Httpd won't start: Invalid command 'OIDCStateMaxNumberOfCookies' + Dex confusion

Using RHEL 8.2 and RPM-installed OnDemand 1.8, I can’t get the Apache server to start.

The error I’m seeing is:

httpd[1638]: AH00526: Syntax error on line 93 of /etc/httpd/conf.d/ood-portal.conf:
httpd[1638]: Invalid command 'OIDCStateMaxNumberOfCookies', perhaps misspelled or defined by a module not included in the server configuration

Google is failing to find anything notable. I can get Apache to start if I comment the line out, but I’d prefer to get this working properly.

I’ve done the bare minimum changes cf. our working 1.7 installation on CentOS 8.2, following the details here

I have confirmed that /etc/httpd/conf.modules.d/10-auth_openidc.conf loads the correct module.

I am also concerned that I have no idea what’s meant to go into a https://url:5556/.well-known/openid-configuration file, nor where that file should be - where is Dex served from? Is it /var/www/? - and I don’t seem to be able to find clear documentation to that end.

The configuration process performed by update_ood_portal has automatically filled that url with the hostname of the machine in question, but I am now suspecting that the relatively well hidden line in the 1.8 documentation " * A OIDC IdP server deployed, e.g., idp.example.com (outside of scope of this document)" might be excluding me - unless that’s the role that Dex plays?

I will continue reading, but would appreciate help on the first hurdle - why is OIDCStateMaxNumberOfCookies throwing an error?

No, on further reading I think that Dex+LDAP(AD) config is creating my OIDC IdP server.

FWIW, here’s what’s been put into ood-portal.conf

  OIDCProviderMetadataURL https://ood.domain.com:5554/.well-known/openid-configuration
  OIDCClientID ood.domain.com
  OIDCClientSecret <redacted>
  OIDCRedirectURI https://ood.domain.com
  OIDCRemoteUserClaim preferred_username
  OIDCScope "openid profile email"
  OIDCCryptoPassphrase <redacted>
  OIDCSessionInactivityTimeout 28800
  OIDCSessionMaxDuration 28800
  OIDCStateMaxNumberOfCookies 10 true
  OIDCCookieSameSite Off

The .well-known address is autogenerated because the contents are autogenerated by Dex. Dex consists of a single binary (Go) and some static assets (HTML, CSS, images). The openid-config URL is autogenerated and there should be no need to modify it. In theory all you should really have to configure for OnDemand and Dex to work is the LDAP or some form of authentication; everything else should have good enough defaults to “just work”. If there are things that are not working (besides the mentioned error), or unclear, let us know.

What version of mod_auth_openidc got installed on your host? It looks like 2.3.8 was the first release to contain OIDCStateMaxNumberOfCookies. If your release is older than that, then that will be a problem we’ll need to address, likely by shipping an RPM for RHEL8 if their version is too old.

I just verified with Vagrant that the necessary configs are working with CentOS 8. I had forgotten we do ship a newer mod_auth_openidc, but it appears that I mistakenly did not include that in the 1.8 repos. I think that’s the issue you were facing, because the RHEL8 version of mod_auth_openidc is 2.3.7, which is too old to support OIDCStateMaxNumberOfCookies.

I’d recommend updating to use the mod_auth_openidc shipped by OnDemand 1.8 repos:

dnf module disable mod_auth_openidc:2.3
yum update mod_auth_openidc
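A preflight script for the two problems in this thread, added here as an example and not part of the OnDemand project or of any post above. It assumes the RHEL 8 layout the thread uses (mod_auth_openidc installed as an RPM, the OIDC settings in /etc/httpd/conf.d/ood-portal.conf) and takes 2.3.8 as the first mod_auth_openidc release with OIDCStateMaxNumberOfCookies, as stated in the reply above. It checks the installed module version before touching httpd, runs the Apache syntax check instead of a service start, and fetches the Dex discovery document named by OIDCProviderMetadataURL, which is the quickest way to notice that the Dex service is not actually running. The version comparison is done by hand so it does not depend on sort -V.

```shell
#!/bin/sh
# Preflight for OnDemand + mod_auth_openidc + Dex (example script, not from the OnDemand project).
# Run as: sh ood-oidc-preflight.sh --run   (the functions can also be sourced and used alone)
set -e

# First mod_auth_openidc release with OIDCStateMaxNumberOfCookies, per the reply above.
MIN_OIDC_VERSION=2.3.8
# Path assumed from the thread's error message.
OOD_PORTAL_CONF=/etc/httpd/conf.d/ood-portal.conf

# version_ge A B: exit 0 if dotted version A >= B (missing fields count as 0).
version_ge() {
  local a b x y
  a=$1; b=$2
  while [ -n "$a" ] || [ -n "$b" ]; do
    x=${a%%.*}; y=${b%%.*}
    if [ "$a" = "$x" ]; then a=''; else a=${a#*.}; fi
    if [ "$b" = "$y" ]; then b=''; else b=${b#*.}; fi
    x=${x:-0}; y=${y:-0}
    if [ "$x" -gt "$y" ]; then return 0; fi
    if [ "$x" -lt "$y" ]; then return 1; fi
  done
  return 0
}

# openidc_version_status VERSION: prints "ok" or "too-old".
# Accepts a bare version or an RPM version-release string (release suffix is dropped).
openidc_version_status() {
  local v
  v=${1%%-*}
  if version_ge "$v" "$MIN_OIDC_VERSION"; then echo ok; else echo too-old; fi
}

# Installed version of the module as recorded by RPM (RHEL/CentOS only).
installed_openidc_version() {
  rpm -q --queryformat '%{VERSION}-%{RELEASE}\n' mod_auth_openidc
}

# check_discovery URL: fetch the OIDC discovery document and require an issuer field.
# Dex generates this document itself at <issuer>/.well-known/openid-configuration;
# nothing has to be placed on disk for it, but the Dex service must be running.
check_discovery() {
  local url body
  url=$1
  body=$(curl -fsS "$url") || {
    echo "cannot fetch $url (is the Dex service started and listening?)" >&2
    return 1
  }
  printf '%s\n' "$body" | grep -q '"issuer"' || {
    echo "response from $url has no issuer field; not an OIDC discovery document" >&2
    return 1
  }
  echo "discovery OK: $url"
}

main() {
  local v status url
  v=$(installed_openidc_version)
  status=$(openidc_version_status "$v")
  echo "mod_auth_openidc $v: $status (need >= $MIN_OIDC_VERSION for OIDCStateMaxNumberOfCookies)"
  if [ "$status" = too-old ]; then
    echo "switch to the module shipped in the OnDemand 1.8 repos, as in the reply above:" >&2
    echo "  dnf module disable mod_auth_openidc:2.3 && yum update mod_auth_openidc" >&2
    return 1
  fi
  # Syntax check only; does not start or restart the service.
  httpd -t
  url=$(awk '$1 == "OIDCProviderMetadataURL" { print $2 }' "$OOD_PORTAL_CONF")
  if [ -n "$url" ]; then
    check_discovery "$url"
  else
    echo "no OIDCProviderMetadataURL in $OOD_PORTAL_CONF" >&2
    return 1
  fi
}

if [ "${1:-}" = "--run" ]; then main; fi
```

The version check runs first on purpose: once the module is too old, httpd -t fails on the same "Invalid command" line the thread shows, so the script reports the cause and the repo switch rather than the symptom. The discovery fetch is against the URL update_ood_portal wrote into ood-portal.conf, so a mismatch between that host:port and where Dex is actually listening shows up here instead of at the first login redirect.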

Thanks - worked a treat.

Note to self - read the Dex documentation to the end and pay attention to the optional “start the Dex service” :)