
I have a basic web application which runs on Apache 2.2 and doesn't have any authentication. The site content is a static webpage.
Our small organization is currently working on implementing mod_auth_openidc for all the websites.
I wanted to implement mod_auth_openidc authentication on top of basic static web application.

How can I achieve it?
I am a newbie to Apache configuration and mod_auth_openidc. I Googled around for some articles to implement it but I couldn't find any. I have created a static account for my application on the OAuth2 server.

Can someone point me in the right direction on how to enable authentication for my static web page application with mod_auth_openidc and mod_proxy configuration?

<Location />
   AuthType openid-connect
   Require valid-user
</Location>
OIDCProviderMetadataURL https://example.com/fss/.well-known/openid-configuration
OIDCClientID ExampleCorp_Prod_web01
OIDCClientSecret <client-secret>
OIDCRedirectURI http://<ip>/redirect_uri
OIDCScope "profile openid"
OIDCCryptoPassphrase example@3003
OIDCCookiePath /
ProxyPass /  http://<ip>:8080/ nocanon
ProxyPassReverse / http://<ip>:8080/
ProxyRequests     Off
AllowEncodedSlashes on
<Proxy http://<ip>:8080/*>
</Proxy>
OIDCAuthNHeader X-Forwarded-User
OIDCRemoteUserClaim sub
OIDCClaimPrefix example_
LoadModule auth_openidc_module modules/mod_auth_openidc.so
  • What provider would you configure against? Commented Apr 16, 2016 at 9:35
  • Hi Hans, we are using PingFederate. Commented Apr 17, 2016 at 4:51

1 Answer

There are examples in the README on the GitHub project pages: https://github.com/zmartzone/mod_auth_openidc. Assuming the static webpages live on /example, in your specific (PingFederate) example it would be something like:

OIDCProviderMetadataURL https://<pingfederate-host>:9031/.well-known/openid-configuration

OIDCClientID <client-id-as-registered-with-pingfederate>
OIDCClientSecret <client-secret-as-registered-with-pingfederate>

OIDCRedirectURI https://<your-apache-host>/example/redirect_uri/
OIDCCryptoPassphrase <password>
OIDCScope "openid email profile"

<Location /example/>
   AuthType openid-connect
   Require valid-user
</Location>

A complete working example based on the OP's environment:

Listen 80
User www
Group www
DocumentRoot /opt/local/apache2/htdocs/
ErrorLog "logs/error_log"
LogLevel info
ServerName example.org

LoadModule ssl_module modules/mod_ssl.so
LoadModule authz_user_module   modules/mod_authz_user.so
LoadModule auth_openidc_module modules/mod_auth_openidc.so

LoadModule proxy_module modules/mod_proxy.so
LoadModule proxy_http_module modules/mod_proxy_http.so

<Location />
   AuthType openid-connect
   Require valid-user
</Location>

OIDCProviderMetadataURL https://accounts.google.com/.well-known/openid-configuration
OIDCClientID myclientid
OIDCClientSecret mysecret
OIDCRedirectURI http://example.org/protected/
OIDCScope "profile openid"
OIDCCryptoPassphrase example@3003
OIDCCookiePath /

ProxyPass /  http://192.168.10.1:80/ nocanon
ProxyPassReverse / http://192.168.10.1:80/
ProxyRequests     Off
AllowEncodedSlashes on
<Proxy http://192.168.10.1:80/*>
</Proxy>

OIDCAuthNHeader X-Forwarded-User
OIDCRemoteUserClaim sub
OIDCClaimPrefix example_
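As an added check, not part of the answer above or of mod_auth_openidc itself: a small Python script that parses an Apache fragment like the ones in this thread and flags the pitfalls that came up here (an OIDCRedirectURI that is plain http or lies outside the openid-connect <Location>, placeholder secrets left in, and a <Proxy> container whose host:port does not match the ProxyPass backend). The hostnames and addresses in SAMPLE are constructed for the demonstration.

```python
import re
from urllib.parse import urlsplit
# Constructed sample (not from the page) with two pitfalls from the thread left in:
# plain-http OIDCRedirectURI outside the protected <Location>, <Proxy> port != ProxyPass.
SAMPLE = """
<Location /example/>
   AuthType openid-connect
</Location>
OIDCClientSecret mysecret
OIDCRedirectURI http://www.example/redirect_uri/
OIDCCryptoPassphrase example@3003
ProxyPass / http://192.168.10.1:80/ nocanon
<Proxy http://192.168.10.1:8080/*>
</Proxy>
"""

def parse(text):
    """Return (rows, sections): rows = (enclosing section or None, directive, argument)."""
    rows, sections, section = [], [], None
    for line in (l.strip() for l in text.splitlines() if l.strip() and not l.lstrip().startswith("#")):
        if m := re.match(r"<(Location|Proxy)\s+(.+)>$", line):   # a section opens
            section = (m.group(1), m.group(2))
            sections.append(section)
        elif line.startswith("</"):                              # a section closes
            section = None
        else:
            parts = line.split(None, 1) + [""]                   # directive, argument
            rows.append((section, parts[0], parts[1].strip('"')))
    return rows, sections

def check(text):
    """Return a list of findings; an empty list means nothing was flagged."""
    rows, sections = parse(text)
    top = {n: a for s, n, a in rows if s is None}               # top-level directives
    protected = [s[1] for s, n, a in rows if s and n == "AuthType" and a == "openid-connect"]
    findings = []
    for key in ("OIDCCryptoPassphrase", "OIDCClientSecret", "OIDCRedirectURI"):
        if not top.get(key) or top[key].startswith("<"):        # e.g. "<client-secret>" left in
            findings.append(f"{key} is missing or still a placeholder")
    if top.get("OIDCRedirectURI"):
        ru = urlsplit(top["OIDCRedirectURI"])
        if ru.scheme != "https":
            findings.append("OIDCRedirectURI is plain http: code and session cookie are exposed")
        if not any(ru.path.startswith(p) for p in protected):   # module must own that path
            findings.append("OIDCRedirectURI is not under any openid-connect <Location>")
    backends = {urlsplit(a.split()[1]).netloc for _, n, a in rows if n == "ProxyPass"}
    for kind, arg in sections:
        if kind == "Proxy" and urlsplit(arg).netloc not in backends:
            findings.append(f"<Proxy {arg}> matches no ProxyPass backend {sorted(backends)}")
    return findings
```

Running check(SAMPLE) reports three findings; after moving the redirect URI to https under /example/ and aligning the <Proxy> port with ProxyPass, the list is empty.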

12 Comments

Hi Hans, thanks for the information provided. I am trying to use a hello world page behind the openidc login. I have used an example from the openidc wiki 10.
I am using the URL below for configuring a hello world web page with mod_auth_openidc+mod_proxy+hello world program github.com/pingidentity/mod_auth_openidc/…, but I am seeing "401 authorization error"
and the logs show me oidc_unsolicited_proto_state: could not parse JWT from state: invalid unsolicited response: [src/jose/apr_jwt.c:177: apr_jwt_base64url_decode_object]: JSON parsing (json_loads) failed: '[' or '{' expected near 'l' (l\\\xb4\xe7r\x12\x97\xec\x0e\x1d\xea\xde\x8az\xe5|\xccb\xf0\xcd)\n oidc_authorization_response_match_state: unable to restore state oidc_handle_authorization_response: invalid authorization response state and no default SSO URL is set, sending an error... Very sorry for the mixed log and short comments; I am unable to create a new line in each comment.
Don't access the redirect_uri directly; that's a vanity URL that is used only by the module itself.
Oh, my bad, thank you... almost there. I have corrected the URL I am hitting now, but I still see "Authrization error 401". I have set the loglevel to debug, but I don't see any errors related to oidc now. When I disable the oidc config template and restart httpd, I see the hello world back. Do I have to set up any basic authentication on the static webpage? Please suggest.