
How to pass user's claim to upstream layer using mod_auth_openidc?

I've successfully provisioned an Apache web server using mod_auth_openidc to protect our internal dashboards, using Auth0 and Google App OAuth, as described in this documentation: - - (without using the Auth0 rule pipeline)

My question is how to pass the user's claims to the upstream layer (our internal tools/dashboards) as HTTP headers. Is it possible?

Regards, Agung


I've tried with the suggestion here, here's the snippet of my /etc/apache2/sites-available/000-default.conf

    <VirtualHost *:443>
        ServerName my-host-name
        UseCanonicalName on
        ProxyPreserveHost on
        DocumentRoot /var/www/html

        # The OIDC provider/client directives (OIDCProviderMetadataURL, OIDCClientID,
        # OIDCClientSecret, OIDCRedirectURI, OIDCCryptoPassphrase) are not shown in this snippet

        # Pass the user's claims to the upstream as HTTP headers
        OIDCPassClaimsAs "headers"
        OIDCPassUserInfoAs "claims"
        OIDCPassRefreshToken "On"

        <Location />
            AuthType openid-connect
            # Require a non-empty, verified email claim
            Require claim email~^(.*)$
            Require claim email_verified:true

            ProxyPass http://echo-server.default.svc.cluster.local:8080/
            ProxyPassReverse http://echo-server.default.svc.cluster.local:8080/
            LogLevel debug
        </Location>
    </VirtualHost>


I am using echoserver ( as the backend of http://echo-server.default.svc.cluster.local:8080, and it doesn't print any of the user's claims as HTTP headers. Is there any misconfiguration on my part? How do I debug this problem?


  • That's what the module does by default: it will pass the user's claims in both environment variables and headers, which can be configured with OIDCPassClaimsAs as documented in:

    # Define the way in which the claims and tokens are passed to the application environment:
    # "none": no claims/tokens are passed
    # "environment": claims/tokens are passed as environment variables
    # "headers": claims/tokens are passed in headers (also useful in reverse proxy scenario's)
    # "both": claims/tokens are passed as both headers as well as environment variables (default)
    # When not defined the default is "both"
    # The access token is passed in OIDC_access_token; the access token expiry is passed in OIDC_access_token_expires.
    # The refresh token is only passed in OIDC_refresh_token if enabled for that specific directory/location (see: OIDCPassRefreshToken)
    #OIDCPassClaimsAs [none|headers|environment|both]

    Note that those headers are added to the backend HTTP request that is propagated to the application so you won't see them in a browser.
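Since the claim headers only exist on the proxied request, the quickest way to check the configuration is an upstream that reports what it received. The following is an added example (not the question's configuration and not mod_auth_openidc's own code): a throwaway echo service that lists the claim headers that reached it, assuming the module's default OIDC_CLAIM_ prefix (OIDCClaimPrefix) and hypothetical function names.

```python
# Added example: a debug upstream for mod_auth_openidc claim headers.
# Assumes the default OIDCClaimPrefix "OIDC_CLAIM_"; function names are hypothetical.
import json
from http.server import BaseHTTPRequestHandler, HTTPServer

CLAIM_PREFIX = "OIDC_CLAIM_"  # module default (OIDCClaimPrefix)
TOKEN_HEADERS = ("OIDC_access_token", "OIDC_access_token_expires", "OIDC_refresh_token")


def extract_oidc_claims(headers, prefix=CLAIM_PREFIX):
    """Return {claim_name: value} for every header carrying the claim prefix.

    HTTP header names are case-insensitive and proxies may change their case,
    so the prefix is matched case-insensitively; the claim name itself keeps
    the case in which the proxy sent it.
    """
    claims = {}
    plen = len(prefix)
    for name, value in headers.items():
        if name[:plen].lower() == prefix.lower():
            claims[name[plen:]] = value
    return claims


def token_headers_present(headers):
    """Report which token headers arrived; token values are never echoed or logged."""
    present = {k.lower() for k in headers.keys()}
    return {h: (h.lower() in present) for h in TOKEN_HEADERS}


class ClaimEchoHandler(BaseHTTPRequestHandler):
    """Echo the received claim headers as JSON.

    Expose this only to the Apache proxy: a client that can reach the port
    directly could send its own OIDC_CLAIM_ headers, so the upstream must
    trust them only when the proxy is the sole path to it.
    """

    def do_GET(self):
        body = json.dumps({
            "claims": extract_oidc_claims(self.headers),
            "tokens": token_headers_present(self.headers),
        }, indent=2).encode()
        self.send_response(200)
        self.send_header("Content-Type", "application/json")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)


if __name__ == "__main__":
    HTTPServer(("127.0.0.1", 8080), ClaimEchoHandler).serve_forever()
```

Point the ProxyPass at this service and fetch any protected path through Apache; the JSON response shows the claims exactly as the upstream sees them, which is also where to look when a second proxy in the path drops headers whose names contain underscores.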