Authentication module for Apache httpd with Scitoken.

Authentication is carried out by an authentication provider defined in /src/scitoken.c.

The module will check the request token against a list of issuers provided by the Apache configuration file.

There are built-in checks for issuers, expiration date, and algorithm (the algorithm check is disabled by default).

This repo also includes the necessary configuration for an Apache webserver to provide WebDav access using SciTokens for authorization. With this configuration, you may provide authenticated access to write (PUT) or read (GET) on the webserver.

Build requirement



Install scitokens-cpp

Move scitokens-cpp/src/scitokens.h to your include directory

In /src, compile the module:

$ apxs -i -a -c scitoken.c -lSciTokens
$ cat /etc/apache2/mods-enabled/auth_scitokenX.load
LoadModule auth_scitokenX_module /usr/lib/apache2/modules/


Modify your Apache configuration file.

A minimal configuration might be:

<Location /demo>
          AuthType Scitoken
          AuthName "private area"
          Require Scitoken
          issuers "https://issuer1;/resource1"
          #Dav on
</Location>

To enable WebDav:

sudo a2enmod dav
sudo a2enmod dav_fs

This allows creating, moving, copying, and deleting resources and collections on a remote web server, and provides access to resources located in the server's file system.

See /config for an example (Ubuntu 16.04.6 LTS).

In the example, the only issuer is "" and the protected directory is "/demo"

Restart Apache


curl -H "Authorization: Bearer eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiIsImtpZCI6ImtleS1yczI1NiJ9.eyJzY3AiOiJyZWFkOi9kZW1vIiwiYXVkIjoiaHR0cDovL1Z0MjAuc2VjdXJpdHkubmNzYS5pbGxpbm9pcy5lZHUiLCJpc3MiOiJodHRwczovL2RlbW8uc2NpdG9rZW5zLm9yZyIsImV4cCI6MTU1Mzg4NTg4OCwiaWF0IjoxNTUzODg1Mjg4LCJuYmYiOjE1NTM4ODUyODgsImp0aSI6IjgyNGYzNDgxLWE5ZTAtNDZkZC04N2Q3LTAxZTBhZGVhN2Y5MyJ9.pQNp4MN1Bj38zCGwwGLlBBGh6BRUHmsw1Q54hjX-UwgJXQao7ftDo2YhmDNGNM-W2X9TU8S4XcNdrHXPSixapGVlDdtntgjWmY7EeCeAuVf9Tke7oTZsfdAKB-ye5t_dYjnAwrI-p5o6T4-GBKNcEg3_d4YqV61-BUGYqQJIEeCjoNrcbRUmwYY8O1Upp0A6S9EdpCAhHUS58onJDR2a2HIOJaSBo88UKxLWTofLUFn8P35Or_u2YZCHbp9nJ9JmTL1uVTHBd6vsWBsj8byOuZvfbOHll_vjOQ6DCc899R4Af1_ezA3no8ONGJJ3zAQSNRl2kIoLBBEp5MZw4r1--g" URL

Tokens generated by are set to expire in 10 mins. To make a 200 request:

1. Go to Set payload to protected area

2. "scope": "read:/demo", "aud": "",

3. curl -H "Authorization: Bearer YOURTOKEN"
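
When a request is refused, it helps to look at the token's claims before resending. The following is an added example, not part of this repo: a small pre-flight check that decodes a token without verifying its signature (the module still does that) and compares issuer, expiry and scope with what the server is configured for. The issuer URL, the function names, the GET/PUT to read/write mapping and the path-prefix matching rule are assumptions for illustration.

```python
import base64, json, time
# Assumption: HTTP method -> scope action, following "write (PUT) or read (GET)" above.
METHOD_ACTION = {"GET": "read", "PUT": "write"}

def decode_claims(token):
    """Return the JWT payload WITHOUT verifying the signature (diagnostics only)."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWT (expected header.payload.signature)")
    payload = parts[1] + "=" * (-len(parts[1]) % 4)  # restore stripped base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))

def scope_allows(scope, action, path):
    """True if a space-separated scope such as 'read:/demo' covers action on path.
    Matching is on path-segment boundaries, so '/demo' does not cover '/demo2'."""
    for item in scope.split():
        act, _, prefix = item.partition(":")
        prefix = prefix.rstrip("/")  # 'read' or 'read:/' means the whole tree
        if act == action and (path == prefix or path.startswith(prefix + "/")):
            return True
    return False

def preflight(token, method, path, issuers, now=None):
    """List reasons the request would likely be refused; an empty list means it looks fine."""
    now = time.time() if now is None else now
    claims = decode_claims(token)
    problems = []
    if claims.get("iss") not in issuers:
        problems.append("issuer not in configured list")
    if "exp" not in claims or now >= claims["exp"]:
        problems.append("token expired")
    if "nbf" in claims and now < claims["nbf"]:
        problems.append("token not yet valid")
    # Step 2 above uses "scope"; the sample token in the curl line carries "scp".
    scope = claims.get("scope") or claims.get("scp") or ""
    action = METHOD_ACTION.get(method.upper())
    if action is None or not scope_allows(scope, action, path):
        problems.append("scope does not cover request")
    return problems

def make_sample_token(claims):
    """Constructed, unsigned token for offline testing; a real server would reject it."""
    enc = lambda o: base64.urlsafe_b64encode(json.dumps(o).encode()).rstrip(b"=").decode()
    return ".".join([enc({"typ": "JWT", "alg": "RS256"}), enc(claims), "c2ln"])

if __name__ == "__main__":
    tok = make_sample_token({"iss": "https://issuer.example", "scope": "read:/demo",
                             "nbf": 1000000, "exp": 1000600})  # 10-minute lifetime
    print(preflight(tok, "GET", "/demo/a.txt", ["https://issuer.example"], now=1000700))
```

Pass a real token and the issuers from your Apache configuration to preflight() to see which check fails first.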