Hello everybody, I’ve been trying to figure this out for several weeks now and have made little progress. Just to give you an example, here’s the Apache2 configuration:
ServerName 192.168.56.101
Listen 5602
<VirtualHost *:5602>
OIDCCryptoPassphrase a-random-secret-used-by-apache-oidc-and-balancer
OIDCProviderMetadataURL http://192.168.56.101:8080/realms/master/.well-known/openid-configuration
OIDCClientID mvar
OIDCClientSecret rgUJdVaiBrIwTJeLkXow978SXW7k7rfB
OIDCRedirectURI /oidc/callback
OIDCSSLValidateServer Off
# OIDCProviderTokenEndpointAuth client_secret_basic
# OIDCRemoteUserClaim preferred_username
# OIDCRemoteUserClaim email
# OIDCScope "openid email apache-scope"
<Location /oidc>
AuthType openid-connect
Require valid-user
ProxyPass http://127.0.0.1:5601/
# ProxyPassReverse http://127.0.0.1:5601/
LogLevel debug
</Location>
</VirtualHost>
Listen 5600
<VirtualHost *:5600>
ProxyPreserveHost On
ProxyPass / http://localhost:5601/
# ProxyPassReverse /kibana http://localhost:5601/
</VirtualHost>
I have kibana on VM localhost:5601, when I access to [ExternalVirtualMachineIP]:5600, apache2 redirects me to kibana, but i can’t make it work virtual host 5602 so that after authorization in keycloack I need to get redirected to locahhost:5601 kibana?
I can’t figure out what I need to specify in OIDCRedirectURI? after all, I need to actually redirect to the same virtual host after authorization? maybe someone has some ideas about this? what am I doing wrong?
[Fri Jun 02 10:49:29.719052 2023] [authz_core:debug] [pid 53762:tid 140342250682112] mod_authz_core.c(817): [client 192.168.56.101:57648] AH01626: authorization result of Require valid-user : denied (no authenticated user yet)
[Fri Jun 02 10:49:29.719094 2023] [authz_core:debug] [pid 53762:tid 140342250682112] mod_authz_core.c(817): [client 192.168.56.101:57648] AH01626: authorization result of <RequireAny>: denied (no authenticated user yet)
[Fri Jun 02 10:49:29.719119 2023] [auth_openidc:debug] [pid 53762:tid 140342250682112] src/mod_auth_openidc.c(3917): [client 192.168.56.101:57648] oidc_check_user_id: incoming request: "/oidc/?(null)", ap_is_initial_req(r)=1
[Fri Jun 02 10:49:29.719135 2023] [auth_openidc:debug] [pid 53762:tid 140342250682112] src/util.c(2309): [client 192.168.56.101:57648] oidc_util_hdr_in_get: Cookie=sid=Fe26.2**f4b4d0e7a7311c06038c61f4ecee3965c5cbff806ecf9d8db9bb5fde0bcc9b65*tozjUIOqHXRwJFc0yI68fQ*0AyFJ2bAM_VQDq0mrfHMAqDNCrcP9jNN8h7SCH4uVo3AqiZAPeIn6eh6DwdjkinC4dU2GquytIoZnPjt-KvM3z86oc_yJYRPyAtZgU_FAVeLF2NAbdh865sJ0rH9ROaj45grtrSXXEQjm7uaVwF5dZmrjaOCCAqPRZEvJHv5ln3dm-r4M5U1cKeAY0mn7Gb7mGVpoIrgpkMeigoD5P6gKCMnKT9q8mm74QF4nyws9Fw7ZMSVAGg7aucRDlpI3iys**422ee16b1735521f8bfeb6b0b5e74e759d29fde5a643705428459b38d4b023f6*Jz1zHVrmnklcW2BCC8PumH8amcVM9jSyfW2gsMimvYQ
[Fri Jun 02 10:49:29.719143 2023] [auth_openidc:debug] [pid 53762:tid 140342250682112] src/util.c(1054): [client 192.168.56.101:57648] oidc_util_get_cookie: returning "mod_auth_openidc_session" = <null>
[Fri Jun 02 10:49:29.719148 2023] [auth_openidc:debug] [pid 53762:tid 140342250682112] src/util.c(1217): [client 192.168.56.101:57648] oidc_util_request_matches_url: comparing "/oidc/"=="/oidc/callback/"
[Fri Jun 02 10:49:29.719153 2023] [auth_openidc:debug] [pid 53762:tid 140342250682112] src/util.c(2309): [client 192.168.56.101:57648] oidc_util_hdr_in_get: Accept=text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
[Fri Jun 02 10:49:29.719161 2023] [auth_openidc:debug] [pid 53762:tid 140342250682112] src/util.c(2309): [client 192.168.56.101:57648] oidc_util_hdr_in_get: Host=192.168.56.101:5602
[Fri Jun 02 10:49:29.719169 2023] [auth_openidc:debug] [pid 53762:tid 140342250682112] src/util.c(2309): [client 192.168.56.101:57648] oidc_util_hdr_in_get: Host=192.168.56.101:5602
[Fri Jun 02 10:49:29.719174 2023] [auth_openidc:debug] [pid 53762:tid 140342250682112] src/util.c(518): [client 192.168.56.101:57648] oidc_get_current_url: current URL 'http://192.168.56.101:5602/oidc/'
[Fri Jun 02 10:49:29.719178 2023] [auth_openidc:debug] [pid 53762:tid 140342250682112] src/mod_auth_openidc.c(2386): [client 192.168.56.101:57648] oidc_authenticate_user: enter
[Fri Jun 02 10:49:29.719182 2023] [auth_openidc:debug] [pid 53762:tid 140342250682112] src/cache/common.c(578): [client 192.168.56.101:57648] oidc_cache_get: enter: http://192.168.56.101:8080/realms/master/.well-known/openid-configuration (section=p, decrypt=0, type=shm)
[Fri Jun 02 10:49:29.719201 2023] [auth_openidc:debug] [pid 53762:tid 140342250682112] src/cache/common.c(612): [client 192.168.56.101:57648] oidc_cache_get: cache hit: return 5928 bytes from shm cache backend for key http://192.168.56.101:8080/realms/master/.well-known/openid-configuration
[Fri Jun 02 10:49:29.719539 2023] [auth_openidc:debug] [pid 53762:tid 140342250682112] src/proto.c(81): [client 192.168.56.101:57648] oidc_proto_generate_random_bytes: apr_generate_random_bytes call for 32 bytes
[Fri Jun 02 10:49:29.719573 2023] [auth_openidc:debug] [pid 53762:tid 140342250682112] src/proto.c(85): [client 192.168.56.101:57648] oidc_proto_generate_random_bytes: apr_generate_random_bytes returned
[Fri Jun 02 10:49:29.719581 2023] [auth_openidc:debug] [pid 53762:tid 140342250682112] src/util.c(1217): [client 192.168.56.101:57648] oidc_util_request_matches_url: comparing "/oidc/"=="/oidc/callback/"
[Fri Jun 02 10:49:29.719600 2023] [auth_openidc:debug] [pid 53762:tid 140342250682112] src/mod_auth_openidc.c(232): [client 192.168.56.101:57648] oidc_get_browser_state_hash: enter
[Fri Jun 02 10:49:29.719606 2023] [auth_openidc:debug] [pid 53762:tid 140342250682112] src/util.c(2309): [client 192.168.56.101:57648] oidc_util_hdr_in_get: User-Agent=Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/113.0.0.0 Safari/537.36
[Fri Jun 02 10:49:29.719686 2023] [auth_openidc:debug] [pid 53762:tid 140342250682112] src/util.c(2098): [client 192.168.56.101:57648] oidc_util_create_symmetric_key: key_len=32
[Fri Jun 02 10:49:29.719784 2023] [auth_openidc:debug] [pid 53762:tid 140342250682112] src/util.c(2309): [client 192.168.56.101:57648] oidc_util_hdr_in_get: Cookie=sid=Fe26.2**f4b4d0e7a7311c06038c61f4ecee3965c5cbff806ecf9d8db9bb5fde0bcc9b65*tozjUIOqHXRwJFc0yI68fQ*0AyFJ2bAM_VQDq0mrfHMAqDNCrcP9jNN8h7SCH4uVo3AqiZAPeIn6eh6DwdjkinC4dU2GquytIoZnPjt-KvM3z86oc_yJYRPyAtZgU_FAVeLF2NAbdh865sJ0rH9ROaj45grtrSXXEQjm7uaVwF5dZmrjaOCCAqPRZEvJHv5ln3dm-r4M5U1cKeAY0mn7Gb7mGVpoIrgpkMeigoD5P6gKCMnKT9q8mm74QF4nyws9Fw7ZMSVAGg7aucRDlpI3iys**422ee16b1735521f8bfeb6b0b5e74e759d29fde5a643705428459b38d4b023f6*Jz1zHVrmnklcW2BCC8PumH8amcVM9jSyfW2gsMimvYQ
[Fri Jun 02 10:49:29.719807 2023] [auth_openidc:debug] [pid 53762:tid 140342250682112] src/util.c(944): [client 192.168.56.101:57648] oidc_util_set_cookie_append_value: no cookie append environment variable OIDC_SET_COOKIE_APPEND found
[Fri Jun 02 10:49:29.719813 2023] [auth_openidc:debug] [pid 53762:tid 140342250682112] src/util.c(2387): [client 192.168.56.101:57648] oidc_util_hdr_err_out_add: Set-Cookie: mod_auth_openidc_state_CJJ0h7Cj8vqu4Gprix72Oy_NxKc=eyJhbGciOiAiZGlyIiwgImVuYyI6ICJBMjU2R0NNIn0..19enlQ99HOwUxOhd.PJ5kPfb5gyfADAzQcSk5sw4d3-x4_t0SNlOGGiim7WohB9tMZsGUW-Ds1sdQOGC0q_Tt2E6XdOO882UJBnKXn1DP2vZyO3P4qDe8t_wK0rtOypYi1bDLdWXWXaUOwkyDSZunG5BWNycmp9BWelQUjnnH_SisHfPqqiL7WZtYx1HhRKuiVvZ-Kw7IvMGLjXEcPvvYzFG2einIB1ZRLaPD2m4M-6orLmyR5iHB8ZwQvJi7OlCFSDSKEyIgYRjtXPcArMyTl-wbinIja9vqKnSA9zrDYRBeMwjA4pSHcHPgVEEmPx5JurHUQaTyfFjySLDL9-Ib0IUwpaPJaEXsg5WHQhCFCoopxwN34V4FpRI54_2EX0Aoyj5OTrabI855GWxtizWcFADT0R-c74S8E20.g5GOAfJ76EM_3qZ6T-amhw; Path=/; HttpOnly; SameSite=None
[Fri Jun 02 10:49:29.719829 2023] [auth_openidc:debug] [pid 53762:tid 140342250682112] src/proto.c(655): [client 192.168.56.101:57648] oidc_proto_authorization_request: enter, issuer=http://192.168.56.101:8080/realms/master, redirect_uri=http://192.168.56.101:5602/oidc/callback/, state=CJJ0h7Cj8vqu4Gprix72Oy_NxKc, proto_state={"ou":"http://192.168.56.101:5602/oidc/","om":"get","i":"http://192.168.56.101:8080/realms/master","rt":"code","n":"SvaDewMBzpU6mfzwgYAfjP_iU7urSFR3ZRXb1Qajx4s","t":1685695769}, code_challenge=(null), auth_request_params=(null), path_scope=(null)
[Fri Jun 02 10:49:29.719837 2023] [auth_openidc:debug] [pid 53762:tid 140342250682112] src/util.c(619): [client 192.168.56.101:57648] oidc_util_http_add_form_url_encoded_param: processing: response_type=code
[Fri Jun 02 10:49:29.719898 2023] [auth_openidc:debug] [pid 53762:tid 140342250682112] src/util.c(619): [client 192.168.56.101:57648] oidc_util_http_add_form_url_encoded_param: processing: scope=openid
[Fri Jun 02 10:49:29.719913 2023] [auth_openidc:debug] [pid 53762:tid 140342250682112] src/util.c(619): [client 192.168.56.101:57648] oidc_util_http_add_form_url_encoded_param: processing: client_id=mvar
[Fri Jun 02 10:49:29.719925 2023] [auth_openidc:debug] [pid 53762:tid 140342250682112] src/util.c(619): [client 192.168.56.101:57648] oidc_util_http_add_form_url_encoded_param: processing: state=CJJ0h7Cj8vqu4Gprix72Oy_NxKc
[Fri Jun 02 10:49:29.719939 2023] [auth_openidc:debug] [pid 53762:tid 140342250682112] src/util.c(619): [client 192.168.56.101:57648] oidc_util_http_add_form_url_encoded_param: processing: redirect_uri=http://192.168.56.101:5602/oidc/callback/
[Fri Jun 02 10:49:29.719952 2023] [auth_openidc:debug] [pid 53762:tid 140342250682112] src/util.c(619): [client 192.168.56.101:57648] oidc_util_http_add_form_url_encoded_param: processing: nonce=SvaDewMBzpU6mfzwgYAfjP_iU7urSFR3ZRXb1Qajx4s
[Fri Jun 02 10:49:29.719973 2023] [auth_openidc:debug] [pid 53762:tid 140342250682112] src/util.c(648): [client 192.168.56.101:57648] oidc_util_http_query_encoded_url: url=http://192.168.56.101:8080/realms/master/protocol/openid-connect/auth?response_type=code&scope=openid&client_id=mvar&state=CJJ0h7Cj8vqu4Gprix72Oy_NxKc&redirect_uri=http%3A%2F%2F192.168.56.101%3A5602%2Foidc%2Fcallback%2F&nonce=SvaDewMBzpU6mfzwgYAfjP_iU7urSFR3ZRXb1Qajx4s
[Fri Jun 02 10:49:29.719981 2023] [auth_openidc:debug] [pid 53762:tid 140342250682112] src/util.c(2365): [client 192.168.56.101:57648] oidc_util_hdr_table_set: Location: http://192.168.56.101:8080/realms/master/protocol/openid-connect/auth?response_type=code&scope=openid&client_id=mvar&state=CJJ0h7Cj8vqu4Gprix72Oy_NxKc&redirect_uri=http%3A%2F%2F192.168.56.101%3A5602%2Foidc%2Fcallback%2F&nonce=SvaDewMBzpU6mfzwgYAfjP_iU7urSFR3ZRXb1Qajx4s
[Fri Jun 02 10:49:29.719987 2023] [auth_openidc:debug] [pid 53762:tid 140342250682112] src/util.c(2387): [client 192.168.56.101:57648] oidc_util_hdr_err_out_add: Cache-Control: no-cache, no-store, max-age=0
[Fri Jun 02 10:49:29.719990 2023] [auth_openidc:debug] [pid 53762:tid 140342250682112] src/proto.c(782): [client 192.168.56.101:57648] oidc_proto_authorization_request: return: 302
[Fri Jun 02 10:49:29.737654 2023] [authz_core:debug] [pid 53762:tid 140342242289408] mod_authz_core.c(817): [client 192.168.56.101:57648] AH01626: authorization result of Require valid-user : denied (no authenticated user yet)
[Fri Jun 02 10:49:29.737693 2023] [authz_core:debug] [pid 53762:tid 140342242289408] mod_authz_core.c(817): [client 192.168.56.101:57648] AH01626: authorization result of <RequireAny>: denied (no authenticated user yet)
[Fri Jun 02 10:49:29.737703 2023] [auth_openidc:debug] [pid 53762:tid 140342242289408] src/mod_auth_openidc.c(3917): [client 192.168.56.101:57648] oidc_check_user_id: incoming request: "/oidc/callback/?state=CJJ0h7Cj8vqu4Gprix72Oy_NxKc&session_state=84798091-324c-4c03-8caf-ae24459dc435&code=957f6eae-391b-49ca-b71b-70f69e9f2f70.84798091-324c-4c03-8caf-ae24459dc435.8c3f6056-532d-4989-81b9-d4c289e4d5a6", ap_is_initial_req(r)=1
[Fri Jun 02 10:49:29.737713 2023] [auth_openidc:debug] [pid 53762:tid 140342242289408] src/util.c(2309): [client 192.168.56.101:57648] oidc_util_hdr_in_get: Cookie=sid=Fe26.2**f4b4d0e7a7311c06038c61f4ecee3965c5cbff806ecf9d8db9bb5fde0bcc9b65*tozjUIOqHXRwJFc0yI68fQ*0AyFJ2bAM_VQDq0mrfHMAqDNCrcP9jNN8h7SCH4uVo3AqiZAPeIn6eh6DwdjkinC4dU2GquytIoZnPjt-KvM3z86oc_yJYRPyAtZgU_FAVeLF2NAbdh865sJ0rH9ROaj45grtrSXXEQjm7uaVwF5dZmrjaOCCAqPRZEvJHv5ln3dm-r4M5U1cKeAY0mn7Gb7mGVpoIrgpkMeigoD5P6gKCMnKT9q8mm74QF4nyws9Fw7ZMSVAGg7aucRDlpI3iys**422ee16b1735521f8bfeb6b0b5e74e759d29fde5a643705428459b38d4b023f6*Jz1zHVrmnklcW2BCC8PumH8amcVM9jSyfW2gsMimvYQ
[Fri Jun 02 10:49:29.737720 2023] [auth_openidc:debug] [pid 53762:tid 140342242289408] src/util.c(1054): [client 192.168.56.101:57648] oidc_util_get_cookie: returning "mod_auth_openidc_session" = <null>
[Fri Jun 02 10:49:29.737726 2023] [auth_openidc:debug] [pid 53762:tid 140342242289408] src/util.c(1217): [client 192.168.56.101:57648] oidc_util_request_matches_url: comparing "/oidc/callback/"=="/oidc/callback/"
[Fri Jun 02 10:49:29.737739 2023] [auth_openidc:debug] [pid 53762:tid 140342242289408] src/mod_auth_openidc.c(2209): [client 192.168.56.101:57648] oidc_handle_redirect_authorization_response: enter
[Fri Jun 02 10:49:29.737783 2023] [auth_openidc:debug] [pid 53762:tid 140342242289408] src/util.c(1529): [client 192.168.56.101:57648] oidc_util_read_form_encoded_params: read: state=CJJ0h7Cj8vqu4Gprix72Oy_NxKc
[Fri Jun 02 10:49:29.737802 2023] [auth_openidc:debug] [pid 53762:tid 140342242289408] src/util.c(1529): [client 192.168.56.101:57648] oidc_util_read_form_encoded_params: read: session_state=84798091-324c-4c03-8caf-ae24459dc435
[Fri Jun 02 10:49:29.737813 2023] [auth_openidc:debug] [pid 53762:tid 140342242289408] src/util.c(1529): [client 192.168.56.101:57648] oidc_util_read_form_encoded_params: read: code=957f6eae-391b-49ca-b71b-70f69e9f2f70.84798091-324c-4c03-8caf-ae24459dc435.8c3f6056-532d-4989-81b9-d4c289e4d5a6
[Fri Jun 02 10:49:29.737827 2023] [auth_openidc:debug] [pid 53762:tid 140342242289408] src/util.c(1533): [client 192.168.56.101:57648] oidc_util_read_form_encoded_params: parsed: 200 bytes into 3 elements
[Fri Jun 02 10:49:29.737832 2023] [auth_openidc:debug] [pid 53762:tid 140342242289408] src/mod_auth_openidc.c(2036): [client 192.168.56.101:57648] oidc_handle_authorization_response: enter, response_mode=query
[Fri Jun 02 10:49:29.737837 2023] [auth_openidc:debug] [pid 53762:tid 140342242289408] src/mod_auth_openidc.c(1667): [client 192.168.56.101:57648] oidc_authorization_response_match_state: enter (state=CJJ0h7Cj8vqu4Gprix72Oy_NxKc)
[Fri Jun 02 10:49:29.737841 2023] [auth_openidc:debug] [pid 53762:tid 140342242289408] src/mod_auth_openidc.c(805): [client 192.168.56.101:57648] oidc_restore_proto_state: enter
[Fri Jun 02 10:49:29.737846 2023] [auth_openidc:debug] [pid 53762:tid 140342242289408] src/util.c(2309): [client 192.168.56.101:57648] oidc_util_hdr_in_get: Cookie=sid=Fe26.2**f4b4d0e7a7311c06038c61f4ecee3965c5cbff806ecf9d8db9bb5fde0bcc9b65*tozjUIOqHXRwJFc0yI68fQ*0AyFJ2bAM_VQDq0mrfHMAqDNCrcP9jNN8h7SCH4uVo3AqiZAPeIn6eh6DwdjkinC4dU2GquytIoZnPjt-KvM3z86oc_yJYRPyAtZgU_FAVeLF2NAbdh865sJ0rH9ROaj45grtrSXXEQjm7uaVwF5dZmrjaOCCAqPRZEvJHv5ln3dm-r4M5U1cKeAY0mn7Gb7mGVpoIrgpkMeigoD5P6gKCMnKT9q8mm74QF4nyws9Fw7ZMSVAGg7aucRDlpI3iys**422ee16b1735521f8bfeb6b0b5e74e759d29fde5a643705428459b38d4b023f6*Jz1zHVrmnklcW2BCC8PumH8amcVM9jSyfW2gsMimvYQ
[Fri Jun 02 10:49:29.737853 2023] [auth_openidc:debug] [pid 53762:tid 140342242289408] src/util.c(2309): [client 192.168.56.101:57648] oidc_util_hdr_in_get: Cookie=sid=Fe26.2**f4b4d0e7a7311c06038c61f4ecee3965c5cbff806ecf9d8db9bb5fde0bcc9b65*tozjUIOqHXRwJFc0yI68fQ*0AyFJ2bAM_VQDq0mrfHMAqDNCrcP9jNN8h7SCH4uVo3AqiZAPeIn6eh6DwdjkinC4dU2GquytIoZnPjt-KvM3z86oc_yJYRPyAtZgU_FAVeLF2NAbdh865sJ0rH9ROaj45grtrSXXEQjm7uaVwF5dZmrjaOCCAqPRZEvJHv5ln3dm-r4M5U1cKeAY0mn7Gb7mGVpoIrgpkMeigoD5P6gKCMnKT9q8mm74QF4nyws9Fw7ZMSVAGg7aucRDlpI3iys**422ee16b1735521f8bfeb6b0b5e74e759d29fde5a643705428459b38d4b023f6*Jz1zHVrmnklcW2BCC8PumH8amcVM9jSyfW2gsMimvYQ
[Fri Jun 02 10:49:29.737860 2023] [auth_openidc:debug] [pid 53762:tid 140342242289408] src/util.c(1054): [client 192.168.56.101:57648] oidc_util_get_cookie: returning "mod_auth_openidc_state_CJJ0h7Cj8vqu4Gprix72Oy_NxKc" = <null>
[Fri Jun 02 10:49:29.737864 2023] [auth_openidc:error] [pid 53762:tid 140342242289408] [client 192.168.56.101:57648] oidc_restore_proto_state: no "mod_auth_openidc_state_CJJ0h7Cj8vqu4Gprix72Oy_NxKc" state cookie found
[Fri Jun 02 10:49:29.737869 2023] [auth_openidc:warn] [pid 53762:tid 140342242289408] [client 192.168.56.101:57648] oidc_proto_peek_jwt_header: could not parse first element separated by "." from input
[Fri Jun 02 10:49:29.737873 2023] [auth_openidc:debug] [pid 53762:tid 140342242289408] src/mod_auth_openidc.c(537): [client 192.168.56.101:57648] oidc_unsolicited_proto_state: enter: state header=(null)
[Fri Jun 02 10:49:29.737890 2023] [auth_openidc:debug] [pid 53762:tid 140342242289408] src/util.c(2098): [client 192.168.56.101:57648] oidc_util_create_symmetric_key: key_len=32
[Fri Jun 02 10:49:29.737913 2023] [auth_openidc:error] [pid 53762:tid 140342242289408] [client 192.168.56.101:57648] oidc_unsolicited_proto_state: could not parse JWT from state: invalid unsolicited response: [src/jose.c:754: oidc_jwt_parse]: cjose_jws_import failed: invalid argument [file: jws.c, function: cjose_jws_import, line: 781]
[Fri Jun 02 10:49:29.737920 2023] [auth_openidc:error] [pid 53762:tid 140342242289408] [client 192.168.56.101:57648] oidc_authorization_response_match_state: unable to restore state
[Fri Jun 02 10:49:29.737924 2023] [auth_openidc:error] [pid 53762:tid 140342242289408] [client 192.168.56.101:57648] oidc_handle_authorization_response: invalid authorization response state and no default SSO URL is set, sending an error...
I constantly get different Apache2 errors, the log analysis does not help in any way…
Thank you for reading…