I’ve created a ‘test’ site which exhibits the same symptoms using ‘omd create’.
If I change the CheckMK session timeout to 5 mins, it makes my issue easier to reproduce.
- Open CheckMK
- Log in using OIDC
- Simulate idle session timeout by closing browser window for 5 mins
- Open CheckMK again
- OIDC redirects and re-authenticates successfully as IDP session still exists
- CheckMK redirects to login screen
Here are the key lines from my Apache log (I’ve redacted some info). The first line is just after successful IDP authentication and contains the code. You can see username@<redacted.com>, indicating mod_auth_oidc successfully parses and sets REMOTE_USER. The 2nd line redirects to check_mk/index.py, which in turn issues a redirect to check_mk/login.py (no REMOTE_USER).
```
XXX.XXX.XXX.XXX - username@redacted.com [01/Sep/2023:13:33:50 +0800] "GET /test/secure/redirect_uri?code=.............
XXX.XXX.XXX.XXX - username@redacted.com [01/Sep/2023:13:33:51 +0800] "GET /test/check_mk/index.py?start_url=%2Ftest%2Fcheck_mk%2Fdashboard.py HTTP/1.1" 302 383 "https://login.redacted-idp.com/" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/115.0.0.0 Safari/537.36 Edg/115.0.1901.188"
XXX.XXX.XXX.XXX - - [01/Sep/2023:13:33:51 +0800] "GET /test/check_mk/login.py?_origtarget=index.py%3Fstart_url%3D%252Ftest%252Fcheck_mk%252Fdashboard.py HTTP/1.1" 200 2158 "https://login.redacted-idp.com/" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/115.0.0.0 Safari/537.36 Edg/115.0.1901.188"
```
I’ve noted that when I delete the “auth_<< site >>” cookie in my browser (in my case ‘auth_test’), and request the page again, then the login flow works properly and it sets a new working auth_test cookie.
I’ve checked my apache configuration, here’s the snippet relating to cookie detection…
```
<If "! %{HTTP_COOKIE} =~ /^auth_test/ && \
    ! %{REQUEST_URI} = '/test/check_mk/register_agent.py' && \
    ! %{REQUEST_URI} = '/test/check_mk/restapi.py' && \
    ! %{REQUEST_URI} = '/test/check_mk/run_cron.py' && \
    ! %{REQUEST_URI} = '/test/check_mk/automation.py' && \
    ! %{REQUEST_URI} -strmatch '/test/check_mk/api/*' && \
    ! %{REQUEST_URI} = '/test/check_mk/deploy_agent.py' && \
    ! %{REQUEST_URI} = '/test/check_mk/ajax_graph_images.py' && \
    ! %{QUERY_STRING} =~ /(_secret=|auth_|register_agent)/ && \
    ! %{REQUEST_URI} =~ m#^/test/(omd/|check_mk/((images|themes)/.*\.(png|svg)|login\.py|.*\.(css|js)))# ">
```
So it looks related to an issue with the auth_test cookie, but I’m not sure quite what it is.
For reference, I’m on a fresh Ubuntu Server 22.04 LTS installation with OMD and CheckMK v2.2.0p7.cre (RAW).
Thanks in advance for any suggestions you may have.
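
As an added example, not part of the original post or of Checkmk's own code: a small Python model of the `<If>` expression quoted above, for checking which requests fall inside that block depending on the URI, query string and `Cookie` header. It assumes Python's `re` and `fnmatch` behave like Apache's regex and `-strmatch` for these patterns; the sample requests are constructed, and what the block itself configures is not shown in the post.

```python
import re
from fnmatch import fnmatchcase

SITE = "test"  # site name used in the post
BASE = f"/{SITE}/check_mk/"
# URIs compared with '=' in the snippet
EXACT = {BASE + p for p in ("register_agent.py", "restapi.py", "run_cron.py",
                            "automation.py", "deploy_agent.py",
                            "ajax_graph_images.py")}
COOKIE_RE = re.compile(rf"^auth_{SITE}")  # anchored to the start of the header
QUERY_RE = re.compile(r"(_secret=|auth_|register_agent)")
STATIC_RE = re.compile(
    rf"^/{SITE}/(omd/|check_mk/((images|themes)/.*\.(png|svg)|login\.py|.*\.(css|js)))")


def if_matches(uri, query="", cookie=""):
    """True when the <If> expression from the post would be true.

    The expression is a chain of '! test && ! test ...', so it holds only
    when none of the individual tests match.
    """
    return not (
        COOKIE_RE.search(cookie)
        or uri in EXACT
        or fnmatchcase(uri, BASE + "api/*")  # -strmatch: glob, '*' spans '/'
        or QUERY_RE.search(query)
        or STATIC_RE.search(uri)
    )


# Constructed requests (not taken from the poster's logs).
SAMPLES = [
    ("no cookies", BASE + "index.py", "start_url=x", ""),
    ("auth cookie first", BASE + "index.py", "start_url=x", "auth_test=constructed"),
    ("auth cookie second", BASE + "index.py", "start_url=x", "other=1; auth_test=constructed"),
    ("login page", BASE + "login.py", "_origtarget=index.py", ""),
]

if __name__ == "__main__":
    for label, uri, query, cookie in SAMPLES:
        print(f"{label:20} -> <If> matches: {if_matches(uri, query, cookie)}")
```

The second and third samples differ only in cookie order, which changes the result because the cookie pattern is anchored with `^` to the start of the whole `Cookie` header.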