Merge pull request #282 from jvlcek/oidc_to_httpd_config_issue_19866

Move API OpenID-Connect support to Apache configuration (cherry picked from commit 34c78fd)
ManageIQ · May 12, 2020 · 5a9e445 · 5a9e445
1 parent e528dd0
commit 5a9e445
Showing 1 changed file with 27 additions and 6 deletions.
diff --git a/TEMPLATE/etc/httpd/conf.d/manageiq-external-auth-openidc.conf.erb b/TEMPLATE/etc/httpd/conf.d/manageiq-external-auth-openidc.conf.erb
@@ -2,15 +2,36 @@ LoadModule auth_openidc_module modules/mod_auth_openidc.so
 ServerName https://<%= miq_appliance %>
 LogLevel   warn
 
-OIDCProviderMetadataURL  <%= oidc_provider_metadata_url %>
-OIDCCLientID             <%= oidc_client_id %>
-OIDCClientSecret         <%= oidc_client_secret %>
-OIDCRedirectURI          https://<%= miq_appliance %>/oidc_login/redirect_uri
-OIDCCryptoPassphrase     sp-cookie
-OIDCOAuthRemoteUserClaim username
+OIDCProviderMetadataURL            <%= oidc_provider_metadata_url %>
+OIDCCLientID                       <%= oidc_client_id %>
+OIDCClientSecret                   <%= oidc_client_secret %>
+OIDCRedirectURI                    https://<%= miq_appliance %>/oidc_login/redirect_uri
+OIDCCryptoPassphrase               sp-cookie
+OIDCOAuthRemoteUserClaim           username
+OIDCOAuthClientID                  <%= oidc_client_id %>
+OIDCOAuthClientSecret              <%= oidc_client_secret %>
+OIDCOAuthIntrospectionEndpoint     <%= oidc_introspection_endpoint %>
+OIDCOAuthIntrospectionEndpointAuth client_secret_basic
 
 <Location /oidc_login>
   AuthType  openid-connect
   Require   valid-user
 </Location>
 
+<LocationMatch ^/api(?!\/(v[\d\.]+\/)?product_info$)>
+  SetEnvIf Authorization '^Basic +YWRtaW46'     let_admin_in
+  SetEnvIf X-Auth-Token  '^.+$'                 let_api_token_in
+  SetEnvIf X-MIQ-Token   '^.+$'                 let_sys_token_in
+  SetEnvIf X-CSRF-Token  '^.+$'                 let_csrf_token_in
+
+  AuthType     oauth20
+  AuthName     "External Authentication (oidc) for API"
+
+  Require   valid-user
+  Order          Allow,Deny
+  Allow from env=let_admin_in
+  Allow from env=let_api_token_in
+  Allow from env=let_sys_token_in
+  Allow from env=let_csrf_token_in
+  Satisfy Any
+</LocationMatch>