Apache OpenID Connect
This projects allows you to turn Apache into an OpenID Connect Provider (OP). This is useful if you currently have an environment that's currently protected by Apache's Basic or Digest Authentication, and want to use that authentication in related environments without sharing password files.
It builds on top of Brent Shaffer's https://github.com/bshaffer/oauth2-server-php for all the OAuth/OIDC related magic, so big thanks to him for that effort.
Before starting, please make sure you're familiar with both OAuth2 and OpenID Connect.
Getting things to work requires a couple of steps:
- Configure oauth2-server-php
- Generate keys
- Configure apache
oauth2-server-php requires a database to function. For this project we assume a mysql database. First, copy
config.php and modify accordingly. Then do
php generate-sql.php | mysql -u <your user> -p <your database> to generate the schema. Then define your first OAuth Client by inserting a row in the
OpenID Connect needs a private/public key pair to sign its tokens. First create a
keys directory in the root and
cd into it, then invoke
../bin/generate-keys.sh to generate the key pair.
First configure Apache such that you can access
www-root through it. Then setup Apache to require authentication for the
www-root/authorization.php file. An example
.htaccess file for doing so can be found in
examples/htaccess. Now, when you visit
authorization.php?client_id=<your client id>&state=<csrf state>&response_type=code&scope=openid, you should be requested to enter your credentials and be asked whether you want to Authorize the client.