
Frequently Asked Questions

How do I ...

Wildcard my Meechum redirect URIs?

Edward can be used for allow-listing redirect URIs. Wildcards are supported in a limited fashion. For example:

https://myapp.prod.netflix.net:7002/meechum
https://myapp.prod.netflix.net:*/meechum
https://myapp.prod.netflix.net:*/*

Keep the pattern as narrow as the app needs. Every URI the pattern matches is one the identity provider will deliver authorization responses to, so a path wildcard (/*) on a host that also serves user-controlled redirects widens the surface for redirect-based token leakage; prefer the explicit port and path where you can.

End a user's session with the Meechum module?

You can end a session with the Meechum module via /meechum?logout=my_logout_url, where my_logout_url is the URL the user is redirected to after the session is ended. This URL must be unauthenticated, otherwise an immediate re-login will be performed.

Note

By default the logout page must be on the same domain as your app. If your logout URL must be on another domain, indicate this via an override in /etc/default/ezconfig with the APACHE_MEECHUM_LOGOUT_URL variable. Additionally, the logout link will need to point at /meechum?logout= (note the dangling =); this makes the module fall back to the APACHE_MEECHUM_LOGOUT_URL value.

More information is available here

How long are sessions valid within the module?

By default, sessions are valid for 2 hours (7200 seconds). This period can be extended in ezconfig up to a maximum of 8 hours using the APACHE_MEECHUM_SESSION_MAX_DURATION entry in /etc/default/ezconfig, expressed in seconds. The idle session timeout is 1 hour (3600 seconds) and can be overridden with an APACHE_MEECHUM_SESSION_INACTIVITY_TIMEOUT value, also expressed in seconds. A longer lifetime is also a longer window in which a stolen session cookie remains usable, so raise these only as far as the workflow actually requires.

How are the sessions persisted by the module?

The Apache Meechum module uses an external key-value store (Redis by default) to store encrypted session information for each authenticated user on a per-app basis. Instances deployed with the same client_id and in the same region will automatically resume sessions from the shared cache clusters.

Memcache (and EVCache by extension) is also supported for session storage. This can be configured in /etc/default/ezconfig via the APACHE_MEECHUM_CACHE_TYPE and APACHE_MEECHUM_MEMCACHE_SERVER entries. The cache cluster needs to be reachable from your instances (see the cache errors question below), and it should not be reachable from anything else.

Support CORS?

There are several options depending on whether your CORS requests are pre-flighted or not.

If pre-flighted, the best option is to configure the Apache Meechum module to pass all OPTIONS requests through, so that your app can answer the preflight itself. A preflight is sent without cookies, so the module could not authenticate it anyway.

If not pre-flighted, the module needs to be configured to add the Access-Control-Allow-Origin (ACAO) header. The value may be explicit, matching a single Origin, or reflected for a set of allowed Origins. A literal wildcard (*) cannot be combined with Access-Control-Allow-Credentials: true; browsers reject that combination, so it does not work for requests that carry the Meechum session cookie.

This snippet enables reflected CORS support for Origins that match the regex:

LoadModule headers_module modules/mod_headers.so

# Reflect Access-Control headers for allow-listed domain(s).
# The pattern is anchored at both ends and escapes the dots, so Origins such as
# myapp.netflix.com.evil.example or myappxnetflix.com do not match.
# Replace "https?" with "https" if the app is only ever served over TLS.
SetEnvIf Origin ^(https?://myapp\.netflix\.com(?::\d{1,5})?)$ CORS_ALLOW_ORIGIN=$1
# Emit ACAO only when the Origin matched; never "*" alongside Allow-Credentials.
Header always set Access-Control-Allow-Origin %{CORS_ALLOW_ORIGIN}e env=CORS_ALLOW_ORIGIN
Header always set Access-Control-Allow-Methods "POST, GET, OPTIONS, DELETE, PUT"
Header always set Access-Control-Allow-Headers "x-requested-with, Content-Type, origin, authorization, accept, client-security-token"
Header always set Access-Control-Allow-Credentials true
# The response depends on the Origin, so caches must key on it.
Header merge Vary "Origin"

# Always send a 200 to OPTIONS (preflight) requests from allow-listed Origins.
# A non-3xx R= code drops the substitution and stops rewriting, giving a 200 with an empty body.
RewriteEngine On
RewriteOptions InheritDown
RewriteCond %{REQUEST_METHOD} OPTIONS
RewriteCond expr "%{ENV:CORS_ALLOW_ORIGIN} != ''"
RewriteRule ^(.*)$ $1 [R=200,L]
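The value of the anchoring and dot-escaping in the SetEnvIf pattern is easy to miss until you run lookalike Origins through it. The following is an added example, not code from the page or the Meechum module: the same allow-list written as plain JavaScript so the matching behaviour can be checked offline, beside the loose pattern people often write instead. The host myapp.netflix.com is the page's own example; the sample Origins, including the attacker-controlled lookalikes, are constructed.

```javascript
// Added example (not from the page or the Meechum module): the Origin
// allow-list from the SetEnvIf line, as JavaScript, checked against
// constructed Origins. myapp.netflix.com is the page's example host.

// Mirrors the snippet's pattern: anchored at both ends, dots escaped, optional port.
const STRICT_ORIGIN = /^(https?:\/\/myapp\.netflix\.com(?::\d{1,5})?)$/;

// A common mistake: no end anchor and unescaped dots.
const LOOSE_ORIGIN = /^https?:\/\/myapp.netflix.com/;

// CORS response headers for a request with the given Origin, or an empty
// object when the Origin is not allow-listed (no ACAO header means the browser
// refuses to expose the response to the calling page).
function corsHeadersFor(origin, pattern = STRICT_ORIGIN) {
  if (typeof origin !== 'string' || !pattern.test(origin)) {
    return {};
  }
  return {
    // Reflect the exact Origin; never "*", which browsers reject together with
    // Allow-Credentials and which would expose the response to every site.
    'Access-Control-Allow-Origin': origin,
    'Access-Control-Allow-Credentials': 'true',
    'Access-Control-Allow-Methods': 'POST, GET, OPTIONS, DELETE, PUT',
    'Vary': 'Origin',
  };
}

// Which of the given Origins a pattern would grant credentialed access to.
function allowedOrigins(pattern, origins) {
  return origins.filter((o) => Object.keys(corsHeadersFor(o, pattern)).length > 0);
}

// Constructed Origins: two legitimate ones and lookalikes an attacker could control.
const SAMPLE_ORIGINS = [
  'https://myapp.netflix.com',
  'https://myapp.netflix.com:7002',
  'https://myapp.netflix.com.evil.example',           // our host as a subdomain label of theirs
  'https://myappxnetflix.com',                        // unescaped '.' matches the 'x'
  'https://evil.example/?u=https://myapp.netflix.com', // our host only in the query string
  'null',                                             // sandboxed iframes and file: pages send this
];
```

Running allowedOrigins(STRICT_ORIGIN, SAMPLE_ORIGINS) returns only the two legitimate Origins, while the loose pattern also admits myapp.netflix.com.evil.example and myappxnetflix.com, and with Allow-Credentials: true those pages could read authenticated responses from the app. The pattern is the whole access control for reflected CORS; review it like one.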

Prevent XHR calls from being redirected?

XHR requests will fail when a session expires because the module's default unauthenticated action is a redirect to the identity provider: an XHR or fetch call follows that redirect and ends up with the login page (or a cross-origin error) instead of the API response. Set OIDCUnAuthAction 401 instead and handle the 401 response code on the client side to force a new login flow. The directive can be scoped to the API Location, so that ordinary page loads still get the redirect.
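What "handle the 401 on the client side" looks like in practice, as an added example that is not code from the page or the Meechum module: a fetch wrapper that recognises the expired-session signals and sends the browser back through the login flow instead of handing the caller a login page. It assumes (the page does not say this) that the API is called from the app's own pages with the Meechum session cookie, that the API answers with JSON, and that a full navigation to any Meechum-protected URL restarts the login flow; fakeResponse and the sample calls are constructed for offline checks.

```javascript
// Added example (not from the page or the Meechum module): client-side handling
// of the 401 that the module returns with OIDCUnAuthAction 401.
// Assumptions: JSON API called from the same app's pages with the session
// cookie; navigating to any protected URL restarts the login flow.

// Pure decision function, so it can be exercised without a browser.
// status/type come from a fetch Response, contentType from its headers.
function classifyApiResponse(status, type, contentType) {
  // With OIDCUnAuthAction 401 an expired session yields a clean 401.
  if (status === 401) return { action: 'reauth', reason: 'unauthenticated' };
  // With the default action (redirect) and redirect: 'manual', fetch returns an
  // opaqueredirect (status 0) instead of silently following into the login page.
  if (type === 'opaqueredirect') return { action: 'reauth', reason: 'redirected' };
  // A 2xx carrying HTML instead of JSON is the same failure after a followed
  // redirect (assumes the API only ever answers with JSON).
  if (status >= 200 && status < 300) {
    const ct = (contentType || '').toLowerCase();
    return ct.includes('application/json')
      ? { action: 'ok' }
      : { action: 'reauth', reason: 'html-instead-of-json' };
  }
  return { action: 'error', status };
}

// Calls the API; on an expired session it sends the browser back through the
// login flow. deps lets tests inject fetch/navigate; in the browser the defaults apply.
async function apiFetch(url, options = {}, deps = {}) {
  const doFetch = deps.fetch || globalThis.fetch;
  const navigate = deps.navigate || ((href) => window.location.assign(href));
  const returnTo = deps.currentHref || window.location.href;

  const res = await doFetch(url, {
    credentials: 'include', // send the Meechum session cookie
    redirect: 'manual',     // never follow a 302 into the identity provider from XHR
    ...options,
  });
  const verdict = classifyApiResponse(res.status, res.type, res.headers.get('content-type'));
  if (verdict.action === 'reauth') {
    // A full navigation (not XHR) lets the module redirect to the OP and back here.
    navigate(returnTo);
    return null;
  }
  if (verdict.action === 'error') {
    throw new Error(`API call failed with HTTP ${res.status}`);
  }
  return res;
}

// Minimal stand-in for a fetch Response, for offline checks only (constructed).
function fakeResponse(status, contentType, type = 'basic') {
  return {
    status,
    type,
    headers: { get: (h) => (h.toLowerCase() === 'content-type' ? contentType : null) },
  };
}
```

The wrapper never retries the call itself: once the session is gone, the right move is to leave the page so the module can run the OIDC flow and land the user back where they were, and retrying from XHR only produces the same 401. If a protected page must keep working for long-running work, this is the place to surface "your session expired" to the user rather than silently failing.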

Not all assets are equally sensitive. Use the APACHE_PLAIN_LOCATIONS or APACHE_LOCATIONS_FILE field in /etc/default/ezconfig to exempt non-sensitive static assets from authentication, so that an expired session does not break loading of fonts, images and stylesheets. Only list extensions whose content is genuinely public: an .html or .js file that embeds user data or internal endpoints is served to anyone once it matches the pattern. For example,

# Static assets: served without a Meechum session (anything matching is public)
<LocationMatch "\.(html|js|css|htm|eot|svg|ttf|woff|woff2|ijmap|png|jpe?g)$">
AuthType None
Require all granted
</LocationMatch>

Customize the login and error pages with my own HTML+CSS+JS

You can provide a path to a custom HTML error page on-instance via APACHE_MEECHUM_ERROR_TEMPLATE in /etc/default/ezconfig. The template must include two placeholder strings that the module fills in at the time of the error: the error title and the error message.

Add my own custom Apache configs?

Currently, you can add custom configs via /root/apps/apache/vhosts/myapp.conf within your project. This should be considered a last resort, for the case where EzConfig cannot be contorted to meet your Apache configuration needs. Be aware that Apache configuration paths can and do change with BaseAMI updates, and a hand-written vhost can silently override the module's authentication settings for the paths it covers. It is recommended to avoid manual Apache configs unless absolutely necessary.

Integrate with external partners (e.g: Prodicle)

There are two simple steps to integrate with external partners:

  • Go to the 'Access Control' section in Edward and choose the appropriate 'Partner Directory' selections for your environment.
  • In your ezconfig file, add the following line:
    APACHE_MEECHUM_AUTH_REQUEST_PARAMS = "auth_strategy=<auth strategy endpoint definition>"

Where <auth strategy endpoint definition> is one of NetflixPartnerLogin, NetflixPartnerTestLogin, or Prodicle. Further information about optional properties can be found here: Apache Module (all languages supported)#AdditionalOptionalProperties

I'm getting an error ...

400 Bad Request

This is usually caused by exceeding header size limits. If using EzConfig you should have a TOMCAT_VERSION=8 entry in /root/etc/default/ezconfig of the repo you are baking. Only Tomcat 8 has the expanded header size configuration.

There are cache errors in my Apache logs

[Wed Feb 15 00:54:08.782200 2017] [auth_openidc:error] [pid 3754:tid 140115263325952] [client 100.127.69.66:11577] oidc_cache_memcache_log_status_error: apr_memcache_set returned an error: [Could not find specified socket in poll list.]; check your that your memcache server is available/accessible., referer: https://myapp.dyntest.netflix.net:7002/meechum

This class of error usually indicates a connectivity problem between your instance and the Redis/Memcache server that the Apache module uses for session persistence: typically a security group that does not allow the instance to reach the cache port, or a bad hostname in the ezconfig cache settings.

400 - Invalid redirect_uri

The redirect_uri error typically occurs when a new URL is being tested that is not part of the app configuration. The URI the module sends must match an entry in Edward exactly (scheme, host, port and path) unless that entry uses a wildcard as described above. Please visit go/edward to add your new URI to your application.

ELB 504 Responses (Gateway Timeout)

There is a known interaction between ELBs and Apache KeepAlives; more details here: ezconfig - ELB 504 Responses. ELBs use HTTP/1.1 to the backend by default, which reuses connections, and Apache, by default, also uses KeepAlive. When the default KeepAlive timeout (5 seconds) expires, Apache closes the idle connection without the ELB noticing. The ELB's next request on that connection fails with a 504, a new HTTP connection is built, and the cycle repeats. The standard mitigation is to set Apache's KeepAliveTimeout higher than the ELB's idle timeout (60 seconds by default), so that the load balancer, not the backend, is the side that closes idle connections.

OIDCClientSecret takes one argument, Client secret used in calls to OpenID Connect OP

If you see "OIDCClientSecret takes one argument, Client secret used in calls to OpenID Connect OP." in /apps/apache/logs/validate.log, there is a known ordering issue between EzConfig and Metatron when using Trusty. Make sure you are using Xenial.

How can I use the Edward API for accessing Google group information?

This can be accomplished by first requesting access to the appropriate OAuth scopes.

The first required scope is

meechumsg-edwardmeechum-groups-readonly

Additional scopes for read and/or write access are also needed

meechumsg-edwardmeechum-groups-readonly
meechumsg-edwardmeechum-groups-netflix-readonly

I'm getting DNS errors after trying to authenticate with Meechum

If you are using the Apache Meechum module and have changed your hostname at any point, you will also need to update your configuration. Visit Edward to regenerate a fresh ezconfig file, or update the APACHE_HTTPSHOSTNAME in your existing ezconfig file.

How do I use Meechum for CLI operations?

For command-line operations, you will have to acquire a bearer token from a web browser (or from a utility such as Postman). Some quick steps:

  • Open Google Chrome, start 'developer tools' and copy the bearer token.
  • Open a terminal prompt and run a test curl:

(root) /tmp # export BEARER_TOKEN="<bearer token copied from Chrome browser>"
(root) /tmp # curl -H "Authorization: Bearer $BEARER_TOKEN" https://myapp.netflix.net/api/getinfo

Treat the token as the credential it is: an inline export lands it in your shell history, so prefer reading it into the variable with read -s BEARER_TOKEN, and do not paste it into scripts or tickets. It expires; when curl starts returning 401 responses, copy a fresh one from the browser.