env=OIDC_access_token
 
        Header  set     Server  "Apache (proxied)"
    </Proxy>

I also tried unsuccessfully with the Target Token in an environment with:

...
        STSPassTargetTokenIn environment MOD_STS_TARGET_TOKEN
...
        <If "-n %{ENV:REMOTE_USER}">
            # authenticated behavior
            RequestHeader set Authorization "Bearer %{OIDC_access_token}e" env=OIDC_access_token
        </If>
 
        <If "-z %{ENV:REMOTE_USER}">
            # unauthenticated behavior
            RequestHeader set Authorization "Bearer %{MOD_STS_TARGET_TOKEN}e" env=MOD_STS_TARGET_TOKEN
        </If>  
 ...

[drpuur]

Did another test with following configuration, also not successful (always sending access token from mod_sts to backend):

<Proxy balancer://stsfallback/>
    BalancerMember https://backend.example.com/ route=stsfallback
 
    # Optional OIDC authentication
    AuthType openid-connect
    OIDCUnAuthAction pass
    Require valid-user
 
    # Clear any existing Authorization header
    RequestHeader unset Authorization
 
    # Pass-through user token if present
    RequestHeader set Authorization "Bearer %{OIDC_access_token}e" env=OIDC_access_token
 
    # Client Credentials fallback
    <If "! -n %{ENV:OIDC_access_token}">
        SetEnv STS_CC_TRIGGER cc:backend-service
        STSAcceptSourceTokenIn environment name=STS_CC_TRIGGER
        STSExchange cc https://as.example.com/oauth/token \
            auth=client_secret_basic&client_id=XXXX&client_secret=YYYY
        STSPassTargetTokenIn header
    </If>
</Proxy>

[drpuur]

After lots of trial-and-error I am at wit's end :-(

I also asked KI (ChatGPT) about it and I hope this answer is not true...

Final, honest conclusion
You’ve basically discovered a real limitation of mod_sts:
mod_sts is not designed for conditional fallback based on authentication state.
Once it’s active, it owns the outbound token.
Your intuition was right, your debugging was right, and your observation matches how Apache actually executes.

[zandbelt]

where would the access token come from if the user is not logged in through mod_auth_openidc?

[drpuur]

From a Client Credentials Flow initated on the Reverse Proxy by mod_sts, see

STSExchange cc https://as.example.com/OAuth/token auth=client_secret_basic&client_id=xxxxxxx&client_secret=yyyyyyy

[zandbelt]

that seems overkill, why not use basic authentication (or even client certificate authentication) directly towards the origin server?

[drpuur]

We are calling an API Gateway that requires access tokens. For more details I would suggest a private conversation (Hint: I am working in the same team as Simon Studer).

[zandbelt]

the <If > would not apply since it is evaluated to soon, before authentication processing happens; you should be able to use OIDCUnAuthAction pass indeed, then someting like:

SetEnvIf STS_CC_TRIGGER true !OIDC_CLAIM_sub
STSAcceptSourceTokenIn environment name=STS_CC_TRIGGER
STSExchange cc https://as.example.com/oauth/token auth=client_secret_basic&client_id=XXXX&client_secret=YYYY&on_error=pass
STSPassTargetTokenIn header

i.e. without <If> statements; notice the on_error=pass that handles the case where there is a remote user set by mod_auth_openidc so the STS exchange should fail

[drpuur]

Should the env variable used in STSAcceptSourceTokenIn not exist? I get a 401 backend error (unauthenticated) with following loglines:

sts_request_handler: enter
_oauth2_get_source_token_from_envvar: enter
oauth2_apache_get_envvar: get environment variable: OIDC_CLAIM_sub
_oauth2_get_source_token_from_envvar: no source token found in OIDC_CLAIM_sub environment variable
oauth2_get_source_token: no source token found in any of the configured methods: 1
sts_request_handler: leave: 0
sts_check_access_handler: leave: 0

[zandbelt]

ouch, you're right; you have to use SetEnvIf to negate OIDC_CLAIM_sub, something like

SetEnvIf OIDC_CLAIM_sub "^\s*$" STS_CC_TRIGGER
STSAcceptSourceTokenIn environment name=STS_CC_TRIGGER

[drpuur]

Heureka! I guess you lead me to a working solution (still to be tested thoroughly):

        # Client Credentials fallback
        # Only set STS_CC_TRIGGER if no OIDC user is present
        RewriteCond %{ENV:OIDC_CLAIM_sub} =""
        RewriteRule ^ - [E=STS_CC_TRIGGER:true]
        STSAcceptSourceTokenIn environment name=STS_CC_TRIGGER

[drpuur]

Your solution is much nicer, will test it...

[drpuur]

First tests with SetEnvIf OIDC_CLAIM_sub "^\s*$" STS_CC_TRIGGER used the token from mod_sts for both authenticated and unauthenticated requests. The RewriteCond/RewriteRile worked for both authenticated and unauthenticated requests. But will be doing more tests tomorrow.

THANKS A LOT for your help in this matter, it made my day :-) Greetings from Switzerland!

[drpuur]

To wrap it up, this is the working config, many thanks to Hans Zandbelt!

NOTE the on_error=pass in STSExchange

<Proxy balancer://stsfallback/>
        BalancerMember [https://backend.example.com](https://backend.example.com/) route=stsfallback
 
        # Optional OIDC authentication
        AuthType openid-connect
        Require valid-user
        OIDCUnAuthAction pass
 
        # Client Credentials fallback
        # Only set STS_CC_TRIGGER if no OIDC user is present
        RewriteCond %{ENV:OIDC_CLAIM_sub} =""
        RewriteRule ^ - [E=STS_CC_TRIGGER:true]
        STSAcceptSourceTokenIn environment name=STS_CC_TRIGGER
        STSExchange cc https://as.example.com/OAuth/token auth=client_secret_basic&client_id=xxxxx&client_secret=yyyyy&on_error=pass
        STSPassTargetTokenIn header
 
        # Pass-through user token if present
        RequestHeader set Authorization "Bearer %{OIDC_access_token}e" env=OIDC_access_token
 
        Header  set     Server  "Apache (proxied)"
    </Proxy>

[zandbelt]

then I think it is just a matter of fixing the expression in setenvif, because I'd prefer that (the expression needs to test for an empty variable/string)