Skip to content
OpenID Connect Relying Party implementation for Apache HTTP Server 2.x
C Other
  1. C 99.1%
  2. Other 0.9%
Branch: master
Clone or download

Latest commit

zandbelt Merge pull request #476 from bcingram/validate_issuer
Added OIDCValidateIssuer configuration setting to allow for Azure AD multi-tenant
Latest commit 3d2d697 May 13, 2020

Files

Permalink
Type Name Latest commit message Commit time
Failed to load latest commit information.
.github Create FUNDING.yml May 23, 2019
src refactored to pass NULL issuer into oidc_proto_validate_jwt rather th… May 12, 2020
test change copyright to 2020 Mar 24, 2020
.cproject eclipse mods Jun 6, 2019
.gitignore ignore cisual studio code folder Nov 26, 2019
.project commit Eclipse and Docker files Jun 5, 2019
.travis.yml release 2.3.0 Jun 13, 2017
AUTHORS refactored to pass NULL issuer into oidc_proto_validate_jwt rather th… May 12, 2020
ChangeLog refactored to pass NULL issuer into oidc_proto_validate_jwt rather th… May 12, 2020
Dockerfile fix configured private/public key cleanup on process exit Mar 24, 2020
Dockerfile-alpine modify build, clone remote in order to reduce image size Feb 3, 2020
INSTALL update organizational references Nov 15, 2017
LICENSE.txt initial import named mod_auth_openidc Mar 27, 2014
Makefile.in need pem files in distfile to run make test in package builds Dec 9, 2019
README.md Update README.md Mar 10, 2020
auth_openidc.conf added OIDCValidateIssuer [On|Off] with default "On" to support Azure … May 10, 2020
autogen.sh initial import named mod_auth_openidc Mar 27, 2014
configure.ac Allow configuring which header value is used to calculate the Apr 25, 2020
openidc.conf fix configured private/public key cleanup on process exit Mar 24, 2020

README.md

Build Status OpenID Certification Code Quality: Cpp Total Alerts

mod_auth_openidc

mod_auth_openidc is an authentication/authorization module for the Apache 2.x HTTP server that functions as an OpenID Connect Relying Party, authenticating users against an OpenID Connect Provider.

Overview

This module enables an Apache 2.x web server to operate as an OpenID Connect Relying Party (RP) to an OpenID Connect Provider (OP). It authenticates users against an OpenID Connect Provider, receives user identity information from the OP in a so called ID Token and passes on the identity information (a.k.a. claims) in the ID Token to applications hosted and protected by the Apache web server.

The protected content and/or applications can be served by the Apache server itself or it can be served from elsewhere when Apache is configured as a Reverse Proxy in front of the origin server(s).

By default the module sets the REMOTE_USER variable to the id_token [sub] claim, concatenated with the OP's Issuer identifier ([sub]@[iss]). Other id_token claims are passed in HTTP headers and/or environment variables together with those (optionally) obtained from the UserInfo endpoint.

It allows for authorization rules (based on standard Apache Require primitives) that can be matched against the set of claims provided in the id_token/ userinfo claims.

mod_auth_openidc supports the following specifications:

For an exhaustive description of all configuration options, see the file auth_openidc.conf in this directory. This file can also serve as an include file for httpd.conf.

Support

Give back to mod_auth_openidc

Please consider giving back by sponsoring mod_auth_openidc development/maintenance/continuity and to express your gratitude as a happy user or company.
See: https://www.patreon.com/mod_auth_openidc
Sponsored by: GLUU

Community Support

For generic questions, see the Wiki pages with Frequently Asked Questions at:
https://github.com/zmartzone/mod_auth_openidc/wiki
There is a Google Group/mailing list at:
mod_auth_openidc@googlegroups.com
The corresponding forum/archive is at:
https://groups.google.com/forum/#!forum/mod_auth_openidc
Any questions/issues should go to the mailing list.

Commercial Services

For commercial Support contracts, Professional Services, Training and use-case specific support you can contact:
sales@zmartzone.eu

How to Use It

OpenID Connect SSO with Google+ Sign-In

Sample configuration for using Google as your OpenID Connect Provider running on www.example.com and https://www.example.com/example/redirect_uri registered as the redirect_uri for the client through the Google API Console. You will also have to enable the Google+ API under APIs & auth in the Google API console.

OIDCProviderMetadataURL https://accounts.google.com/.well-known/openid-configuration
OIDCClientID <your-client-id-administered-through-the-google-api-console>
OIDCClientSecret <your-client-secret-administered-through-the-google-api-console>

# OIDCRedirectURI is a vanity URL that must point to a path protected by this module but must NOT point to any content
OIDCRedirectURI https://www.example.com/example/redirect_uri
OIDCCryptoPassphrase <password>

<Location /example/>
   AuthType openid-connect
   Require valid-user
</Location>

Note if you want to securely restrict logins to a specific Google Apps domain you would not only add the hd=<your-domain> setting to the OIDCAuthRequestParams primitive for skipping the Google Account Chooser screen, but you must also ask for the email scope using OIDCScope and use a Require claim authorization setting in the Location primitive similar to:

OIDCScope "openid email"
Require claim hd:<your-domain>

The above is an authorization example of an exact match of a provided claim against a string value. For more authorization options see the Wiki page on Authorization.

Quickstart with a generic OpenID Connect Provider

  1. install and load mod_auth_openidc.so in your Apache server
  2. configure your protected content/locations with AuthType openid-connect
  3. set OIDCRedirectURI to a "vanity" URL within a location that is protected by mod_auth_openidc
  4. register/generate a Client identifier and a secret with the OpenID Connect Provider and configure those in OIDCClientID and OIDCClientSecret respectively
  5. and register the OIDCRedirectURI as the Redirect or Callback URI with your client at the Provider
  6. configure OIDCProviderMetadataURL so it points to the Discovery metadata of your OpenID Connect Provider served on the .well-known/openid-configuration endpoint
  7. configure a random password in OIDCCryptoPassphrase for session/state encryption purposes
LoadModule auth_openidc_module modules/mod_auth_openidc.so

OIDCProviderMetadataURL <issuer>/.well-known/openid-configuration
OIDCClientID <client_id>
OIDCClientSecret <client_secret>

# OIDCRedirectURI is a vanity URL that must point to a path protected by this module but must NOT point to any content
OIDCRedirectURI https://<hostname>/secure/redirect_uri
OIDCCryptoPassphrase <password>

<Location /secure>
   AuthType openid-connect
   Require valid-user
</Location>

For details on configuring multiple providers see the Wiki.

Quickstart for Other Providers

See the Wiki for configuration docs for other OpenID Connect Providers:

Disclaimer

This software is open sourced by ZmartZone IAM. For commercial services you can contact ZmartZone IAM as described above in the Support section.

You can’t perform that action at this time.