Support for multiple OAuth 2.0 Authorization Servers #199

Closed
anthonynd opened this issue Nov 24, 2016 · 2 comments

anthonynd commented Nov 24, 2016

Hi again,

Since the last issue I created, I've successfully integrated Microsoft and Google together as OpenID Providers for general login to my app. Now I would like to protect my app's REST API with OAuth 2.0. Individually, I've been able to implement remote and local validation of access tokens with Google and just local validation of Microsoft tokens. However, I cannot implement both Google and Microsoft together.

I'm wondering if there's some clever configuration I can do in my .conf file or if I'm only limited to one OAuth validator.

Here's an example setup that I've tried to give an idea of what I mean by messing with the .conf file.

SetEnvIf Provider "microsoft" op=microsoft
SetEnvIf Provider "google" op=google

<If "env('op') == 'microsoft'">
    OIDCOAuthVerifyJwksUri https://login.microsoftonline.com/common/discovery/v2.0/keys
</If>
<If "env('op') == 'google'">
    OIDCOAuthClientID ${client_id}
    OIDCOAuthClientSecret ${client_secret}
    OIDCOAuthIntrospectionEndpoint https://www.googleapis.com/oauth2/v1/tokeninfo
    OIDCOAuthIntrospectionTokenParamName access_token
</If>

<Location /REST/1.0>
    Authtype oauth20
    <If "env('op') == 'microsoft'">
        Require claim aud:${microsoft_client_id}
    </If>
    <If "env('op') == 'google'">
        Require claim issued_to:${client_id}
    </If>
</Location>

That config doesn't work because it seems I can't put the OIDCOAuth* directives in an If statement though.

I'm not very familiar with Apache configuration, so if there's some way of implementing it, I'd appreciate it greatly.

Thanks,
Anthony
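
The two `Require claim` rules from the config above, written as an application-layer check. This is an added example, not code from this thread or from mod_auth_openidc. It assumes each claim set was already validated upstream (JWT signature check or introspection); `RULES`, `authorize` and the placeholder client IDs are hypothetical.

```python
import time

# Claim name and expected client ID per provider, mirroring the two
# "Require claim" lines in the config. The IDs are constructed placeholders.
RULES = {
    "microsoft": {"claim": "aud", "client_id": "ms-client-id-placeholder"},
    "google": {"claim": "issued_to", "client_id": "google-client-id-placeholder"},
}


def not_expired(claims, now):
    """JWTs carry an absolute 'exp'; the tokeninfo response carries 'expires_in'."""
    if "exp" in claims:
        return isinstance(claims["exp"], (int, float)) and claims["exp"] > now
    if "expires_in" in claims:
        try:
            return int(claims["expires_in"]) > 0
        except (TypeError, ValueError):
            return False
    return False  # no lifetime information: fail closed


def authorize(provider, claims, now=None):
    """Return (allowed, reason). 'provider' comes from the client-supplied
    Provider header, so anything unexpected is denied rather than defaulted."""
    now = time.time() if now is None else now
    rule = RULES.get(provider)
    if rule is None:
        return False, "unknown provider"
    value = claims.get(rule["claim"])
    # A JWT 'aud' may be a single string or a list of strings.
    audiences = value if isinstance(value, list) else [value]
    if rule["client_id"] not in audiences:
        return False, "token was not issued to this client"
    if not not_expired(claims, now):
        return False, "token expired or lifetime missing"
    return True, "ok"


# Constructed sample claim sets (not real tokens).
MS_CLAIMS = {"aud": "ms-client-id-placeholder", "exp": 2_000_000_000}
GOOGLE_CLAIMS = {"issued_to": "google-client-id-placeholder", "expires_in": "3150"}
OTHER_APP = {"issued_to": "some-other-client", "expires_in": "3150"}

if __name__ == "__main__":
    for name, claims in [("microsoft", MS_CLAIMS), ("google", GOOGLE_CLAIMS),
                         ("google", OTHER_APP), ("microsoft", GOOGLE_CLAIMS)]:
        print(name, authorize(name, claims, now=1_700_000_000))
```

Because the provider label is chosen by the caller, a token presented under the wrong label fails the claim check instead of falling through to a weaker rule.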

@zandbelt
Member

It is not possible to configure multiple Authorization Servers simultaneously.

I would also argue that it is atypical to have a resource that is owned by 2 Resource Owners at the same time.

@anthonynd
Author

Alright, fair enough. In that case, I'll just stick to Google for validation.
