auth_openidc.conf

########################################################################################
#
# Common Settings
#
########################################################################################

# (Mandatory)
# The redirect_uri for this OpenID Connect client; this is a vanity URL
# that must ONLY point to a path on your server protected by this module
# but it must NOT point to any actual content that needs to be served.
# You can use a relative URL like /protected/redirect_uri if you want to
# support multiple vhosts that belong to the same security domain in a dynamic way
#OIDCRedirectURI https://www.example.com/protected/redirect_uri

# (Mandatory)
# Set a password for crypto purposes, this is used for:
# - encryption of the (temporary) state cookie
# - encryption of cache entries, that may include the session cookie, see: OIDCCacheEncrypt and OIDCSessionType
# Note that an encrypted cache mechanism can be shared between servers if they use the same OIDCCryptoPassphrase
# If the value begins with exec: the resulting command will be executed and the
# first line returned to standard output by the program will be used as the password, e.g:
#    OIDCCryptoPassphrase "exec:/bin/bash -c \"head /dev/urandom | tr -dc A-Za-z0-9 | head -c 32\""
# (notice that the above typically only works in non-clustered environments)
# The command may be absolute or relative to the web server root.
#
# A second value can be used temporarily in case of passphrase rollover: the first (i.e. new) passphrase
# will be used for encryption of new values (including a "kid" in the JWEs during the time 2 values are defined),
# both values will be used for verification (leveraging the "kid" if present); for seamless rollover one should
# (at minimum) wait for OIDCSessionInActivityTimeout seconds before removing the 2nd (i.e. old) passprase again.
#OIDCCryptoPassphrase [ <passphrase> | "exec:/path/to/otherProgram arg1" ] [ <previous-passphrase> | "exec:/path/to/otherProgram arg2" ]

#
# All other entries below this are optional though some may be required in a
# particular setup e.g. OAuth 2.0 Resource Server vs. OpenID Connect Relying Party
#

# When using multiple OpenID Connect Providers, possibly combined with Dynamic Client
# Registration and account-based OP Discovery.
# Specifies the directory that holds metadata files (must be writable for the Apache process/user).
# When not specified, it is assumed that we use a single statically configured provider as
# described under the section "OpenID Connect Provider" below, most likely using OIDCProviderMetadataURL.
#OIDCMetadataDir /var/cache/apache2/mod_auth_openidc/metadata

########################################################################################
#
# OpenID Connect Provider
#
# For configuration of a single static provider, not using OpenID Connect Provider Discovery.
#
########################################################################################

# URL where OpenID Connect Provider metadata can be found (e.g. https://accounts.google.com/.well-known/openid-configuration)
# The obtained metadata will be cached and refreshed every 24 hours.
# If set, individual entries below will not have to be configured but can be used to add
# extra entries/endpoints to settings obtained from the metadata.
# If OIDCProviderMetadataURL is not set, the entries below it will have to be configured for a single
# static OP configuration or OIDCMetadataDir will have to be set for configuration of multiple OPs.
#OIDCProviderMetadataURL <url>

# OpenID Connect Provider issuer identifier (e.g. https://localhost:9031 or https://accounts.google.com)
# Used when OIDCProviderMetadataURL is not defined or the metadata obtained from that URL does not set it.
#OIDCProviderIssuer <issuer>

# OpenID Connect Provider Authorization Endpoint URL (e.g. https://localhost:9031/as/authorization.oauth2)
# Used when OIDCProviderMetadataURL is not defined or the metadata obtained from that URL does not set it.
#OIDCProviderAuthorizationEndpoint <authorization_endpoint>

# OpenID Connect Provider JWKS URL (e.g. https://localhost:9031/pf/JWKS)
# i.e. the URL on which the signing keys for this OP are hosted, in JWK formatting
# Used when OIDCProviderMetadataURL is not defined or the metadata obtained from that URL does not set jwks_uri.
#OIDCProviderJwksUri <jwks_url>

# OpenID Connect Provider Signed JWKS URL (e.g. https://localhost:9031/pf/JWKS) followed by the verification key set
# formatted as either JWK or JWKS. The verification key set is used to verify the provided JWKs value.
# Specifying multiple keys allows the OP rotate the key used for signing the JWKs.
# I.e this is the URL on which the ID Token signing keys for this OP are hosted, in verifiable JWT formatting
# rather than relying on TLS for authentication and integrity protection.
# Used when OIDCProviderMetadataURL is not defined or the metadata obtained from that URL does not set signed_jwks_uri.
# When defined it takes precedence over OIDCProviderJwksUri
# Examples:
#   OIDCProviderSignedJwksUri https://localhost:9031/pf/JWKS "{\"kty\":\"oct\", \"k\":\"AyM1SysPpbyDfgZld3umj1qzKObwVMkoqQ-EstJQLr_T-1qS0gZH75aKtMN3Yj0iPS4hcgUuTwjAzZr1Z9CAow\"}"
#   OIDCProviderSignedJwksUri https://localhost:9031/pf/JWKS "{\"keys\":[{\"kty\":\"oct\", \"k\":\"AyM1SysPpbyDfgZld3umj1qzKObwVMkoqQ-EstJQLr_T-1qS0gZH75aKtMN3Yj0iPS4hcgUuTwjAzZr1Z9CAow\"}]}"
# NB: for multi-OP setups:
#     the 1st parameter is not used, it needs to be set anyhow (e.g. to "") if you wish to used the 2nd parameter
#     the 2nd parameter is the default verification JWK for content pulled from the signed_jwks_uri for all providers and
#     and its can be overridden with a per-provider key in the <issuer>.conf file using the key: signed_jwks_uri_key
#OIDCProviderSignedJwksUri <jwks_url> [ <jwks> | <jwk> ]

# The fully qualified names of the files that contain the X.509 certificates with the RSA/EC public
# keys that can be used for ID Token verification.
# NB: this is one or more key tuples where a key tuple consists of:
#  ["sig:"|"enc:"][<key-identifier>#]<path-to-cert>
# and the key identifier part is required when the ID Token contains a "kid" in its header.
# Specify the prefix "sig:" or "enc:" to indicate a key is specifically to be used for signing or encryption.
# When not defined, ID Token validation key material has to be obtained through OIDCProviderJwksUri or OIDCProviderMetadataURL
#OIDCProviderVerifyCertFiles (["sig:"|"enc:"][<kid>#]<filename>)+

# OpenID Connect Provider Token Endpoint URL (e.g. https://localhost:9031/as/token.oauth2)
# Used when OIDCProviderMetadataURL is not defined or the metadata obtained from that URL does not set it.
#OIDCProviderTokenEndpoint <token_endpoint>

# Authentication method for the OpenID Connect Provider Token Endpoint.
# When "private_key_jwt" is used, OIDCPrivateKeyFiles and OIDCPublicKeyFiles must have been set before this directive is applied.
# When not defined the default method from the specification is used, i.e. "client_secret_basic".
# Used when OIDCProviderMetadataURL is not defined or the metadata obtained from that URL does not set it.
# NB: this can be overridden for dynamic client registration on a per-OP basis in the .conf file using the key: token_endpoint_auth
#OIDCProviderTokenEndpointAuth [ client_secret_basic | client_secret_post | client_secret_jwt | private_key_jwt | none ]

# Extra parameters that need to be passed in the POST request to the Token Endpoint.
# Parameter names and values need to be provided in URL-encoded form.
# When not defined no extra parameters will be passed.
# NB: this can be overridden on a per-OP basis in the .conf file using the key: token_endpoint_params
#OIDCProviderTokenEndpointParams <urlencoded-name1>=<urlencoded-value1>[&<urlencoded-nameN>=<urlencoded-valueN>]* 

# OpenID Connect Provider UserInfo Endpoint URL (e.g. https://localhost:9031/idp/userinfo.openid)
# When not defined no claims will be resolved from such endpoint.
# Used when OIDCProviderMetadataURL is not defined or the metadata obtained from that URL does not set it.
#OIDCProviderUserInfoEndpoint <user_info_endpoint>

# OpenID OP Check Session iFrame URL, for Session Management purposes.
# When not defined, no Session Management will be applied.
# Used when OIDCProviderMetadataURL is not defined or the metadata obtained from that URL does not set it.
#OIDCProviderCheckSessionIFrame <url>

# OpenID OP End Session Endpoint URL, for Single Logout (Session Management) purposes.
# When not defined, no logout to the OP will be performed.
# Used when OIDCProviderMetadataURL is not defined or the metadata obtained from that URL does not set it.
#OIDCProviderEndSessionEndpoint <url>

# Extra parameters that will be sent along with the Logout Request.
# These must be URL-query-encoded as in: "client_id=myclient&prompt=none".
# This is used against a statically configured (single) OP or serves as the default for discovered OPs.
# The default is to not add extra parameters.
# NB: this can be overridden on a per-OP basis in the .conf file using the key: logout_request_params
#OIDCLogoutRequestParams <query-encoded-string>

# The RFC 7009 Token Revocation Endpoint URL.
# When defined, the refresh token and access token stored in an OIDC session will be revoked on logout.
# Used when OIDCProviderMetadataURL is not defined or the metadata obtained from that URL does not set it.
#OIDCProviderRevocationEndpoint <url>

# The RFC 9126 Pushed Authorization Request endpoint URL.
# When not defined, PAR cannot be used to send authentication requests, see also OIDCProviderAuthRequestMethod 
# Used when OIDCProviderMetadataURL is not defined or the metadata obtained from that URL does not set it.
#OIDCProviderPushedAuthorizationRequestEndpoint <url>

# Define whether the OP supports OpenID Connect Back Channel Logout.
# According to: https://openid.net/specs/openid-connect-backchannel-1_0.html
# Used when OIDCProviderMetadataURL is not defined or the metadata obtained from that URL does not set it.
#OIDCProviderBackChannelLogoutSupported [On|Off]

# Extra JSON parameters that need to be passed in the registration request to the Registration Endpoint.
# This settings serves as a default value for multiple OPs only.
# Parameter names and values need to be provided in JSON form and will be merged in to the request.
# When not defined no extra parameters will be passed.
# NB: this can be overridden on a per-OP basis in the .conf file using the key: registration_endpoint_json
#OIDCProviderRegistrationEndpointJson <json-string>

# Define the OpenID Connect scope that is requested from the OP (eg. "openid email profile").
# When not defined, the bare minimal scope "openid" is used.
# NB: multiple scope values must be enclosed in a single pair of double quotes 
# NB: this can be overridden on a per-OP basis in the .conf file using the key: scope
#OIDCScope "<scope(s)-separated-by-spaces-and-enclosed-in-double-quotes>"

# Extra parameters that will be sent along with the Authorization Request.
# These must be URL-query-encoded as in: "display=popup&prompt=consent" or
# specific for Google's implementation: "approval_prompt=force".
# This is used against a statically configured (single) OP or serves as the default for discovered OPs.
# As an alternative to this option, one may choose to add the parameters as
# part of the URL set in OIDCProviderAuthorizationEndpoint or "authorization_endpoint"
# in the .provider metadata (though that would not work with Discovery OPs).
#
# One can pass on query parameters from the request to the authorization request by adding
# e.g. "foo=#" which which will dynamically pull in the query parameter value from the
# request query parameter and add it to the authentication request to the OP.
#
# The default is to not add extra parameters.
# NB: this can be overridden on a per-OP basis in the .conf file using the key: auth_request_params
#OIDCAuthRequestParams <query-encoded-string>

# Require a valid SSL server certificate when communicating with the OP.
# (i.e. on token endpoint, UserInfo endpoint and Dynamic Client Registration endpoint)
# When not defined, the default value is "On".
# NB: this can be overridden on a per-OP basis in the .conf file using the key: ssl_validate_server
#OIDCSSLValidateServer [On|Off]

# Sets the path to the CA bundle to be used by cURL
# When not defined, the default bundle for libcurl is used as provided by the platform.
#OIDCCABundlePath <path>

# Require configured issuer to match the issuer returned in id_token.
# (Disable to support Azure AD multi-tenant applications.)
# When not defined, the default value is "On".
#OIDCValidateIssuer [On|Off]

# The refresh interval in seconds for the claims obtained from the userinfo endpoint
# When not defined the claims are retrieved only once, at session creation time.
# If refreshing fails, it is assumed that the access token is expired and an attempt will be made
# to refresh the access token using the refresh token grant, after which a second attempt is made
# to obtain claims from the userinfo endpoint with the new access token.
# NB: this can be overridden on a per-OP basis in the .conf file using the key: userinfo_refresh_interval
# The optional logout_on_error flag will make the user logout the current local session if the userinfo request fails.
# The optional authenticate_on_error flag sends the user for authentication when the userinfo request fails.
#OIDCUserInfoRefreshInterval <seconds> [ logout_on_error | authenticate_on_error | 502_on_error ]

# The refresh interval in seconds for the JWKs key set obtained from the jwks_uri and signed_jwks_uri.
# When not defined the default is 3600 seconds.
# NB: this can be overridden on a per-OP basis in the .conf file using the key: jwks_refresh_interval
# NB: this refresh interval is shared with OIDCOAuthVerifyJwksUri
#OIDCJWKSRefreshInterval <seconds>

# Defines the way in which the access token will be presented to the userinfo endpoint
# "authz_header" means that the token will be presented in an "Authorization: Bearer" header using HTTP GET
# "post_param" means that the token will be presented a form-encoded POST parameter using HTTP POST
# When not defined the default is "authz_header".
# NB: this can be overridden on a per-OP basis in the .conf file using the key: userinfo_token_method
#OIDCUserInfoTokenMethod [authz_header|post_param]

# Defines the HTTP method used to pass the parameters in the Authentication Request to the Authorization Endpoint.
# "GET" means that the parameters will be passed as query parameters in an HTTP GET
# "POST" means that the parameters will be passed as form-post parameters in an HTTP POST
# "PAR" means that parameters will be sent to the Pushed Authorization Endpoint
# When not defined the default is "GET".
# NB: this can be overridden on a per-OP basis in the .conf file using the key: auth_request_method
# OIDCProviderAuthRequestMethod [ GET | POST | PAR ]

# The fully qualified names of the files that contain the PEM-formatted RSA/EC Public key or a X.509 certificates
# that contain the RSA/EC public keys to be used for JWT (OP state/id_token) encryption by the OP.
# One of these keys must correspond to the private keys defined in OIDCPrivateKeyFiles.
# When not defined no encryption will be requested.
# You can also prefix <filename> with a JWK key identifier to manually override the automatically
# generated "kid" that will be used for this key in the JWKs derived from this certificate and
# published at OIDCClientJwksUri.
# Specify the prefix "sig:" or "enc:" to indicate a key is specifically to be used for signing or encryption.
# NB: this can be overridden on a per-OP basis in the .conf file using the key "keys" whose value is a JWK set/array (use=sign)
#OIDCPublicKeyFiles (["sig:"|"enc:"][<kid>#]<filename>)+

# The fully qualified names of the files that contain the PEM-formatted RSA/EC private
# keys that can be used to decrypt content sent to us by the OP.
# These keys must correspond to the public keys defined in OIDCPublicKeyFiles.
# When not defined no decryption will be possible.
# NB: this can be overridden on a per-OP basis in the .conf file using the key "keys" whose value is a JWK set/array (use=enc)
#OIDCPrivateKeyFiles (["sig:"|"enc:"][<kid>#]<filename>)+

########################################################################################
#
# OpenID Connect Client
#
# Settings used by the client in communication with the OpenID Connect Provider(s),
# i.e. in Authorization Requests, Dynamic Client Registration and UserInfo Endpoint access.
# These settings are used when a single static provider is configured and serve as defaults
# when multiple providers are configured.
#
########################################################################################

# The response type (or OpenID Connect Flow) used (this serves as default value for discovered OPs too)
# When not defined the "code" response type is used.
# NB: this can be overridden on a per-OP basis in the .conf file using the key: response_type
#OIDCResponseType ["code"|"id_token"|"id_token token"|"code id_token"|"code token"|"code id_token token"]

# The response mode used (this serves as default value for discovered OPs too)
# When not defined the default response mode for the requested flow (OIDCResponseType) is used.
# NB: this can be overridden on a per-OP basis in the .conf file using the key: response_mode
#OIDCResponseMode [fragment|query|form_post]

# Only used for a single static provider has been configured, see below in OpenID Connect Provider.
# Client identifier used in calls to the statically configured OpenID Connect Provider.
#OIDCClientID <client_id>

# Only used for a single static provider has been configured, see below in OpenID Connect Provider.
# Client secret used in calls to the statically configured OpenID Connect Provider.
# (not used/required in the Implicit Client Profile, i.e. when OIDCResponseType is "id_token")
# If the value begins with exec: the resulting command will be executed and the
# first line returned to standard output by the program will be used as the
# secret. The command may be absolute or relative to the web server root.
#OIDCClientSecret [ <client_secret> | "exec:/path/to/otherProgram argument1" ]

# Filename with the PEM-formatted client certificate used to authenticate the Client in calls to the
# token endpoint of the OAuth 2.0 Authorization server.
# NB: this can be overridden on a per-OP basis in the .conf file using the key: token_endpoint_tls_client_cert
#OIDCClientTokenEndpointCert <filename>

# Filename with the PEM-formatted private key that belongs to the client certificate used to authenticate the
# Client in calls to the token endpoint of the OAuth 2.0 Authorization server.
# NB: this can be overridden on a per-OP basis in the .conf file using the key: token_endpoint_tls_client_key
#OIDCClientTokenEndpointKey <filename>

# Password for the PEM-formatted private key that belongs to the client certificate used to authenticate the
# Client in calls to the token endpoint of the OAuth 2.0 Authorization server.
# If the value begins with exec: the resulting command will be executed and the
# first line returned to standard output by the program will be used as the password.
# The command may be absolute or relative to the web server root.
# NB: this can be overridden on a per-OP basis in the .conf file using the key: token_endpoint_tls_client_key_pwd
#OIDCClientTokenEndpointKeyPassword [ <passphrase> | "exec:/path/to/otherProgram arg1" ]

# The client name that the client registers in dynamic registration with the OP.
# When not defined, no client name will be sent with the registration request.
# NB: this can be overridden on a per-OP basis in the .conf file using the key: client_name
#OIDCClientName <client_name>

# The contacts that the client registers in dynamic registration with the OP.
# Must be formatted as e-mail addresses by specification.
# Single value only; when not defined, no contact e-mail address will be sent with the registration request.
# NB: this can be overridden on a per-OP basis in the .conf file using the key: client_contact
#OIDCClientContact <contact>

# The PKCE method used (this serves as default value for multi-provider OPs too)
# When not defined S256 is used.
# NB: this can be overridden on a per-OP basis in the .conf file using the key: pkce_method
#OIDCPKCEMethod [ S256 | plain | |none ]

# The DPoP mode used (this serves as default value for multi-provider OPs too)
#  off: no DPoP token is requested from the OP
#  optional: a DPoP token is requested from the OP but we'll continue even if the returned token is Bearer
#  required: a DPoP token is requested from the OP and we'll fail if the returned token type is not DPoP
# When not defined "off" is used.
# NB: this can be overridden on a per-OP basis in the .conf file using the key: dpop_mode
# The 2nd parameter is used to optionally enable an API for creating DPoP proofs on:
#   <redirect_uri>?dpop=<access_token>&url=<url>[&method=<method][&nonce=<nonce>]
# When not defined "off" is used.
#OIDCDPoPMode [off|optional|required] [on|off]

# (used only in dynamic client registration)
# Define the Client JWKs URL (e.g. https://localhost/protected/?jwks=rsa)") that will be
# used during client registration to point to the JWK set with public keys for this client.
# If not defined the default <redirect_uri>?jwks=rsa will be used, on which a JWK set
# is automatically published based on the OIDCPublicKeyFiles setting so normally you don't
# need to touch this unless this client is on a (test) host that is not reachable from the internet.
# NB: this can be overridden on a per-OP basis in the .conf file using the key: client_jwks_uri
#OIDCClientJwksUri <url>

# The algorithm that the OP should use to sign the id_token.
# When not defined the default that the OP should use by spec is RS256.
# (ES??? algorithms only supported when using OpenSSL >= 1.0)
# NB: this can be overridden on a per-OP basis in the .conf file using the key: id_token_signed_response_alg
#OIDCIDTokenSignedResponseAlg [RS256|RS384|RS512|PS256|PS384|PS512|HS256|HS384|HS512|ES256|ES384|ES512]

# The algorithm that the OP should use to encrypt the Content Encryption Key that is used to encrypt the id_token.
# When not defined the default (by spec) is that the OP does not encrypt the id_token.
# NB: this can be overridden on a per-OP basis in the .conf file using the key: id_token_encrypted_response_alg
#OIDCIDTokenEncryptedResponseAlg [RSA1_5|A128KW|A256KW|RSA-OAEP]

# The algorithm that the OP should use to encrypt to the id_token with the Content Encryption Key.
# If OIDCIDTokenEncryptedResponseAlg is specified, the default for this value is A128CBC-HS256.
# When OIDCIDTokenEncryptedResponseEnc is included, OIDCIDTokenEncryptedResponseAlg MUST also be provided.
# (A256GCM algorithm only supported when using OpenSSL >= 1.0.1)
# NB: this can be overridden on a per-OP basis in the .conf file using the key: id_token_encrypted_response_enc
#OIDCIDTokenEncryptedResponseEnc [A128CBC-HS256|A256CBC-HS512|A256GCM]

# The algorithm that the OP should use to sign the UserInfo response
# When not defined the default (by spec) is that the OP does not sign the response.
# (ES??? algorithms only supported when using OpenSSL >= 1.0)
# NB: this can be overridden on a per-OP basis in the .conf file using the key: userinfo_signed_response_alg
#OIDCUserInfoSignedResponseAlg RS256|RS384|RS512|PS256|PS384|PS512|HS256|HS384|HS512|ES256|ES384|ES512]

# The algorithm that the OP should use to encrypt the Content Encryption Key that is used to encrypt the UserInfo response.
# When not defined the default (by spec) is that the OP does not encrypt the response.
# NB: this can be overridden on a per-OP basis in the .conf file using the key: userinfo_encrypted_response_alg
#OIDCUserInfoEncryptedResponseAlg [RSA1_5|A128KW|A256KW|RSA-OAEP]

# The algorithm that the OP should use to encrypt to encrypt the UserInfo response with the Content Encryption Key
# If OIDCUserInfoEncryptedResponseAlg is specified, the default for this value is A128CBC-HS256.
# When OIDCUserInfoEncryptedResponseEnc is included, OIDCUserInfoEncryptedResponseAlg MUST also be provided.
# (A256GCM algorithm only supported when using OpenSSL >= 1.0.1)
# NB: this can be overridden on a per-OP basis in the .conf file using the key: userinfo_encrypted_response_enc
#OIDCUserInfoEncryptedResponseEnc [A128CBC-HS256|A256CBC-HS512|A256GCM]

########################################################################################
#
# WARNING:
#
# THE OAUTH 2.0 RESOURCE SERVER FUNCTIONALITY IS DEPRECATED NOW AND SUPERSEDED
# BY A SEPARATE MODULE, SEE: https://github.com/OpenIDC/mod_oauth2
#
# OAuth 2.0 Resource Server Settings
#
# Used when this module functions as a Resource Server against an OAuth 2.0 Authorization
# Server, introspecting/validating bearer Access Tokens.
#
########################################################################################

# URL where Authorization Provider Provider metadata can be found (e.g. https://example.com/.well-known/oauth-authorization-server)
# as defined in RFC 8414. The obtained metadata will be cached and refreshed every 24 hours.
# If set, individual entries below will not have to be configured but can be used to add
# extra entries/endpoints to settings obtained from the metadata.
# If OIDCOAuthServerMetadataURL is not set, the endpoint entries below it will have to be configured.
#OIDCOAuthServerMetadataURL <url>

# (Mandatory when introspecting opaque access tokens, Optional when performing local JWT access token validation)
# OAuth 2.0 Authorization Server token introspection endpoint (e.g. https://localhost:9031/as/token.oauth2)
#OIDCOAuthIntrospectionEndpoint <token-introspection-endpoint>

# Client identifier used in token introspection calls to the OAuth 2.0 Authorization server.
#OIDCOAuthClientID <client_id>

# Client secret used in token introspection calls to the OAuth 2.0 Authorization server.
#OIDCOAuthClientSecret <client_secret>

# Authentication method for the OAuth 2.0 Authorization Server introspection endpoint,
# Used to authenticate the client to the introspection endpoint e.g. with a client_id/client_secret
# when OIDCOAuthClientID and OIDCOAuthClientSecret have been set and "client_secret_basic" or "client_secret_post"
# has been configured.
# When "private_key_jwt" is used, OIDCPrivateKeyFiles and OIDCPublicKeyFiles must have been set.
# When not defined "client_secret_basic" is used.
#OIDCOAuthIntrospectionEndpointAuth [ client_secret_basic | client_secret_post | client_secret_jwt | private_key_jwt | bearer_access_token | none ]

# Used when "OIDCOAuthIntrospectionEndpointAuth bearer_access_token" is configured.
# Specifies a static token to be used for authorizing the call to the introspection endpoint.
# If empty, the introspected token will be used for authorization as well.
#OIDCOAuthIntrospectionClientAuthBearerToken [ a-static-bearer-token | ]

# Filename that contains the PEM-formatted client certificate used to authenticate the
# caller in token introspection calls to the OAuth 2.0 Authorization server.
#OIDCOAuthIntrospectionEndpointCert <filename>

# Filename that contains the PEM-formatted private key that belongs to the client certificate used
# to authenticate the caller in token introspection calls to the OAuth 2.0 Authorization server.
#OIDCOAuthIntrospectionEndpointKey <filename>

# Password for the PEM-formatted private key that belongs to the client certificate used to authenticate the
# Client in calls to the token introspection endpoint of the OAuth 2.0 Authorization server.
# If the value begins with exec: the resulting command will be executed and the
# first line returned to standard output by the program will be used as the password.
# The command may be absolute or relative to the web server root.
#OIDCOAuthIntrospectionEndpointKeyPassword [ <passphrase> | "exec:/path/to/otherProgram arg1" ]

# Define the HTTP method to use for the introspection call. Must be GET or POST.
# When not defined the default is POST.
#OIDCOAuthIntrospectionEndpointMethod [POST|GET]

# Extra parameters that need to be passed in the POST request to the Introspection Endpoint.
# Parameter names and values need to be provided in URL-encoded form.
# When not defined no extra parameters will be passed.
#OIDCOAuthIntrospectionEndpointParams <urlencoded-name1>=<urlencoded-value1>[&<urlencoded-nameN>=<urlencoded-valueN>]* 

# Name of the parameter whose value carries the access token value in an validation request to the token introspection endpoint.
# When not defined the default "token" is used.
#OIDCOAuthIntrospectionTokenParamName <param_name>

# Defines the name of the claim that contains the token expiry timestamp, whether it is absolute (seconds since
# 1970), relative (seconds from now after which the token will expire), and whether it is optional.
# If the claim is optional and not found in the response, the introspection result will not be cached.
# (which means that the overall performance may suffer)
#
# Only applies when the "active" claim is not found in the introspection response, which is interpreted as
# an introspection method that does not conform to draft-ietf-oauth-introspection, but is custom.
#
# When not defined the default "expires_in" is used, the expiry is "relative" and mandatory, matching
# Google and PingFederate's introspection behavior.
#OIDCOAuthTokenExpiryClaim <claim-name> [absolute|relative] [mandatory|optional]

# Define the interval in seconds after which a cached and introspected access token needs
# to be refreshed by introspecting (and validating) it again against the Authorization Server.
# (can be configured on a per-path basis)
# When not defined the value is 0, which means it only expires after the `exp` (or alternative,
# see OIDCOAuthTokenExpiryClaim) hint as returned by the Authorization Server.
# When set to -1, caching of the introspection results is disabled and the token will be introspected
# on each request presenting it.
#OIDCOAuthTokenIntrospectionInterval <seconds>

# Require a valid SSL server certificate when communicating with the Authorization Server
# on the token introspection endpoint. When not defined, the default value is "On".
#OIDCOAuthSSLValidateServer [On|Off]

# The symmetric shared key(s) that can be used for local JWT access token validation.
# NB: this is one or more key tuples where a key tuple consists of:
#  ["sig:"|"enc:"]plain|b64|hex#[<key-identifier>]#<key>
# Specify the prefix "sig:" or "enc:" to indicate a key is specifically to be used for signing or encryption.
# When not defined, no access token validation with shared keys will be performed.
# Examples:
# - a plaintext secret and a key identifier (kid)
#     plain#1#mysecret
# - a base64 encoded secret, no key identifier provided
#     b64##AF515DE==
# - a hex encoded secret, no key identifier provided
#     hex##ede012
#OIDCOAuthVerifySharedKeys (["sig:"|"enc:"]plain|b64|hex#[<kid>#]<key>)+

# The fully qualified names of the files that contain the X.509 certificates with the RSA/EC public
# keys that can be used for local JWT access token verification.
# NB: this is one or more key tuples where a key tuple consists of:
#  ["sig:"|"enc:"][<key-identifier>#]<path-to-cert>
# and the key identifier part is required when the JWT access token contains a "kid" in its header.
# Specify the prefix "sig:" or "enc:" to indicate a key is specifically to be used for signing or encryption.
# When not defined, no access token validation with statically configured certificates will be performed.
#OIDCOAuthVerifyCertFiles (["sig:"|"enc:"][<kid>#]<filename>)+

# The JWKs URL on which the Authorization Server publishes the keys used to sign its JWT access tokens.
# When not defined local validation of JWTs can still be done using statically configured keys,
# by setting OIDCOAuthVerifyCertFiles and/or OIDCOAuthVerifySharedKeys.
#OIDCOAuthVerifyJwksUri <jwks_url>

# The claim that is used when setting the REMOTE_USER variable on OAuth 2.0 protected paths.
# When not defined the default "sub" is used.
#
# An optional regular expression can be added as a 2nd parameter that will be applied to the
# claim value from the 1st parameter and the first match returned from that expression will
# be set as the REMOTE_USER. E.g. to strip a domain from an e-mail style address you'd use ^(.*)@
#
# An optional 3rd parameter can be added that would contain string with number backrefrences.
# Backrefrences must be in the form $1, $2.. etc.
# E.g. to extract username in the form DOMAIN\userid from e-mail style address you may use
#   ^(.*)@([^.]+)\..+$ $2\\$1
#OIDCOAuthRemoteUserClaim <claim-name> [<regular-expression>] [substitution-string]

# Define the way(s) in which bearer OAuth 2.0 access tokens can be passed to this Resource Server.
# Must be one or several of:
# "header" : an "Authorization: bearer" header
# "post" :   an HTTP Post parameter called "access_token"
# "query" :  as an HTTP query parameter called "access_token"
# "cookie" : as a cookie header called "PA.global" or using the name specified after ":"
# "basic":   as a HTTP Basic Auth (RFC2617, section 2) password, with any username
# When not defined the default "header" is used.
#OIDCOAuthAcceptTokenAs [header|post|query|cookie[:<cookie-name>|basic]+

########################################################################################
#
# Cookie Settings
#
########################################################################################

# Define the cookie path for the "state" and "session" cookies.
# When not defined the default is a server-wide "/".
#OIDCCookiePath <cookie-path>

# Specify the domain for which the "state" and "session" cookies will be set.
# This must match the OIDCRedirectURI and the URL on which you host your protected
# application. Use the literal value of the domain name that will end up in the "Domain"
# attribute value for the Set-Cookie header, no leading dot required.
# Example domain- (instead of default host-)wide cookie:
#   OIDCCookieDomain example.org
# When not defined the default is the server hostname that is currently accessed.
#OIDCCookieDomain <cookie-domain>

# Define the cookie name for the session cookie.
# When not defined the default is "mod_auth_openidc_session".
#OIDCCookie <cookie-name>

# OpenID Connect session cookie chunk size.
# When using "OIDCSessionType client-cookie" the session cookie may become quite large if a lot of session
# data needs to be stored, typically the size depends on the "scopes" of information you request. To work
# around cookie size limitations for most web browsers (usually 4096 bytes), the "client-cookie" will be split
# over a number of "chunked" cookies if the resulting session data is over a certain number of bytes, 
# If you want to prevent splitting the session cookie regardless of its size, set the value to 0.
# When not defined the default chunk size is 4000 bytes
#OIDCSessionCookieChunkSize <bytes>

# Defines whether the HttpOnly flag will be set on cookies.
# When not defined the default is On.
#OIDCCookieHTTPOnly [On|Off]

# Defines whether the SameSite flag will be set on cookies.
# When On the following will apply:
#   state cookie: Lax
#   session cookie: Lax
#   x_csrf discovery: Strict:
#
# The default `SameSite=None` cookie appendix on `Set-Cookie` response headers can be 
# conditionally overridden using an environment variable in the Apache config as in:
#   SetEnvIf User-Agent ".*IOS.*" OIDC_SET_COOKIE_APPEND=;
#
# When not defined the default is On.
#OIDCCookieSameSite [On|Off]

# Specify the names of cookies to pickup from the browser and send along on backchannel
# calls to the OP and AS endpoints. This can be used for load-balancing purposes.
# When not defined, no such cookies are sent.
#OIDCPassCookies [<cookie-name>]+

# Specify the names of cookies to strip from the incoming request so they are not passed
# on to the target application(s). This may prevent a large set of chunked session cookies to
# be sent to the backend. In that case you'd set it to (when using the default OIDCCookie setting):
#   mod_auth_openidc_session mod_auth_openidc_session_chunks mod_auth_openidc_session_0 mod_auth_openidc_session_1 
# When not defined, no cookies are stripped.
#OIDCStripCookies [<cookie-name>]+

# Specify the maximum number of state cookies i.e. the maximum number of parallel outstanding
# authentication requests. See: https://github.com/OpenIDC/mod_auth_openidc/issues/331
# Setting this to 0 means unlimited, until the browser or server gives up which is the
# behavior of mod_auth_openidc < 2.3.8, which did not have this configuration option. 
#
# The optional second boolean parameter if the oldest state cookie(s) will be deleted, 
# even if still valid; see #399.
#
# When not defined, the default is 7 and "false", thus the oldest cookie(s) will not be deleted.
#OIDCStateMaxNumberOfCookies <number> [false|true]

# Define the cookie prefix for the state cookie.
# When not defined the default is "mod_auth_openidc_state_".
#OIDCStateCookiePrefix <cookie-prefix>

########################################################################################
#
# Session Settings (only relevant in an OpenID Connect Relying Party setup)
#
########################################################################################

# Interval in seconds after which the session will be invalidated when no interaction has occurred.
# When not defined, the default is 300 seconds.
#OIDCSessionInactivityTimeout <seconds>

# Maximum duration of the application session
# When not defined the default is 8 hours (3600 * 8 seconds).
# When set to 0, the session duration will be set equal to the expiry time of the ID token.
# NB: this can be overridden on a per-OP basis in the .conf file using the key: session_max_duration
#OIDCSessionMaxDuration <seconds>

# OpenID Connect session storage type.
# "server-cache" server-side caching storage.
# "client-cookie" uses browser-side sessions stored in a cookie; see also OIDCSessionCookieChunkSize next
# A suffix ":persistent" can be added if you want to use a persistent cookie that survives browser restarts
# instead of a session cookie that is tied to the lifetime of the browser session.
# The "expires" value of the persistent cookie is controlled by the OIDCSessionInactivityTimeout setting.
# A suffix ":store_id_token" can be added to "client-cookie" if you want the id_token to be stored
# in the session to be used as id_token_hint in a logout request to the OP later.
# When not defined the default "server-cache" is used.
#OIDCSessionType server-cache[:persistent] | client-cookie[:persistent | :store_id_token | :persistent:store_id_token ]

# Fallback to "OIDCSessionType client-cookie" when "OIDCSessionType server-cache" is set and the primary
# cache mechanism (e.g. memcache or redis) fails. Note that this will come at a cost of:
#   a) performance
#       1) since on each subsequent request the primary cache will still be polled and
#           failback will happen as soon as the primary cache is available again
#       2) information other than sessions cannot be cached, e.g. resolved access tokens or metadata; see: OIDCCacheType
#   b) security, since nonce's and jti's are not cached, see: OIDCCacheType
#   c) (prototype) functionality, since request_uri's won't work anymore
# When not defined the default is "Off".
#OIDCSessionCacheFallbackToCookie [On|Off]

########################################################################################
#
# Cache Settings
#
########################################################################################

# Cache type, used for temporary storage that is shared across Apache processes/servers for:
#  - authenticated user session state
#  - nonce values from authorization requests (to prevent replay attacks)
#  - validated OAuth 2.0 access tokens
#  - refresh tokens during their usage in a refresh token request i.e. refreshing an access token and possible the refresh token itself
#  - JWK sets that have been retrieved from jwk_uri's (to validate id_token, logout_token, JWT access_token and JWT userinfo response)
#  - resolved OP metadata when using OIDCProviderMetadataUrl and/or OIDCOAuthServerMetadataURL
#  - jti values from logout_token when receiving Backchannel Logout requests
#  - temporary state associated with Request URI's
#  - signed JWTs when using OIDCPassUserInfoAs signed_jwt and environment variable OIDC_USERINFO_SIGNED_JWT_CACHE_TTL
#  -  JQ filter results when using OIDCFilterClaimsExpr and/or OIDCUserInfoClaimsExpr and/or Require claims_expr
# must be one of \"shm\", \"memcache\", \"file\" or, if Redis support is compiled in, \"redis\" 
# When not defined, "shm" (shared memory) is used.
#OIDCCacheType [shm|memcache|file[|redis]]

# Indicate whether data in the cache backend should be encrypted.
# When not defined the default is "Off" for the "shm" backend and "On" for all other cache backends
#OIDCCacheEncrypt [On|Off]

# When using OIDCCacheType "shm":
# Specifies the maximum number of name/value pair entries that can be cached.
# When caching a large number of entries the cache size limit may be reached and the
# least recently used entry will be overwritten. If this happens within 1 hour, 
# errors will be displayed in the error.log and the OIDCCacheShmMax value may be increased.
# When not specified, a default of 10000 entries is used.
# OIDCCacheShmMax <number>

# When using OIDCCacheType "shm":
# Specifies the maximum size for a single cache entry in bytes with a minimum of 8736 bytes.
# The value must a multiple of 8 bytes.
# When caching large values such as numbers of attributes in a session or large metadata documents the 
# entry size limit may be overrun, in which case errors will be displayed in the error.log
# and the OIDCCacheShmEntrySizeMax value has to be increased.
# When not specified, a default entry size of 16928 bytes (16384 value + 512 key + 32 overhead) is used.
# OIDCCacheShmEntrySizeMax <bytes>

# When using OIDCCacheType "file":
# Directory that holds cache files; must be writable for the Apache process/user.
# When not specified a system defined temporary directory (/tmp) will be used.
#OIDCCacheDir /var/cache/apache2/mod_auth_openidc/cache

# When using OIDCCacheType "file":
# Cache file clean interval in seconds (only triggered on writes).
# When not specified a default of 60 seconds is used.
# OIDCCacheFileCleanInterval <seconds>

# Required when using OIDCCacheType "memcache":
# Specifies the memcache servers used for caching as a space separated list of <hostname>[:<port>] tuples.
#OIDCMemCacheServers "(<hostname>[:<port>])+"

# Minimum number of connections to each Memcache server per process. Defaults to
# OIDCMemCacheConnectionsHMax.
#OIDCMemCacheConnectionsMin <number>

# All connections above this limit will be closed if they have been idle for
# more than OIDCMemCacheConnectionsTTL. Defaults to OIDCMemCacheConnectionsHMax.
#OIDCMemCacheConnectionsSMax <number>

# Maximum number of connections to each Memcache server per process. Defaults to
# ThreadsPerChild or if mod_http2 is loaded to ThreadsPerChild - 1 + H2MaxWorkers.
#OIDCMemCacheConnectionsHMax <number>

# Maximum time in seconds a connection to a Memcache server can be idle before
# being closed. Defaults to 60 seconds.
# Only for Apache >= 2.4.x: By adding a postfix of ms, the timeout can be also
# set in milliseconds. Defaults to 60 seconds.
#OIDCMemCacheConnectionsTTL <seconds>

# Required if Redis support is compiled in and when using OIDCCacheType "redis":
# Specifies the Redis server used for caching as a <hostname>[:<port>] tuple.
#OIDCRedisCacheServer <hostname>[:<port>]

# Password to be used if the Redis server requires authentication: http://redis.io/commands/auth
# When not specified, no authentication is performed.
#OIDCRedisCachePassword <password>

# Username to be used if the Redis server requires authentication: http://redis.io/commands/auth
# NB: this can only used with Redis 6 (ACLs) or later
# When not specified, the implicit user "default" is used
#OIDCRedisCacheUsername <username>

# Logical database to select on the Redis server: https://redis.io/commands/select
# When not defined the default database 0 is used.
#OIDCRedisCacheDatabase <number>

# Timeout (in seconds) for connecting to the Redis servers.
# An optional 2nd parameter can be supplied to set the keepalive interval (in seconds) on the
# TCP connection to the Redis server. 0 disables keepalive.
# NB: the interval setting only works when compiled and running with hiredis >= 1.2.0
#     when compiled and running with hiredis < 1.2.0 any value > 0 will apply the default interval 
# When not defined the default connect timeout is 5 seconds and the default hiredis keepalive (15s) is applied.
#OIDCRedisCacheConnectTimeout <connect-timeout> [0|<keep-alive-interval>]

# Timeout waiting for a response of the Redis servers after a request was sent.
# When not defined the default timeout is 5 seconds.
#OIDCRedisCacheTimeout <seconds>

########################################################################################
#
# Advanced Settings
#
########################################################################################

# Defines an external OP Discovery page. That page will be called with:
#    <discovery-url>?oidc_callback=<callback-url>
# additional parameters may be added, a.o. `target_link_uri`, `x_csrf` and `method`.
#
# An Issuer selection can be passed back to the callback URL as in:
#    <callback-url>?iss=[${issuer}|${domain}|${e-mail-style-account-name}][parameters][&login_hint=<login-hint>][&scopes=<scopes>][&auth_request_params=<params>]
# where the <iss> parameter contains the URL-encoded issuer value of
# the selected Provider, or a URL-encoded account name for OpenID
# Connect Discovery purposes (aka. e-mail style identifier), or a domain name.
# [parameters] contains the additional parameters that were passed in on the discovery request (e.g. target_link_uri=<url>&x_csrf=<x_csrf>&method=<method>&scopes=<scopes>)
#
# When not defined the bare-bones internal OP Discovery page is used.
#OIDCDiscoverURL <discovery-url>

# Defines a default URL to be used in case of 3rd-party-init-SSO when no explicit target_link_uri
# has been provided. The user is also redirected to this URL in case an invalid authorization
# response was received.
# The default is to not redirect the browser to any URL but return an HTTP/HTML error to the user.
#OIDCDefaultURL <relative-or-absolute-url>

# Defines a default URL where the user is sent to after logout, which may be overridden explicitly during logout.
# When not defined and no URL was passed explicitly, a default internal page will be shown.
#OIDCDefaultLoggedOutURL <relative-or-absolute-url>

# Define the OpenID Connect scope(s) that is requested from the OP (eg. "admin edit")
# on a per-path basis in addition to the per-provider configured scopes (OIDCScope).
# Multiple scope values must be enclosed in a single pair of double quotes.
# Apache expressions can be used to pass dynamic runtime determined values.
# The default is to not add extra scopes.
#OIDCPathScope "<scope(s)-separated-by-spaces-and-enclosed-in-double-quotes>"

# Extra parameters that will be sent along with the Authorization Request.
# These must be URL-query-encoded as in: "display=popup&prompt=consent".
# This can be configured on a per-path basis across all configured Providers.
# One can pass on query parameters from the request to the authorization request by adding
# e.g. "foo=#" which which will dynamically pull in the query parameter value from the
# request query parameter and add it to the authentication request to the OP.
# Apache expressions can be used to pass dynamic runtime determined values.
# The default is to not add extra parameters.
#OIDCPathAuthRequestParams <query-encoded-string>

# Acceptable offset (before and after) for checking the \"iat\" (= issued at) timestamp in the id_token.
# When not defined the default is 600 seconds.
# NB: this can be overridden on a per-OP basis in the .conf file using the key: idtoken_iat_slack
#OIDCIDTokenIatSlack <seconds>

# The prefix to use when setting claims (openid-connect or oauth20) in the HTTP headers/environment variables.
# This prefix should not be set to "" except when combined with OIDCWhiteListedClaims to maintain a secure setup.
# When not defined, the default "OIDC_CLAIM_" is used.
#OIDCClaimPrefix <prefix>

# The delimiter to use when setting multi-valued claims (openid-connect or oauth20) in the HTTP headers/environment variables.
# When not defined the default "," is used.
#OIDCClaimDelimiter <char>

# The claim that is used when setting the REMOTE_USER variable on OpenID Connect protected paths.
# If the claim name is postfixed with a \"@\", the claim value will be post-fixed with the
# \"iss\" value value (with leading "https://" stripped) to make this value unique across different OPs.
# When not defined the default "sub@" is used.
#
# An optional regular expression can be added as a 2nd parameter that will be applied to the
# resulting value from the 1st parameter and the first match returned from that expression will
# be set as the REMOTE_USER. E.g. to strip a domain from an e-mail style address you'd use ^(.*)@
#
# An optional 3rd parameter can be added that would contain string with number backrefrences.
# Backrefrences must be in the form $1, $2.. etc.
# E.g. to extract username in the form DOMAIN\userid from e-mail style address you may use
#  ^(.*)@([^.]+)\..+$ $2\\$1
#OIDCRemoteUserClaim <claim-name>[@] [<regular-expression>] [substitution-string]

# Define the way(s) in which the id_token contents are passed to the application according to OIDCPassClaimsAs.
# Must be one or several of:
# "claims" :     the claims in the id_token are passed in individual headers/environment variables
# "payload" :    the payload of the id_token is passed as a JSON object in the "OIDC_id_token_payload" header/environment variable
# "serialized" : the complete id_token is passed in compact serialized format in the "OIDC_id_token" header/environment variable
# Note that when OIDCSessionType client-cookie is set, the id_token itself is not stored in the session/cookie (unless explicitly
# configured to do so) and as such the header for the "serialized" option will not be set.
# Can be configured on a per Directory/Location basis. When not defined the default "claims" is used.. 
#OIDCPassIDTokenAs [claims|payload|serialized]+

# Define the way(s) in which the claims resolved from the userinfo endpoint are passed to the application according to OIDCPassClaimsAs.
# Must be one or several of:
# "claims" :
#    the userinfo claims are passed in individual headers/environment variables
# "json[:<name]" :
#    a self-contained userinfo JSON object is passed in the "OIDC_userinfo_json" or <name> header/environment variable
# "jwt[:<name]" :
#    the signed/encrypted JWT (if available!) resolved from the userinfo endpoint is passed in the
#    "OIDC_userinfo_jwt" or <name> header/environment variable
# "signed_jwt[:<name]" :
#    the userinfo claims are passed in a JWT signed by mod_auth_openidc
#    in the "OIDC_signed_jwt" or <name> header/environment variable
#    - requires OIDCPrivateKeyFiles/OIDCPublicKeyFiles set with a RSA key (RS256) or a prime256v1 Elliptic Curve key(s) (ES256),
#      the first RSA/EC signing key in the configured list will be used
#    - the "expires_in" hint from the access_token is used in the "exp" claim; defaults to 60 seconds if not returned by the OP.
#    - caching of the signed JWT - use with care only - can be configured using:
#        SetEnvIfExpr true OIDC_USERINFO_SIGNED_JWT_CACHE_TTL=<seconds>
#      or for the duration of the - possibly processed - "exp" claim when set to "0"
# Can be configured on a per Directory/Location basis. When not defined the default "claims" is used.. 
#OIDCPassUserInfoAs [claims|json[:<name>]|jwt[:<name>]|signed_jwt[:<name>]]+

# Only when compiled in with libjq (https://stedolan.github.io/jq/manual/) support: process the claims
# returned from the userinfo endpoint with a JQ-based expression before propagating them according
# to OIDCPassUserInfoAs claims|json|signed_jwt (ie. does not work for "OIDCPassUserInfoAs jwt")
#
# Overwrite the default (provider) "iss" claim, and delete the default "aud" and "name" claims:
#     '. + { iss: "https://myissuer.com" } | del(.aud, .name)'
# Add new claim with a variable value obtained from an Apache expression https://httpd.apache.org/docs/2.4/expr.html:
# (be aware that when used with "OIDCPassUserInfoAs signed_jwt" it results in a cached JWT per-user/per-path)
#     '. + { path: "%{REQUEST_URI}" }'
# Keep sub only:
#      '{ sub: .sub }'
# Filter out all elements in the "groups" array of strings that contain "DC=Company" :
#      '. + { groups: (.groups - (.groups | map(select(contains("DC=Company"))))) }'
# Filter out all elements in the "groups" array of strings that match regular expression ^CN=test-.* :
#      '. + { groups: (.groups - (.groups | map(select(match("^CN=test-.*"; "g"))))) }'
# Can be configured on a per Directory/Location basis. When not defined no processing will be applied.
#OIDCUserInfoClaimsExpr <jq-filter>

# Only when compiled in with libjq (https://stedolan.github.io/jq/manual/) support: applies
# a JQ filter to claims in the both the id_token and claims returned from the userinfo endpoint
# before storing them in the session after applying (optional) toplevel blacklisting/whitelisting
# with OIDCBlackListedClaims/OIDCWhiteListedClaims, e.g.:
# filter out all elements in the "groups" array of strings that match regular expression ^CN=test-.*
#      '. + { groups: (.groups - (.groups | map(select(match("^CN=test-.*"; "g"))))) }'
# whitelist only "name" and "sub" claims:
#   '{name, sub}'
# delete "groups", "exp" and "iat"
#   'del(.groups,.exp,.iat)'
# When not defined no processing will be applied and all claims will be stored in the session.
#OIDCFilterClaimsExpr <jq-filter>

# Define the way in which the (processed) claims and tokens are passed to the application environment:
# "none": no claims/tokens are passed
# "environment": claims/tokens are passed as environment variables
# "headers": claims/tokens are passed in headers (also useful in reverse proxy scenario's)
# "both": claims/tokens are passed as both headers as well as environment variables (default)
#
# A second parameter can be specified that defines the encodong applied to all values passed in headers
# and environment variables:
#   "latin1" applies ISO-8859-1 encoding: this may result in out of bound characters converted to the "?" character.
#   "base64url" applies base64url encoding
#   "none" applies no encoding and copies literal values from the claims into the headers/environment variables
# When not defined the default is "both" and "latin1" encoding is applied to the header/environment values.
#
# The access token is passed in OIDC_access_token; the access token expiry is passed in OIDC_access_token_expires.
# The refresh token is only passed in OIDC_refresh_token if enabled for that specific directory/location (see: OIDCPassRefreshToken)
#OIDCPassClaimsAs [none|headers|environment|both] [latin1|base64url|none]

# Specify the HTTP header variable name to set with the name of the authenticated user,
# i.e. copy what is set in REMOTE_USER and configured in OIDCRemoteUserClaim or OIDCOAuthRemoteUserClaim.
# When not defined no such header is added.
# This setting can be configured for both the "openid-connect" and "oauth20" AuthType on
# a server-wide or directory level.
#OIDCAuthNHeader <header-name>

# Timeout in seconds for long duration HTTP calls. This defines the maximum duration that a request make take to
# to complete and is used for most requests to remote endpoints/servers.
# The optional <connect-timeout> parameter specifies the connect timeout in seconds, as part of the overall request timeout.
# The optional <retries> parameter specifies the number of retry attempts in case of connectivity errors.
# When not defined the default of 30 seconds is used, with a 10 second connect timeout, using 1 retry after
# an interval of 500ms.
#OIDCHTTPTimeoutLong <seconds> [<connect-timeout>] [<retries>[:<retry-interval-ms>]]

# Timeout in seconds for short duration HTTP calls. This defines the maximum duration that a request may take to
# to complete and is used for Client Registration and OP Discovery requests.
# The optional <connect-timeout> parameter specifies the connect timeout in seconds, as part of the overall request timeout.
# The optional <retries> parameter specifies the number of retry attempts in case of connectivity errors.
# When not defined the default of 5 seconds is used, with a 2 second connect timeout, using 1 retry with
# an interval of 500ms.
#OIDCHTTPTimeoutShort  <seconds> [<connect-timeout>] [<retries>[:<retry-interval-ms>]]

# Time to live in seconds for state parameter i.e. the interval in which the authorization request
# and the corresponding response need to be processed. When not defined the default of 300 seconds is used.
#OIDCStateTimeout <seconds>

# Specify an outgoing proxy for your network. When running on a platform with a recent version of
# libcurl you can also specify the network protocol, see: https://curl.se/libcurl/c/CURLOPT_PROXY.html
# When not defined no outgoing proxy is used.
#OIDCOutgoingProxy [<scheme>://]<host>[:<port>] [<username>:<password>] [basic|digest|negotiate|ntlm|any]

# Defines the action to be taken when an unauthenticated request is made.
#
# "auth" means that the user is redirected to the OpenID Connect Provider or Discovery page.
# "401" means that HTTP 401 Unauthorized is returned.
# "407" means that HTTP 407 Proxy Authentication Required is returned
# "410" means that HTTP 410 Gone is returned
# "pass" means that an unauthenticated request will pass but claims will still be passed when a user happens to be authenticated already
#
# Useful in Location/Directory/Proxy path contexts that serve AJAX/Javascript calls and for "anonymous access"
#
# When not defined the default is "auth" with auto-detection of requests that woult not be able to complete
# an authentication round trip to the OpenID Connect Provider, which would receive a 401.
# The default auto-detection algorithm looks for the "X-Requested-With: XMLHttpRequest" header/value, or
# the presence of a Sec-Fetch-Mode header with a value that is not equal to "navigate", or the presence of
# a Sec-Fetch-Dest header with a value that is not equal to "document" or the absence of
# an "Accept" header with any of the values "text/html" "application/xhtml+xml" or "*/*"
# and returns 401 for such non-auth-capable requests, e.g. XML HTTP Requests, image loading requests etc.
# that would create a state cookie but never return to delete it.
# See: https://github.com/OpenIDC/mod_auth_openidc/wiki/Cookies#tldr
# 
# Only for Apache >= 2.4.x:
# Since verson 2.4.4 a boolean Apache expression as the second parameter to specify which requests
# need to match to return the configured value in the first parameter to override the default "auth".
# See also: https://httpd.apache.org/docs/2.4/expr.html.
# E.g to only return 401 for cURL based user agents and "auth" for any other browsers/user agents:
#   OIDCUnAuthAction 401 "%{HTTP_USER_AGENT} =~ /curl/"
# to effectively override the default XML request detection algorithm by ignoring the Sec-Fetch-Mode,
# Sec-Fetch-Dest and Accept headers:
#   OIDCUnAuthAction 401 "%{HTTP:X-Requested-With} == 'XMLHttpRequest'"
# to return 401 for all user agents that do not send an Accept header that includes a "text/html" value:
#   OIDCUnAuthAction 401 "%{HTTP_ACCEPT} !~ m#text/html#"
# or as a more complex example, which equals the default XML request detection algorithm:
#   OIDCUnAuthAction 401 "%{HTTP:X-Requested-With} == 'XMLHttpRequest' \
#                     || ( -n %{HTTP:Sec-Fetch-Mode} && %{HTTP:Sec-Fetch-Mode} != 'navigate' ) \
#                     || ( -n %{HTTP:Sec-Fetch-Dest} && %{HTTP:Sec-Fetch-Dest} != 'document' ) \
#                     || (    ( %{HTTP_ACCEPT} !~ m#text/html# ) \
#                          && ( %{HTTP_ACCEPT} !~ m#application/xhtml\+xml# ) \
#                          && ( %{HTTP_ACCEPT} !~ m#\*/\*# ) )"
# To enable authentication in an iframe you need to change the Sec-Fetch-Dest part above in:
#                     || ( -n %{HTTP:Sec-Fetch-Dest} && %{HTTP:Sec-Fetch-Dest} != 'iframe' && %{HTTP:Sec-Fetch-Dest} != 'document') \
# To disable auto-detection of XML HTTP request altogether and uncondtionally return "auth" for all clients:
#   OIDCUnAuthAction auth true
# Note that actually *any* expression value in "OIDCUnAuthAction auth <expr>" will *always* render "auth"
# (even when set to "false"...) because of the default, so using an <expr> value (other than "true") only
# makes sense in combination with one of the values other than "auth".
#OIDCUnAuthAction [auth|pass|401|407|410] [<expression-to-detect-non-auth-request>]

# Defines the action to be taken when an unauthorized request is made i.e. the user is authenticated but
# does not meet the `Require claim <>` directives or similar.
# "401" return HTTP 401 Unauthorized with optional text message if specified in <argument>
# "403" return HTTP 403 Forbidden with optional text message; NB: for Apache 2.4 this is controlled by the AuthzSendForbiddenOnFailure directive!
# "302" redirect to the URL specified in the <argument> parameter
# "auth" redirect the user to the OpenID Connect Provider or Discovery page for authentication (<argument> is unused)
# Useful in Location/Directory/Proxy path contexts that need to do stepup authentication
# Be aware that this will only work in combination with a single Require statement or RequireAll,
# so using RequireAny and multiple Require statements is not supported.
# Also for "auth", the expression argument for OIDCUnAuthAction is re-used here to detect XHR requests.
# When not defined the default "403" is used. However Apache 2.4 will change this to 401 unless you set "AuthzSendForbiddenOnFailure on"
#OIDCUnAutzAction [401|403|302|auth] [<argument>]

# Indicates whether POST data will be preserved across authentication requests (and discovery in case of multiple OPs).
# This is designed to prevent data loss when a session timeout occurs in a (long) user filled HTML form.
# It cannot handle arbitrary payloads for security (DOS) reasons, merely form-encoded user data.
# Preservation is done via HTML 5 session storage: note that this can lead to private data exposure on shared terminals.
# The default is "Off" (for security reasons). Can be configured on a per Directory/Location basis.
#OIDCPreservePost [On|Off]

# POST preserve and restore templates to be used with OIDCPreservePost
# <preserve> template needs to contain two "%s" characters
#            the first for the JSON formattted POST data, the second for the URL to redirect to after preserving
# <restore>  template needs to contain one "%s"
#            which contains the (original) URL to POST the restored data to
# The default is to use internal templates
#OIDCPreservePostTemplates <preserve-template-filepath> <restore-template-filepath>

# Indicates whether the access token and access token expires will be passed to the application in a header/environment variable, according
# to the OIDCPassClaimsAs directive.
# Can be configured on a per Directory/Location basis. The default is "On".
#OIDCPassAccessToken [On|Off]
#
# Indicates whether the refresh token will be passed to the application in a header/environment variable, according
# to the OIDCPassClaimsAs directive.
# Can be configured on a per Directory/Location basis. The default is "Off". 
#OIDCPassRefreshToken [On|Off]

# Request Object/URI settings expressed as a string that is a "double-quote-escaped" JSON object. For example:
# "{ \"copy_from_request\": [ \"claims\", \"response_type\", \"response_mode\", \"login_hint\", \"id_token_hint\", \"nonce\", \"state\", \"redirect_uri\", \"scope\", \"client_id\" ], \"static\": { \"some\": \"value\", \"some_nested\": { \"some_array\": [ 1,2,3] } }, \"crypto\": { \"sign_alg\": \"HS256\", \"crypt_alg\": \"A256KW\", \"crypt_enc\": \"A256CBC-HS512\" }, \"url\": \"https://www.openidc.com/protected/\", \"request_object_type\" : \"request\" }"
# Parameters:
#   copy_from_request (array)            : array of query parameter names copied from request
#   copy_and_remove_from_request (array) : array of parameter names copied from request and removed as query parameter
#   static (object)                      : parameter value is merged to the request object
#   ttl (number)                         : number of seconds before the request object expires (default is 30 seconds)
#                                          translates to the `exp` claim in the request object
#   crypto (object)                      : defines cryptography used to create request object
#     sign_alg (string)                  : algorithm used to sign request object (JWS alg parameter)
#     crypt_alg (string)                 : algorithm used to encrypt CEK of request object (JWE alg parameter)
#     crypt_enc (string)                 : algorithm used to encrypt request object (JWE enc parameter)
#   url (string)                         : use this url instead of redirect_uri for request_uri
#   request_object_type (string)         : parameter used for sending authorization request object
#                                          "request_uri" (default) or "request"
# NB: this can be overridden on a per-OP basis in the .conf file using the key: request_object
#OIDCRequestObject <stringified-and-double-quote-escaped-JSON-object>

# Provider metadata refresh interval for the metadata in a multi-provider setup (with OIDCMetadataDir).
# When not defined the default is 0 seconds, i.e. it is never refreshed.
# Also used in a single provider setup with OIDCProviderMetadatURL but 0 then means the default of 1 day.
#OIDCProviderMetadataRefreshInterval <seconds>

# Define the data that will be returned upon calling the info hook.
# The data can be JSON formatted using <redirect_uri>?info=json, or HTML formatted, using <redirect_uri>?info=html.
#   iat (int)                  : Unix timestamp indicating when this data was created
#   access_token (string)      : the access token
#   access_token_expires (int) : the Unix timestamp which is a hint about when the access token will expire (as indicated by the OP)
#   id_token (object)          : the claims presented in the ID token
#   id_token_hint (string)     : the serialized ID token
#   userinfo (object)          : the claims resolved from the UserInfo endpoint
#   refresh_token (string)     : the refresh token (if returned by the OP)
#   exp (int)                  : the maximum session lifetime (Unix timestamp in seconds)
#   timeout (int)              : the session inactivity timeout (Unix timestamp in seconds)
#   remote_user (string)       : the remote user name
#   session (object)           : (for debugging) mod_auth_openidc specific session data such as "remote user", "session expiry", "session id" and a "state" object
# Note that when using ProxyPass / you may have to add a proxy exception for the Redirect URI 
# for this to work, e.g. ProxyPass /redirect_uri !
# When not defined the session hook will not return any data but a HTTP 404
#OIDCInfoHook [iat|access_token|access_token_expires|id_token|id_token_hint|userinfo|refresh_token|exp|timeout|remote_user|session]+

# Specify metrics that you wish to collect and keep in shared memory for retrieval.
# Supported metrics classes are:
#   authtype        Request counter, overall and per AuthType: openid-connect, oauth20 and auth-openidc.
#   authn           Authentication request creation and response processing.
#   authz           Authorization errors per OIDCUnAutzAction (per Require statement, not overall).
#   require.claim   Match/failure count of Require claim directives (per Require statement, not overall).
#   provider        Requests to the provider [token, userinfo, metadata] endpoints.
#   session         Existing session processing.
#   cache           Cache read/write timings and errors.
#   redirect_uri    Requests to the Redirect URI, per type.
#   content         Requests to the content handler, per type of request: info, metrics, jwks, etc.
# When not defined no metrics will be recorded.
#OIDCMetricsData [ authtype | authn | authz | require.claim | requests | session | cache | redirect_uri | content ]+

# Specify the path where metrics are published and can be consumed.
# The format parameter can be passed to specify the format in which the collected data is returned.
#   format=prometheus  Prometheus text-based exporter
#   format=json        (non-standard) JSON with descriptions and names
#   format=status      short text based status message "OK" plus optional counter (&vhost=<vhost>&counter=<name>)
#   format=internal    internal terse JSON for debugging purposes
# The default is "prometheus".
# Protect protect this path (e.g. Require host localhost) or serve it on an internal co-located vhost/port.
# When not defined, no metrics will be published on the enclosing vhost.
#OIDCMetricsPublish <path>

# Set a traceparent HTTP header on outgoing requests to the provider and proxied requests.
#   propagate: propagate any existing traceparent header on requests to the Provider (it's proxied as it is)
#   generate:  generate a traceparent header, possibly overwriting an existing one
# The default is "off": do not propagate, add (or overwrite) a traceparent header.
#OIDCTraceParent off | generate | propagate

# Specify claims that should be removed from the userinfo and/or id_token before storing them in the session.
# Note that OIDCBlackListedClaims takes precedence over OIDCWhiteListedClaims
# When not defined no claims are blacklisted and all claims are stored except when OIDCWhiteListedClaims is used.
#OIDCBlackListedClaims [<claim>]+

# Specify claims from the userinfo and/or id_token that should be stored in the session (all other claims will be discarded).
# Note that OIDCBlackListedClaims takes precedence over OIDCWhiteListedClaims
# When not defined no claims are whitelisted and all claims are stored except when blacklisted with OIDCBlackListedClaims.
#OIDCWhiteListedClaims [<claim>]+

# Specify the minimum time-to-live for the access token stored in the OIDC session.
# When the access token expiry timestamp (at least the hint given to that) is less than this value,
# an attempt will be made to refresh the access token using the refresh token grant type towards the OP.
# This only has an effect if a refresh token was actually returned from the OP and an "expires_in" hint
# was returned as part of the authorization response and subsequent refresh token responses.
# When not defined no attempt is made to refresh the access token (unless implicitly through OIDCUserInfoRefreshInterval)
# The optional logout_on_error flag makes the refresh logout the current local session if the refresh fails.
# The optional authenticate_on_error flag sends the user for authentication when the refresh fails.
#OIDCRefreshAccessTokenBeforeExpiry <seconds> [logout_on_error | authenticate_on_error | 502_on_error]

# Defines which headers will be used as the "state" input for calculating the fingerprint of the browser
# during authentication. When not defined the default "user-agent" is used.
#OIDCStateInputHeaders [user-agent|x-forwarded-for|both|none]

# Define one or more regular expressions that specify URLs (or domains) allowed for post logout and
# other redirects such as the "return_to" value on refresh token requests, the "login_uri" value
# on session management based logins through the OP iframe, and the "target_link_uri" parameter in
# 3rd-party initiated logins, e.g.:
#   OIDCRedirectURLsAllowed ^https://www\.example\.com ^https://(\w+)\.example\.org ^https://example\.net/app
# or:
#   OIDCRedirectURLsAllowed ^https://www\.example\.com/logout$ ^https://www\.example\.com/app/return_to$
# When not defined, the default is to match the hostname in the URL redirected to against
# the hostname in the current request.
#OIDCRedirectURLsAllowed [<regexp>]+

# Defines the value of the X-Frame-Options header returned on OIDC front-channel logout requests.
# See also https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Frame-Options.
# For example: 
#   OIDCLogoutXFrameOptions: sameorigin
# or:
#   OIDCLogoutXFrameOptions: allow-from https://provider.example.com/
# When not defined the default is "DENY".
#OIDCLogoutXFrameOptions <value>

# Define the X-Forwarded-* or Forwarded headers that will be taken into account as set by a reverse proxy
# in front of mod_auth_openidc. Must be one or more of:
#  X-Forwarded-Host
#  X-Forwarded-Port
#  X-Forwarded-Proto
#  Forwarded
#  none
# When not defined or "none", such headers will be ignored.
#OIDCXForwardedHeaders <header>+