Integrating with the Apache mod_auth_openidc module
Overview
This guide provides details on configuration of The Curity Identity Server working in conjunction with the mod_auth_openidc module to protect an application running in Apache.
The mod_auth_openidc module functions as an OpenID Connect Relying Party (RP) and enables authentication against an OpenID Connect Provider, in this case The Curity Identity Server.
The module is configured to protect an application and therefore requires an access token before access is granted. If no token is available, the module redirects to The Curity Identity Server for authentication and, if that succeeds, a token is granted. The token is then used to gain access to the protected application(s).
Claims from the token are passed to the protected application and are checked against the configuration in order for access to be granted.
Prerequisites
- An installation of The Curity Identity Server
- A configured client as outlined by this tutorial Code Flow
- An Authenticator that the Client can use, see this tutorial for an example Username Password Authenticator
- Apache httpd with the mod_auth_openidc module installed.
If you do not have an installation of The Curity Identity Server, follow this tutorial installation of The Curity Identity Server and configure the installation by running the Basic Setup Wizard as outlined in this tutorial Basic Setup Wizard.
Configure mod_auth_openidc
Module Configuration
The OpenID Connect client is configured in auth_openidc.conf. The table below outlines some of the parameters; further details and documentation are found in auth_openidc.conf itself.
Parameter | Description | Example |
---|---|---|
OIDCRedirectURI | Where the user-agent will be redirected to after successful authentication. Can be an absolute or relative path. | /protected https://apache-server/protected |
OIDCCryptoPassphrase | Module specific and used for crypto purposes to protect cookies and cache entries. | Can be any value |
OIDCProviderMetadataURL | The OpenID Connect Provider Metadata URL of The Curity Identity Server. | https://idsvr.example.com/oauth/v2/oauth-anonymous/.well-known/openid-configuration |
OIDCScope | Used to request specific scopes. | openid email mycustomscope |
OIDCProviderIssuer | OpenID Connect Provider issuer identifier URL of The Curity Identity Server. | https://idsvr.example.com |
OIDCProviderAuthorizationEndpoint | OpenID Connect Provider Authorization Endpoint URL of The Curity Identity Server. | https://idsvr.example.com/oauth/v2/oauth-authorize |
OIDCProviderTokenEndpoint | OpenID Connect Provider Token Endpoint URL of The Curity Identity Server. | https://idsvr.example.com/oauth/v2/oauth-token |
auth_openidc.conf example snippet
```apache
OIDCRedirectURI /protected
OIDCCryptoPassphrase MyPa$$phrase
OIDCProviderMetadataURL https://idsvr.example.com/oauth/v2/oauth-anonymous/.well-known/openid-configuration
OIDCScope "openid email mycustomscope"
```
Apache configuration
The Apache configuration parameters are outlined below.
Parameter | Description | Example |
---|---|---|
OIDCProviderMetadataURL | The OpenID Connect Provider Metadata URL of The Curity Identity Server. | https://idsvr.example.com/oauth/v2/oauth-anonymous/.well-known/openid-configuration |
OIDCRedirectURI | Where the user-agent will be redirected to after successful authentication. Can be an absolute or relative path. | /protected https://apache-server/protected |
OIDCClientID | The client configured in The Curity Identity Server. | mod-auth-client |
OIDCClientSecret | The secret of the client configured in The Curity Identity Server. | Can be any value |
OIDCCryptoPassphrase | Module specific and used for crypto purposes to protect cookies and cache entries. | Can be any value |
Location | Configuration element for what is protected. | <Location /protected> AuthType openid-connect Require valid-user </Location> |
Protected locations can be specified. The example below has configured both /protected and /restricted. The /restricted location also requires a claim named read_restricted with the value true in order for access to be granted.
openidc.conf example snippet
```apache
OIDCProviderMetadataURL https://idsvr.example.com/oauth/v2/oauth-anonymous/.well-known/openid-configuration
OIDCRedirectURI /protected
OIDCClientID mod-auth-client
OIDCClientSecret MyPa$$w0rd
OIDCCryptoPassphrase MyPa$$phrase
<Location /protected>
AuthType openid-connect
Require valid-user
</Location>
<Location /restricted>
AuthType openid-connect
Require claim read_restricted:true
</Location>
```
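To make the access decision in the snippet above concrete, here is an added model of how the two Location blocks are evaluated against token claims. It is example code written for this page, not part of mod_auth_openidc; the ID-token payloads are constructed, and it assumes Apache's default RequireAny semantics (any one Require directive in a Location is sufficient) and that non-string claim values such as booleans are compared through their JSON text.

```python
import json
import re

# Constructed config: the two Location blocks from this page's openidc.conf snippet.
APACHE_CONF = """
<Location /protected>
AuthType openid-connect
Require valid-user
</Location>
<Location /restricted>
AuthType openid-connect
Require claim read_restricted:true
</Location>
"""

# Constructed ID-token payloads, standing in for what the module obtains
# from The Curity Identity Server after a successful code flow.
ALICE = {"sub": "alice", "email": "alice@example.com", "read_restricted": True}
BOB = {"sub": "bob", "email": "bob@example.com"}

LOCATION_RE = re.compile(r"<Location\s+(\S+)>(.*?)</Location>", re.S)

def parse_requirements(conf):
    """Map each protected path to the list of its Require directives."""
    rules = {}
    for path, body in LOCATION_RE.findall(conf):
        rules[path] = [line.split(None, 1)[1].strip()
                       for line in body.strip().splitlines()
                       if line.strip().startswith("Require ")]
    return rules

def claim_matches(claims, spec):
    """Evaluate a 'name:value' spec; booleans/numbers compared as JSON text (assumption)."""
    name, _, expected = spec.partition(":")
    if name not in claims:
        return False
    actual = claims[name]
    return (actual if isinstance(actual, str) else json.dumps(actual)) == expected

def authorize(rules, path, claims):
    """Return 'redirect' (no session yet), 'allow' or 'deny' for a request path."""
    if claims is None:
        return "redirect"        # no token: module sends the user-agent to the OP
    reqs = rules.get(path)
    if not reqs:
        return "allow"           # path is not protected by any Location block
    for req in reqs:             # RequireAny: first satisfied directive grants access
        if req == "valid-user":
            return "allow"       # any authenticated user
        if req.startswith("claim ") and claim_matches(claims, req[len("claim "):]):
            return "allow"
    return "deny"
```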
Conclusion
The mod_auth_openidc module is a trivial way of protecting web applications deployed in the Apache web server using The Curity Identity Server as an OP. The configuration in the server is very straightforward and can be used to achieve this integration without any custom additions.
Resources
The mod_auth_openidc Apache module.