Can't fullfil authentication, HTTP 000

[drzraf]

Dear, I've been through the challenging process of configuring this module. (I've been an fan of mod_auth_openidc for the past 8 years).

After going back & forth with the source-code I ended-up with:

$ cat provider.json

{
  "issuer": "https://accounts.google.com",
  "authorization_endpoint": "https://accounts.google.com/o/oauth2/v2/auth",
  "introspection_endpoint": "https://www.googleapis.com/oauth2/v4/token",
  "introspect.token_param_name": "access_token"
 }

location block

            OpenIDCProvider file /etc/nginx/conf.d/provider.json;
            OpenIDCClient string unauth_action=auth&state.cookie.name.prefix=&client_id=blablablaapps.googleusercontent.com&client_secret=xxx&scope=openid%20email&token_endpoint_auth_method=client_secret_basic ssl_verify=false;

            OpenIDCClaim sub $pfc_claim_sub;
            proxy_set_header OAUTH2_CLAIM_sub $pfc_claim_sub;

Google console redirect URI configured to <my-domain>/openid-connect/redirect_uri

Now I'm looking for the equivalent of:

AuthType openid-connect
<RequireAny>
   Require claim email:[email protected]
</RequireAny>

But even before I get to authorization, I've a preliminary problem regarding authentication which happens when I hit the redirect URI:

1.2.3.4 - - [30/Jul/2025:05:07:40 +0200] "GET /openid-connect/redirect_uri?state=abc&code=4%2Fabc&scope=email+openid+https%3A%2F%2Fwww.googleapis.com%2Fauth%2Fuserinfo.email&authuser=0&hd=domain.com&prompt=none HTTP/2.0" 000 0 "https://accounts.google.com/" "Mozilla/5.0"

As you can see, a 000 HTTP code is returned (nothing in the error log). More exactly, no HTTP code is returned:

HTTP/2 stream 1 was not closed cleanly: INTERNAL_ERROR

Some warning, but nothing relevant related to this particular failure:

2025/07/30 05:43:53 [warn] 1215769#1215769: *434 # _oauth2_openidc_state_cookie_get: no state cookie found, client: <IP>6, server: domain, request: "GET /openid-connect/redirect_uri?state=b6965a<state>&code=4%2F0<code>&scope=email+https%3A%2F%2Fwww.googleapis.com%2Fauth%2Fuserinfo.email+openid&authuser=0&hd=domain.com&prompt=none HTTP/2.0", host: "domain", referrer: "https://accounts.google.com/"

2025/07/30 05:43:53 [warn] 1215769#1215769: *434 # ngx_openidc_handler: oauth2_openidc_handle failed, client: <IP>6, server: domain, request: "GET /openid-connect/redirect_uri?state=b6965a<state>&code=4%2F0<code>&scope=email+https%3A%2F%2Fwww.googleapis.com%2Fauth%2Fuserinfo.email+openid&authuser=0&hd=domain.com&prompt=none HTTP/2.0", host: "domain", referrer: "https://accounts.google.com/"

2025/07/30 05:43:54 [warn] 1215769#1215769: *435 # oauth2_crypto_passphrase_get: no crypto passphrase configured, generating one: configure it statically to survive restarts, client: 198.41.230.117, server: domain, request: "GET /favicon.ico HTTP/2.0", host: "domain", referrer: "https://domain/openid-connect/redirect_uri?state=b6965a<state>&code=4%2F0<code>&scope=email+https%3A%2F%2Fwww.googleapis.com%2Fauth%2Fuserinfo.email+openid&authuser=0&hd=domain.com&prompt=none"

This is somehow expected because oauth2_openidc_handle is really under-logged with many goto end; codepaths not triggering logging.

With debug-level:

2025/07/30 05:53:45 [debug] 1216344#1216344: *443 # oauth2_url_encode: enter: code_verifier
2025/07/30 05:53:45 [debug] 1216344#1216344: *443 # oauth2_url_encode: leave: code_verifier
2025/07/30 05:53:45 [debug] 1216344#1216344: *443 # oauth2_url_encode: enter: 89ce738f8ef48a<code>
2025/07/30 05:53:45 [debug] 1216344#1216344: *443 # oauth2_url_encode: leave: 89ce738f8ef48a<code>
2025/07/30 05:53:45 [debug] 1216344#1216344: *443 # oauth2_http_url_form_encode: data=grant_type=authorization_code&code=4%25<code>wTQA&redirect_uri=https%3A%2F%2Fdomain.com%2Fopenid-connect%2Fredirect_uri&code_verifier=89ce738f8ef48a<code>
2025/07/30 05:53:45 [debug] 1216344#1216344: *443 # oauth2_http_call: enter: url=(null), data=grant_type=authorization_code&code=4%25<code>wTQA&redirect_uri=https%3A%2F%2Fdomain.com%2Fopenid-connect%2Fredirect_uri&code_verifier=89ce738f8ef48a<code>, ctx=[ ssl_verify=false basic_auth_username=<user> basic_auth_password=<pass> hdr=[ Content-Type=application/x-www-form-urlencoded ] cookie=[ ] ]
2025/07/30 05:53:45 [debug] 1216344#1216344: *443 # oauth2_http_call: leave [0]: (null)
2025/07/30 05:53:45 [debug] 1216344#1216344: *443 # _oauth2_openidc_token_endpoint_call: leave: 0
2025/07/30 05:53:45 [debug] 1216344#1216344: *443 # _oauth2_openidc_token_request: leave: 0
2025/07/30 05:53:45 [debug] 1216344#1216344: *443 # _oauth2_openidc_redirect_uri_handler: leave: 0
2025/07/30 05:53:45 [debug] 1216344#1216344: *443 # _oauth2_openidc_internal_requests: leave: 0
2025/07/30 05:53:45 [debug] 1216344#1216344: *443 # oauth2_openidc_handle: return: 0
2025/07/30 05:53:45 [warn] 1216344#1216344: *443 # ngx_openidc_handler: oauth2_openidc_handle failed,

Ok, oauth2_openidc_handle: return: 0 but I still can't figure why.
At that stage, any hint would be welcome to finalize the setup.

Other probably unrelated and non-blocking problems encountered on the way but worth mentioning though:

1. I'm getting _oauth2_openidc_cookie_valid: state cookie could not be retrieved/decoded, but I'd like to go without state cookie for now. Sadly, oauth2_cfg_openidc_state_cookie_name_prefix_get() makes impossible to set it NULL and avoid this warning.
2. no crypto passphrase configured, generating one, but no configuration allows for it (also note that this shows up in the log even after oauth2_openidc_handle failed)

[zandbelt]

there should be an OIDC token endpoint in the provider.json, not an OAuth introspection endpoint

[drzraf]

Thank you.

1. I didn't saw the token endpoint is not set warning in my logs. A (wrong) default value being set? I used the info from https://accounts.google.com/.well-known/openid-configuration as I should have done from the beginning
2. no session cookie found was actually a blocker (sorry for that noise): Default is openidc_state_<state> and it's actually been set onto the client as part of the 302.
3. And the value of the cookie seems ok:

#!/bin/bash
# decrypt-openidc-cookie 
secret="$1" && shift
jwk=$(printf '{"kty":"oct","k":"%s"}' "$(echo -n "$secret" | openssl dgst -sha256 -binary | base64 | tr '+/' '-_' | tr -d '=')")
echo "$jwk" | jose jwe dec -i <(echo "$1") -k - -O - | jose jws ver -i - -k <(echo "$jwk") -O -

=> Match the debug log line oauth2_jose_jwt_encrypt: JSON payload serialized ...{"i":"https://accounts.google.com","l":"https://domain.org/favicon.ico","p":"cfeee89036123456789","m":1,"t":1753919877}

Next problem though:

2025/07/31 03:34:56 [debug] 1289911#1289911: *6449 # oauth2_url_encode: enter: https://mydomain.comm/openid-connect/redirect_uri
2025/07/31 03:34:56 [debug] 1289911#1289911: *6449 # oauth2_url_encode: leave: https%3A%2F%2Fmydomain.comm%2Fopenid-connect%2Fredirect_uri
2025/07/31 03:34:56 [debug] 1289911#1289911: *6449 # _oauth2_http_url_encode_list: processing: code_verifier=f82a847cf4a33368449854d32<code>
2025/07/31 03:34:56 [debug] 1289911#1289911: *6449 # oauth2_url_encode: enter: code_verifier
2025/07/31 03:34:56 [debug] 1289911#1289911: *6449 # oauth2_url_encode: leave: code_verifier
2025/07/31 03:34:56 [debug] 1289911#1289911: *6449 # oauth2_url_encode: enter: f82a847cf4a33368449854d32<code>
2025/07/31 03:34:56 [debug] 1289911#1289911: *6449 # oauth2_url_encode: leave: f82a847cf4a33368449854d32<code>
2025/07/31 03:34:56 [debug] 1289911#1289911: *6449 # oauth2_http_url_form_encode: data=grant_type=authorization_code&code=4%252F0AVMBsJh7C-GVOaM16SYgRMfrD<code>&redirect_uri=https%3A%2F%2Fmydomain.comm%2Fopenid-connect%2Fredirect_uri&code_verifier=f82a847cf4a33368449854d32<code>
2025/07/31 03:34:56 [debug] 1289911#1289911: *6449 # oauth2_http_call: enter: url=https://oauth2.googleapis.com/token, data=grant_type=authorization_code&code=4%252F0AVMBsJh7C-GVOaM16SYgRMfrD<code>&redirect_uri=https%3A%2F%2Fmydomain.comm%2Fopenid-connect%2Fredirect_uri&code_verifier=f82a847cf4a33368449854d32<code>, ctx=[ ssl_verify=false basic_auth_username=9940<clientid>.apps.googleusercontent.com basic_auth_password=AA<pass> hdr=[ Content-Type=application/x-www-form-urlencoded ] cookie=[ ] ]
2025/07/31 03:34:56 [debug] 1289911#1289911: *6449 # oauth2_http_call: HTTP response code=400
2025/07/31 03:34:56 [debug] 1289911#1289911: *6449 # oauth2_http_call: leave [1]: {
  "error": "invalid_grant",
  "error_description": "Malformed auth code."
}
2025/07/31 03:34:56 [debug] 1289911#1289911: *6449 # _oauth2_openidc_token_endpoint_call: leave: 0
2025/07/31 03:34:56 [debug] 1289911#1289911: *6449 # _oauth2_openidc_token_request: leave: 0

• 4%2F0AVMBsJh7C-GVOaM16SYgRMfrD<code> received
• 4%252F0AVMBsJh7C-GVOaM16SYgRMfrD<code> POSTed to Google

Earlier in the log:

2025/07/31 03:34:56 [debug] 1289911#1289911: *6449 # oauth2_http_request_query_param_get: enter: code
2025/07/31 03:34:56 [debug] 1289911#1289911: *6449 # oauth2_nv_list_get: code=4%2F0AVMBsJh7C-GVOaM16SYgRMfrD<code>
2025/07/31 03:34:56 [debug] 1289911#1289911: *6449 # oauth2_http_request_query_param_get: leave: code=4%2F0AVMBsJh7C-GVOaM16SYgRMfrD<code>

Double-encoding happens which break the already encoded code. (Codepath : oauth2_http_post_form > oauth2_http_url_form_encode(log, params) > oauth2_nv_list_loop() > _oauth2_http_url_query_encode_param() > oauth2_url_encode() > curl_easy_escape())

So here I'm stuck.

Now regarding actual authentication...
4. Encountered https://docs.nginx.com/nginx/admin-guide/security-controls/configuring-oidc/

For auth, their module is providing an auth provider.

oidc_provider my_idp { # config }
auth_oidc my_idp; # then activate the authorization

So the ngx_openidc_module counterpart is OAuth2Require but at https://github.com/OpenIDC/ngx_oauth2_module, OAuth2Claim is used, meanwhile the present README.md mentions OpenIDCClaim which I believe is the one I should use when relying upon an external OIDC provider and 3rd-party provided claims.
With this cleared I assumed I could finally copy the claims into headers and proceed with the authorization.

Apparently, there is no mention of subrequest-authentication (which sounds nice at first glance), so I'll rather reproduce the OAuth2Require $valid_sub; + mapping.

NB: I couldn't find a OAUTH2_CLAIM_hd (isn't this actually a claim?). I looked for an equivalent of OIDCAuthRequestParams which would be OpenIDCClient string params=hd=fooobar.com&..., but I couldn't yet confirm it'd work.

[zandbelt]

the parameter encoding issue turns out to be a bug in liboauth2, fixed in OpenIDC/liboauth2@6da0bad just; would you be able to confirm by building from source?