Reputation: 275
authentication for custom web application with mod_auth_openidc
I have a basic web application which runs on apache 2.2 and doesn't have any authentication. The site content is a static webpage.
Our small organization is currently working on implementing mod_auth_openidc for all the websites.
I wanted to implement mod_auth_openidc authentication on top of basic static web application.
How can I achieve it?
I am newbie to apache configuration and mod_auth_openidc. I Googled around for some articles to implement it but I couldn't find any. I have created a static account for my application on Oauth2 server.
Can someone point me in right direction on how to enable authentication for my static web page application with mod_auth_openidc and mod_proxy configuration?
<Location />
AuthType openid-connect
Require valid-user
</Location>
OIDCProviderMetadataURL https://example.com/fss/.well-known/openid-configuration
OIDCClientID ExampleCorp_Prod_web01
OIDCClientSecret <client-secret>
OIDCRedirectURI http://<ip>/redirect_uri
OIDCScope "profile openid"
OIDCCryptoPassphrase example@3003
OIDCCookiePath /
ProxyPass / http://<ip>:8080/ nocanon
ProxyPassReverse / http://<ip>:8080/
ProxyRequests Off
AllowEncodedSlashes on
<Proxy http://<ip>:8080/*>
</Proxy>
OIDCAuthNHeader X-Forwarded-User
OIDCRemoteUserClaim sub
OIDCClaimPrefix example_
LoadModule auth_openidc_module modules/mod_auth_openidc.so
Upvotes: 2
Views: 9459
Answers (1)
Reputation: 53888
There are examples in the README on the Github project pages: https://github.com/zmartzone/mod_auth_openidc. Assuming the static webpages lives on /example, in your specific (PingFederate) example it would be something like:
OIDCProviderMetadataURL https://<pingfederate-host>:9031/.well-known/openid-configuration
OIDCClientID <client-id-as-registered-with-pingfederate>
OIDCClientSecret <client-secret-as-registered-with-pingfederate>
OIDCRedirectURI https://<your-apache-host>/example/redirect_uri/
OIDCCryptoPassphrase <password>
OIDCScope "openid email profile"
<Location /example/>
AuthType openid-connect
Require valid-user
</Location>
A complete working example based on the OPs environment:
Listen 80
User www
Group www
DocumentRoot /opt/local/apache2/htdocs/
ErrorLog "logs/error_log"
LogLevel info
ServerName example.org
LoadModule ssl_module modules/mod_ssl.so
LoadModule authz_user_module modules/mod_authz_user.so
LoadModule auth_openidc_module modules/mod_auth_openidc.so
LoadModule proxy_module modules/mod_proxy.so
LoadModule proxy_http_module modules/mod_proxy_http.so
<Location />
AuthType openid-connect
Require valid-user
</Location>
OIDCProviderMetadataURL https://accounts.google.com/.well-known/openid-configuration
OIDCClientID myclientid
OIDCClientSecret mysecret
OIDCRedirectURI http://example.org/protected/
OIDCScope "profile openid"
OIDCCryptoPassphrase example@3003
OIDCCookiePath /
ProxyPass / http://192.168.10.1:80/ nocanon
ProxyPassReverse / http://192.168.10.1:80/
ProxyRequests Off
AllowEncodedSlashes on
<Proxy http://192.168.10.1:8080/*>
</Proxy>
OIDCAuthNHeader X-Forwarded-User
OIDCRemoteUserClaim sub
OIDCClaimPrefix example_
Upvotes: 5
Related Questions
- mod_auth_openidc get claims as http headers for public location (all granted)
- Setup mod_proxy on apache http server
- mod_auth_openidc with Apache2.4 reverse proxy
- apache reverse proxy configuration
- Node JS & Apache HTTP
- apache 2 proxypassreverse appends virtualhost port
- Proxypass and ProxyPassReverse replication on centOS htaccess file
- Apache mod_proxy port redirect for game server?