Skip to content
Hans Zandbelt edited this page Oct 28, 2021 · 5 revisions

Apache Configuration

Sample configuration for multiple OpenID Connect providers, which triggers OpenID Connect Discovery first to find the user's OP. OIDCMetadataDir points to a directory that contains files that contain per-provider configuration data.

OIDCMetadataDir <somewhere-writable-for-the-apache-process>/metadata

OIDCRedirectURI https://www.example.com/example/redirect_uri/
OIDCCryptoPassphrase <password>

<Location /example/>
   AuthType openid-connect
   Require valid-user
</Location>

Metadata Directory

For each provider, there are 3 types of files in the directory:

  1. <urlencoded-issuer-value-with-https-prefix-and-trailing-slash-stripped>.provider
    contains (standardized) OpenID Connect Discovery OP JSON metadata where each name of the file is the url-encoded issuer name of the OP that is described by the metadata in that file.

  2. <urlencoded-issuer-value-with-https-prefix-and-trailing-slash-stripped>.client
    contains statically configured or dynamically registered Dynamic Client Registration specific JSON metadata (based on the OpenID Connect Client Registration specification) and the filename is the url-encoded issuer name of the OP that this client is registered with. Sample client metadata for issuer https://localhost:9031, so the client metadata filename is localhost%3A9031.client:

     {
         "client_id" : "ac_oic_client",
         "client_secret" : "abc123DEFghijklmnop4567rstuvwxyzZYXWUT8910SRQPOnmlijhoauthplaygroundapplication"
     }
    
  3. <urlencoded-issuer-value-with-https-prefix-and-trailing-slash-stripped>.conf
    contains mod_auth_openidc specific custom JSON metadata that can be used to overrule some of the settings defined in auth_openidc.conf on a per-client basis. The filename is the URL-encoded issuer name of the OP that this client is registered with.

The .conf file is used to configure OP specific behavior that overrules generic configuration primitives.

OP/Client Configuration

Entries that can be included in the .conf file are:

  • ssl_validate_server

    Overrides OIDCSSLValidateServer (value 0 or 1, On/Off or boolean).

  • scope

    Overrides OIDCScope.

  • response_type

    Overrides OIDCResponseType.

  • response_mode

    Overrides OIDCResponseMode.

  • pkce_method

    Overrides OIDCPKCEMethod.

  • client_name

    Overrides OIDCClientName.

  • client_contact

    Overrides OIDCClientContact.

  • idtoken_iat_slack

    Overrides OIDCIDTokenIatSlack.

  • session_max_duration

    Overrides OIDCSessionMaxDuration.

  • jwks_refresh_interval

    Overrides OIDCJWKSRefreshInterval.

  • client_jwks_uri

    Overrides OIDCClientJwksUri.

  • id_token_signed_response_alg

    Overrides OIDCIDTokenSignedResponseAlg.

  • id_token_encrypted_response_alg

    Overrides OIDCIDTokenEncryptedResponseAlg.

  • id_token_encrypted_response_enc

    Overrides OIDCIDTokenEncryptedResponseEnc.

  • userinfo_signed_response_alg

    Overrides OIDCUserInfoSignedResponseAlg.

  • userinfo_encrypted_response_alg

    Overrides OIDCUserInfoEncryptedResponseAlg.

  • userinfo_encrypted_response_enc

    Overrides OIDCUserInfoEncryptedResponseEnc.

  • auth_request_params

    Overrides OIDCAuthRequestParams.

  • token_endpoint_params

    Overrides OIDCProviderTokenEndpointParams.

  • token_endpoint_auth

    Overrides OIDCProviderTokenEndpointAuth.

  • registration_endpoint_json

    Overrides OIDCProviderRegistrationEndpointJson.

  • userinfo_refresh_interval

    Overrides OIDCUserInfoRefreshInterval.

  • userinfo_token_method

    Overrides OIDCUserInfoTokenMethod.

  • request_object

    Overrides OIDCRequestObject.

  • auth_request_method

    Overrides OIDCProviderAuthRequestMethod.

  • registration_token

    (only in multi-provider setups)

    An access_token that will be used on client registration calls for the associated OP.

  • issuer_specific_redirect_uri

    (only in multi-provider setups)

    Indicates whether an issuer specific redirect URI will be used to mitigate the IDP mixup attack; see https://github.com/pingidentity/mod_auth_openidc/issues/291; when enabled, a query parameter "iss" will be added dynamically to the redirect URI with the value of the url-encoded issuer identifier (boolean) [since version 2.3.2rc6).

  • keys

    (only in multi-provider setups, since version 2.4.0)

    A set of JWKs that is used to sign, encrypt and decrypt tokens exchanged with the OpenID Connect Provider. See RFC 7517 for syntax and examples.

Sample

Below is sample client metadata for issuer https://localhost:9031, so the mod_auth_openidc configuration filename is localhost%3A9031.conf:

{
  "ssl_validate_server" : 0,
  "scope" : "openid email profile"
}

Discovery

If you do not want to use the internal discovery page (you really shouldn't...), you can have the user being redirected to an external discovery page by setting OIDCDiscoverURL. That URL will be accessed with a number parameters: oidc_callback, target_link_uri, method and x_csrf. All parameters (except oidc_callback) need to be returned to the oidc_callback URL together with an iss parameter that contains the URL-encoded issuer value of the selected Provider, or a URL-encoded account name for OpenID Connect Discovery purposes (aka. e-mail style identifier), or a domain name.

Sample callback:

<oidc_callback>?target_link_uri=<target_link_uri>&iss=[<issuer>|<domain>|<e-mail-style-account-name>][&login_hint=<name>][&scopes=<space-separated-scopes>][&auth_request_params=<urlencoded-query-string>]

This is also the OpenID Connect specified way of triggering 3rd party initiated SSO to a specific provider when multiple OPs have been configured. In that case the callback may also contain a "login_hint" parameter with the login identifier the user might use to log in.

An additional mod_auth_openidc specific parameter named auth_request_params may also be passed in, see the Wiki for its usage.

Authorization

If you need to restrict certain Locations to a single provider and you want to skip the Discovery page for those locations, immediately redirecting the the appropriate Provider, see: https://github.com/zmartzone/mod_auth_openidc/wiki/Authorization#3-access-to-different-url-paths-on-a-per-provider-basis