I'm not sure if this is something handled in OIDC or Apache in general, but what I'm seeing is this, and I was hoping for some advice:
A customer is logged into multiple Google accounts, and at the Account Chooser they click the wrong account; they get a 401 Unauthorized.
They then try to go back to the OIDC server and continue to get the Unauthorized. This is true even if they clear cookies, etc.
The only reliable way I can get them to log back in is for them to open a private window in Safari or another personality in Chrome.
Is there a way to have a 401 redirect to the Google Account Chooser and then allow Apache to retry? Basically, once they get a 401 from Apache (via openidc) there is no good way to reauth again. Is there some way to make retrying login easier for people?
Thanks in advance. My configs are below:
<VirtualHost _default_:443>
    ServerName nameofserver.com
    ServerAdmin ops@nameofserver.com
    DocumentRoot /var/www/html

    Header always set Strict-Transport-Security "max-age=63072000; includeSubDomains"
    # Sticky-session cookie for the balancers below; note it is set without Secure/HttpOnly
    Header add Set-Cookie "ROUTEID=.%{BALANCER_WORKER_ROUTE}e; path=/" env=BALANCER_ROUTE_CHANGED
    # Reflect the Origin header for CORS only when it is a subdomain of nameofserver.com
    # (the posted regex ended in "\.co,", which matches nothing useful; "\.com" is assumed)
    SetEnvIf Origin "^(.*\.nameofserver\.com)$" ORIGIN_SUB_DOMAIN=$1
    Header set Access-Control-Allow-Origin "%{ORIGIN_SUB_DOMAIN}e" env=ORIGIN_SUB_DOMAIN
    Header always set Access-Control-Allow-Credentials "true"
    ErrorDocument 503 "A custom error message"
    RequestHeader set X-Forwarded-Proto "https" early
    LimitRequestFieldSize 65000

    SSLEngine on
    SSLCertificateFile /etc/apache2/pathtoprivcert
    SSLCertificateKeyFile /etc/apache2/ssl/pathtoprivkey
    # TLS 1.1 is deprecated; current clients only need TLS 1.2
    SSLProtocol TLSv1.1 TLSv1.2
    SSLCipherSuite ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!3DES:!MD5:!PSK
    SSLHonorCipherOrder on
    SSLCompression off

    # mod_auth_openidc: Google as the OpenID Connect provider
    OIDCProviderMetadataURL https://accounts.google.com/.well-known/openid-configuration
    OIDCClientID clientIDfromGoogle@google.com
    OIDCClientSecret Averysecrtkey
    OIDCScope "openid email profile"
    OIDCRedirectURI https://www.nameofserver.com/oauth2callback
    OIDCCryptoPassphrase Alsoverysecurekey
    OIDCSessionInactivityTimeout 86400
    OIDCCookiePath /
    # The email claim becomes REMOTE_USER and is forwarded to the backends in this header
    OIDCRemoteUserClaim email
    OIDCAuthNHeader X-Forwarded-User
    LogLevel info

    <Proxy balancer://http-nameofserver>
        BalancerMember http://www1.nameofserver.com route=0
        BalancerMember http://www2.nameofserver.com route=1
        BalancerMember http://www3.nameofserver.com route=2
        ProxySet lbmethod=byrequests
        ProxySet stickysession=ROUTEID
        ProxySet failonstatus=503
        ProxySet maxattempts=2
    </Proxy>
    <Proxy balancer://ws-nameofserver>
        BalancerMember ws://www1.nameofserver.com route=0
        BalancerMember ws://www2.nameofserver.com route=1
        BalancerMember ws://www3.nameofserver.com route=2
        ProxySet lbmethod=byrequests
        ProxySet stickysession=ROUTEID
        ProxySet failonstatus=503
        ProxySet maxattempts=2
    </Proxy>

    # socket.io WebSocket upgrades go to the ws:// balancer; everything else to the http:// one
    RewriteEngine On
    RewriteCond %{REQUEST_URI} ^/socket.io [NC]
    RewriteCond %{QUERY_STRING} transport=websocket [NC]
    RewriteRule /(.*) balancer://ws-nameofserver/$1 [P,L]
    ProxyPreserveHost on
    ProxyPass / balancer://http-nameofserver/
    ProxyPassReverse / balancer://http-nameofserver/
    ProxyPass /socket.io/ balancer://ws-nameofserver/socket.io/
    ProxyPassReverse /socket.io/ balancer://ws-nameofserver/socket.io/
    ProxyRequests Off
    AllowEncodedSlashes NoDecode

    <Location />
        AuthType openid-connect
        # Several Require lines at this level are an implicit RequireAny: access is granted
        # if the client host matches, or the ID token's hd claim equals one of the listed domains
        Require host somealloweddomain.com
        Require claim hd:corpsite.com
        Require claim hd:someotherdomain.com
        Require claim hd:yetanothercompany.com
    </Location>
    # On these paths an unauthenticated request gets a bare 401 instead of a redirect to the provider
    <LocationMatch "^(?!/t/|/an-url|/another-url|/lasturl)/[^/]+">
        OIDCUnAuthAction 401
    </LocationMatch>
</VirtualHost>
You can add a custom parameter prompt=select_account in the authentication requests as described in:
https://github.com/pingidentity/mod_auth_openidc/wiki#13-how-can-i-add-custom-parameters-to-the-authorization-request
So in your case add:
OIDCAuthRequestParams prompt=select_account
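What the suggested directive changes, and why picking the wrong account ends in a 401, as an added example that is not part of the original thread or of mod_auth_openidc's code: the first part builds the Google authorization request the way a relying party would, with the value of OIDCAuthRequestParams (a URL query string) merged into it, so the effect of prompt=select_account on the request is visible; the second part mirrors the `Require claim hd:<domain>` lines from the posted config, which authenticate any Google account but only authorize one whose ID token carries an hd claim equal to a listed domain. The client ID, redirect URI and domain list are copied from the posted config; the sample claim sets and the state/nonce values are constructed; the authorization endpoint is Google's, as published in its discovery document.

```python
"""Added example (not from the thread or from mod_auth_openidc).

Shows (1) how an extra parameter from OIDCAuthRequestParams ends up in the
authorization request and (2) how `Require claim hd:<domain>` decides between
"authorized" and "authenticated but 401".
"""
from typing import Dict, Optional
from urllib.parse import parse_qs, urlencode, urlparse

# Values mirroring the posted configuration (client_id and redirect_uri are the
# placeholders from the post, not real credentials).
AUTHORIZATION_ENDPOINT = "https://accounts.google.com/o/oauth2/v2/auth"
CLIENT_ID = "clientIDfromGoogle@google.com"
REDIRECT_URI = "https://www.nameofserver.com/oauth2callback"
SCOPE = "openid email profile"
# The three `Require claim hd:` lines from the <Location /> block.
ALLOWED_HD = frozenset({"corpsite.com", "someotherdomain.com", "yetanothercompany.com"})


def parse_auth_request_params(directive_value: str) -> Dict[str, str]:
    """Parse the OIDCAuthRequestParams value, a URL-encoded query string ("a=b&c=d")."""
    return {k: v[0] for k, v in parse_qs(directive_value, keep_blank_values=True).items()}


def build_authorization_url(state: str, nonce: str, extra_params: Dict[str, str]) -> str:
    """Build the OpenID Connect authorization-code request; extra_params are appended last."""
    params = {
        "response_type": "code",
        "client_id": CLIENT_ID,
        "redirect_uri": REDIRECT_URI,
        "scope": SCOPE,
        "state": state,   # CSRF binding between request and callback
        "nonce": nonce,   # replay binding, echoed back inside the ID token
    }
    # A directive value cannot override the core protocol parameters.
    for key, value in extra_params.items():
        params.setdefault(key, value)
    return f"{AUTHORIZATION_ENDPOINT}?{urlencode(params)}"


def prompt_of(url: str) -> Optional[str]:
    """Return the prompt parameter of an authorization URL, or None if absent."""
    return parse_qs(urlparse(url).query).get("prompt", [None])[0]


def authorize_hd_claim(id_token_claims: Dict[str, str]) -> bool:
    """Mirror `Require claim hd:<domain>`: the hd claim must equal one of the listed domains.

    The check is on the signed ID token's hd claim, not on the email suffix: a personal
    Google account has no hd claim at all, and an email domain is not proof of Workspace
    membership.
    """
    return id_token_claims.get("hd") in ALLOWED_HD


def http_status_for(id_token_claims: Dict[str, str]) -> int:
    """Status the reverse proxy would answer with once the session exists: 200 or 401."""
    return 200 if authorize_hd_claim(id_token_claims) else 401


if __name__ == "__main__":
    extra = parse_auth_request_params("prompt=select_account")
    print(build_authorization_url("constructed-state", "constructed-nonce", extra))

    # Constructed claim sets: a Workspace account from a listed domain, a personal account.
    corporate = {"email": "alice@corpsite.com", "hd": "corpsite.com", "email_verified": "true"}
    personal = {"email": "alice@gmail.com", "email_verified": "true"}
    print("corporate account ->", http_status_for(corporate))  # authorized
    print("personal account  ->", http_status_for(personal))   # session exists, but 401
```

The second half is the part that explains the symptom in the question: the account chooser completes authentication for whichever account was clicked, the module stores that account in its session, and every later request is evaluated against the same hd claim until that session is gone; prompt=select_account makes Google show the chooser again on the next authorization request instead of silently reusing the account it already has a session for.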