Multiple Providers

Apache Configuration

Sample configuration for multiple OpenID Connect providers, which triggers OpenID Connect Discovery first to find the user's OP. OIDCMetadataDir points to a directory that contains files that contain per-provider configuration data.

OIDCMetadataDir <somewhere-writable-for-the-apache-process>/metadata

OIDCRedirectURI https://www.example.com/example/redirect_uri/
OIDCCryptoPassphrase <password>

<Location /example/>
   AuthType openid-connect
   Require valid-user
</Location>

Metadata Directory

For each provider, there are 3 types of files in the directory:

<urlencoded-issuer-value-with-https-prefix-and-trailing-slash-stripped>.provider
contains (standardized) OpenID Connect Discovery OP JSON metadata where each name of the file is the url-encoded issuer name of the OP that is described by the metadata in that file.
<urlencoded-issuer-value-with-https-prefix-and-trailing-slash-stripped>.client
contains statically configured or dynamically registered Dynamic Client Registration specific JSON metadata (based on the OpenID Connect Client Registration specification) and the filename is the url-encoded issuer name of the OP that this client is registered with. Sample client metadata for issuer https://localhost:9031, so the client metadata filename is localhost%3A9031.client:
```
 {
     "client_id" : "ac_oic_client",
     "client_secret" : "abc123DEFghijklmnop4567rstuvwxyzZYXWUT8910SRQPOnmlijhoauthplaygroundapplication"
 }
```
<urlencoded-issuer-value-with-https-prefix-and-trailing-slash-stripped>.conf
contains mod_auth_openidc specific custom JSON metadata that can be used to overrule some of the settings defined in auth_openidc.conf on a per-client basis. The filename is the URL-encoded issuer name of the OP that this client is registered with.

The .conf file is used to configure OP specific behavior that overrules generic configuration primitives.

OP/Client Configuration

Entries that can be included in the .conf file are:

ssl_validate_server

Overrides OIDCSSLValidateServer (value 0 or 1, On/Off or boolean).
scope

Overrides OIDCScope.
response_type

Overrides OIDCResponseType.
response_mode

Overrides OIDCResponseMode.
pkce_method

Overrides OIDCPKCEMethod.
client_name

Overrides OIDCClientName.
client_contact

Overrides OIDCClientContact.
idtoken_iat_slack

Overrides OIDCIDTokenIatSlack.
session_max_duration

Overrides OIDCSessionMaxDuration.
jwks_refresh_interval

Overrides OIDCJWKSRefreshInterval.
client_jwks_uri

Overrides OIDCClientJwksUri.
id_token_signed_response_alg

Overrides OIDCIDTokenSignedResponseAlg.
id_token_encrypted_response_alg

Overrides OIDCIDTokenEncryptedResponseAlg.
id_token_encrypted_response_enc

Overrides OIDCIDTokenEncryptedResponseEnc.
userinfo_signed_response_alg

Overrides OIDCUserInfoSignedResponseAlg.
userinfo_encrypted_response_alg

Overrides OIDCUserInfoEncryptedResponseAlg.
userinfo_encrypted_response_enc

Overrides OIDCUserInfoEncryptedResponseEnc.
auth_request_params

Overrides OIDCAuthRequestParams.
token_endpoint_params

Overrides OIDCProviderTokenEndpointParams.
token_endpoint_auth

Overrides OIDCProviderTokenEndpointAuth.
registration_endpoint_json

Overrides OIDCProviderRegistrationEndpointJson.
userinfo_refresh_interval

Overrides OIDCUserInfoRefreshInterval.
userinfo_token_method

Overrides OIDCUserInfoTokenMethod.
request_object

Overrides OIDCRequestObject.
auth_request_method

Overrides OIDCProviderAuthRequestMethod.
registration_token

(only in multi-provider setups)

An access_token that will be used on client registration calls for the associated OP.
issuer_specific_redirect_uri

(only in multi-provider setups)

Indicates whether an issuer specific redirect URI will be used to mitigate the IDP mixup attack; see https://github.com/pingidentity/mod_auth_openidc/issues/291; when enabled, a query parameter "iss" will be added dynamically to the redirect URI with the value of the url-encoded issuer identifier (boolean) [since version 2.3.2rc6).
keys

(only in multi-provider setups, since version 2.4.0)

A set of JWKs that is used to sign, encrypt and decrypt tokens exchanged with the OpenID Connect Provider. See RFC 7517 for syntax and examples.

Sample

Below is sample client metadata for issuer https://localhost:9031, so the mod_auth_openidc configuration filename is localhost%3A9031.conf:

{
  "ssl_validate_server" : 0,
  "scope" : "openid email profile"
}

Discovery

If you do not want to use the internal discovery page (you really shouldn't...), you can have the user being redirected to an external discovery page by setting OIDCDiscoverURL. That URL will be accessed with a number parameters: oidc_callback, target_link_uri, method and x_csrf. All parameters (except oidc_callback) need to be returned to the oidc_callback URL together with an iss parameter that contains the URL-encoded issuer value of the selected Provider, or a URL-encoded account name for OpenID Connect Discovery purposes (aka. e-mail style identifier), or a domain name.

Sample callback:

<oidc_callback>?target_link_uri=<target_link_uri>&iss=[<issuer>|<domain>|<e-mail-style-account-name>][&login_hint=<name>][&scopes=<space-separated-scopes>][&auth_request_params=<urlencoded-query-string>]

This is also the OpenID Connect specified way of triggering 3rd party initiated SSO to a specific provider when multiple OPs have been configured. In that case the callback may also contain a "login_hint" parameter with the login identifier the user might use to log in.

An additional mod_auth_openidc specific parameter named auth_request_params may also be passed in, see the Wiki for its usage.

Authorization

If you need to restrict certain Locations to a single provider and you want to skip the Discovery page for those locations, immediately redirecting the the appropriate Provider, see: https://github.com/zmartzone/mod_auth_openidc/wiki/Authorization#3-access-to-different-url-paths-on-a-per-provider-basis

Provide feedback

Saved searches

Use saved searches to filter your results more quickly