
I have mod_auth_openidc working on centos7 but cannot find the documentation that references how to extract passed user information.

My logs show that the module is performing the following interrogations

oidc_authz_match_claim: evaluating key "nickname"
oidc_authz_match_claim: evaluating key "email"
oidc_authz_match_claim: evaluating key "user_id"
oidc_authz_match_claim: evaluating key "identities"
oidc_authz_match_claim: evaluating key "iat"
oidc_authz_match_claim: evaluating key "picture"
oidc_authz_match_claim: evaluating key "last_password_reset"
oidc_authz_match_claim: evaluating key "name"
oidc_authz_match_claim: evaluating key "created_at"
oidc_authz_match_claim: evaluating key "app_metadata"
oidc_authz_match_claim: evaluating key "email_verified"
oidc_authz_match_claim: evaluating key "clientID"
oidc_authz_match_claim: evaluating key "folders"

I have tried setting both of the following in httpd.conf

OIDCRemoteUserClaim email
OIDCOAuthRemoteUserClaim email

then using <?php echo $_SESSION['REMOTE_USER']; ?> but I am not getting any variables being returned.

Thanks, Art

1 Answer

In the default setup the email claim is available both as an environment variable:

echo $_SERVER['OIDC_CLAIM_email']

and as an HTTP header:

$hdrs = apache_request_headers();
echo $hdrs['OIDC_CLAIM_email'];

the REMOTE_USER variable is accessible through:

$_SERVER['REMOTE_USER'];

and will be set to a globally unique identifier by default but is configurable through the OIDCRemoteUserClaim directive as you showed. A few remarks about the setup:

  1. You'll note that the HTTP headers are also available in the environment variables, with their variable names prefixed with HTTP_ and uppercased e.g.
    $_SERVER['HTTP_OIDC_CLAIM_EMAIL'];

  2. You can configure the behavior around passing claims in headers and/or environment variables through various configuration directives

  3. The variables will of course only exist if the associated claim was present in the id_token or returned from the user info endpoint
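The following is an added example, not code from the question or the answer above, showing how a PHP page running under mod_php would consume what the answer describes: REMOTE_USER plus the OIDC_CLAIM_* environment variables. It reads only the environment-variable form, because the HTTP_OIDC_CLAIM_* form is just the request header re-exported by Apache, and any client that can reach the script without passing through the module (a mis-scoped <Location>, or a direct connection to a backend behind a proxy) could supply that header itself. It also handles the answer's third remark: a claim the provider did not send is simply absent, so every lookup returns null rather than assuming the key exists. The subject value, the e-mail address and the assumption that boolean claims arrive as the strings "true"/"false" are constructed for this example.

```php
<?php
// Added example (not from the original post). Assumes the module's default
// OIDCClaimPrefix of "OIDC_CLAIM_" and that PHP executes inside the same
// Apache that runs mod_auth_openidc, so $_SERVER carries the module's
// environment variables directly.
declare(strict_types=1);

const CLAIM_PREFIX = 'OIDC_CLAIM_';

/**
 * Return a claim passed by mod_auth_openidc as an environment variable, or
 * null when the provider did not include it in the id_token / userinfo
 * response. The HTTP_OIDC_CLAIM_* keys are deliberately not consulted.
 */
function oidc_claim(array $server, string $name): ?string
{
    $key = CLAIM_PREFIX . $name;
    if (!array_key_exists($key, $server) || $server[$key] === '') {
        return null;
    }
    return (string) $server[$key];
}

/**
 * Build the application's view of the signed-in user. Returns null (the
 * caller should answer 401/403) unless the module set REMOTE_USER and the
 * email claim is both present and flagged as verified by the provider.
 */
function current_user(array $server): ?array
{
    $remoteUser = $server['REMOTE_USER'] ?? '';
    if ($remoteUser === '') {
        return null; // request did not come through an OIDC-protected location
    }
    $email = oidc_claim($server, 'email');
    // Assumption: boolean claims are exported as the strings "true"/"false".
    $verified = oidc_claim($server, 'email_verified') === 'true';
    if ($email === null || !$verified) {
        return null; // never authorize on an unverified e-mail address
    }
    return [
        'id'    => $remoteUser,                  // provider's stable subject id
        'email' => $email,
        'name'  => oidc_claim($server, 'name') ?? $email,
    ];
}

// Constructed request environment so the script runs from the CLI; a real
// request passes $_SERVER. The forged HTTP_ header is present to show that
// it is ignored in favour of the module-set OIDC_CLAIM_email value.
$sample = [
    'REMOTE_USER'               => 'auth0|5a1b2c3d4e5f',
    'OIDC_CLAIM_email'          => 'art@example.com',
    'OIDC_CLAIM_email_verified' => 'true',
    'OIDC_CLAIM_name'           => 'Art',
    'HTTP_OIDC_CLAIM_EMAIL'     => 'admin@example.com', // attacker-supplied, unused
];
$user = current_user(PHP_SAPI === 'cli' ? $sample : $_SERVER);
if ($user === null) {
    if (PHP_SAPI !== 'cli') {
        http_response_code(403);
    }
    echo "not signed in\n";
} else {
    echo "signed in as {$user['email']} (subject {$user['id']})\n";
}
```

If the application only ever reads the environment-variable form, the headers can be switched off entirely with OIDCPassClaimsAs environment (the directive that controls whether claims go to headers, environment variables, or both), which removes the header-spoofing question at the source; keep the default OIDCClaimPrefix so the OIDC_CLAIM_ names in the answer still apply.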


1 Comment

Your answer pointed me to my basic error using SESSION instead of SERVER, but the tips on OIDC_CLAIM_* will change the approach to our architecture to simplify the process. Thanks for the detailed answer
