requiring multiple claims with multi OP setup

[zandbelt]

Discussed in #770

^{Originally posted by rajeevn1 January 16, 2022}
I am using 2.4.10-1~bullseye+1 release from github with multiple providers (google, globus, gitlab).

The following works

<RequireAll>
# Require not claim email_verified:false
Require claim email~^(test1@gmail.com|test2@gmail.com)$
</RequireAll>

but when I un-comment the claim for email_verified, the authentication always fails. I have confirmed that email_verified claim, as provided by OP, is either set to true (google, gitlab), or is missing (globus).

The issue does not exist if I use any single provider setup.

I would appreciate any help in resolving the issue.

[zandbelt]

@rajeevn1 would you be able to test a fix by building from source?

[rajeevn1]

@zandbelt yes, I should be able to.

[zandbelt]

please try this branch: https://github.com/zmartzone/mod_auth_openidc/tree/fix_discovery_require_all_authz

[rajeevn1]

I am getting a different error now, I am not sure if it is a problem with my build.

The original problem of multiple claims with multi OP setup works, but only when the email claim is not a regexp. If it is a regexp then it fails.

Not working log.
nb.txt

Working log:
ng.txt

[zandbelt]

that seemed to be different issue with regular expressions, which should be fixed now on the same branch; please confirm

[rajeevn1]

now it works when OIDCDiscoverURL is not defined (it shows internal page), but with OIDCDiscoverURL defined to a custom URL it just shows a blank page.

[zandbelt]

sorry, that was an oversight in the earlier patch, corrected that now

[rajeevn1]

It works for me now.
Thank you.

[zandbelt]

I had to revert some changes: @rajeevn1 can you please confirm that 3f082c1 still works for you?

[rajeevn1]

It still works for me. Thanks.