Integrating with the Apache mod_auth_openidc module

Overview

This guide provides details on configuration of the Curity Identity Server working in conjunction with the mod_auth_openidc module to protect an application running in Apache.

The mod_auth_openidc module functions as an OpenID Connect Relying Party (RP) and enables authentication against an OpenID Connect Provider, in this case Curity.

The module is configured to protect one or more Apache locations. When a request to a protected location arrives without a valid module session, the module redirects the user-agent to the Curity Identity Server for authentication using the OpenID Connect authorization code flow. On success, Curity issues an ID token and an access token to the module, which establishes a session and lets the request through to the protected application(s).

Claims from the ID token (and, if configured, from the userinfo endpoint) are evaluated against the Require directives in the Apache configuration before access is granted, and are then passed on to the protected application as request headers or environment variables.
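
The following added example (it is neither code from this page nor part of mod_auth_openidc) shows how a protected application can consume the claims the module forwards and apply its own check on top of the module's Require directive. It assumes the module's default OIDCClaimPrefix ("OIDC_CLAIM_") and OIDCClaimDelimiter (",") are unchanged, and that the application runs under mod_wsgi so that Apache environment variables appear in the WSGI environ. The claim names, values and sample environments are constructed for the example.

```python
"""Consume the claims mod_auth_openidc forwards to a protected WSGI application.

Added example. The prefix and delimiter below are the module's documented defaults
(OIDCClaimPrefix "OIDC_CLAIM_", OIDCClaimDelimiter ",") and are assumed unchanged.
"""

CLAIM_PREFIX = "OIDC_CLAIM_"
CLAIM_DELIMITER = ","


def claims_from_environ(environ):
    """Collect the claims the module exported as environment variables for this request.

    Environment variables are set by the module itself, so a client cannot supply them;
    the HTTP_OIDC_CLAIM_* request headers are deliberately ignored here, so a request that
    somehow reached the application without passing through the module carries no claims.
    """
    return {
        key[len(CLAIM_PREFIX):]: value
        for key, value in environ.items()
        if key.startswith(CLAIM_PREFIX)
    }


def claim_matches(claims, name, expected):
    """Mimic `Require claim name:value`: exact match, or membership for multi-valued claims.

    The module joins array-valued claims with OIDCClaimDelimiter before exporting them.
    """
    value = claims.get(name)
    if value is None:
        return False
    return expected in [part.strip() for part in value.split(CLAIM_DELIMITER)]


def authorize(environ, required=("read_restricted", "true")):
    """Return (status, body) for a request; a second line of defence behind the module."""
    claims = claims_from_environ(environ)
    if "sub" not in claims:
        # No claims at all: the request did not come through an authenticated module session.
        return "401 Unauthorized", b"no authenticated session\n"
    name, expected = required
    if not claim_matches(claims, name, expected):
        return "403 Forbidden", f"claim {name} is not {expected}\n".encode()
    return "200 OK", f"hello {claims['sub']}\n".encode()


def application(environ, start_response):
    """WSGI entry point, e.g. for mod_wsgi serving the <Location /restricted> block."""
    status, body = authorize(environ)
    start_response(status, [("Content-Type", "text/plain"), ("Content-Length", str(len(body)))])
    return [body]


# Constructed request environments, shaped like what mod_wsgi would present.
SAMPLE_OK = {"REQUEST_METHOD": "GET", "OIDC_CLAIM_sub": "alice", "OIDC_CLAIM_read_restricted": "true"}
SAMPLE_DENIED = {"REQUEST_METHOD": "GET", "OIDC_CLAIM_sub": "bob", "OIDC_CLAIM_read_restricted": "false"}
# Only a forged request header, no module-set variables: treated as unauthenticated.
SAMPLE_DIRECT = {"REQUEST_METHOD": "GET", "HTTP_OIDC_CLAIM_SUB": "mallory"}
```

Reading the module-set environment variables rather than the HTTP_OIDC_CLAIM_* headers is the point of this example: the module's Require directive already gates the location, but an application that repeats the check on data only the module can set is not fooled if it is ever reachable by a path that bypasses the module.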

Prerequisites

If you do not have an installation of the Curity Identity Server, follow the tutorial on installation of the Curity Identity Server, then configure the installation by running the Curity Basic Setup Wizard as outlined in the Curity Basic Setup Wizard tutorial.

Configure mod_auth_openidc

Module Configuration

The OpenID Connect client is configured in auth_openidc.conf. The list below outlines some of the parameters; the comments in auth_openidc.conf itself document every directive in full.

OIDCRedirectURI
  The URI to which Curity redirects the user-agent with the authorization response after successful authentication. The module handles this URI itself and then sends the user on to the originally requested page. Can be an absolute or relative path; the resulting absolute URI must be registered as a redirect URI on the client in Curity.
  Example: /protected or https://apache-server/protected

OIDCCryptoPassphrase
  Module-specific secret used to encrypt and sign the session cookie and cache entries. Any value is accepted, but because it protects every user's session it should be a long random string, for instance the output of openssl rand -hex 32.
  Example: a long random string

OIDCProviderMetadataURL
  The OpenID Connect Provider Metadata (discovery) URL of the Curity Identity Server. When this is set, the issuer and endpoints below are read from the metadata and do not need to be configured by hand.
  Example: https://idsvr.example.com/oauth/v2/oauth-anonymous/.well-known/openid-configuration

OIDCScope
  The scopes requested in the authorization request. Must include openid; add further scopes to obtain the claims the application or the Require directives need.
  Example: openid email mycustomscope

OIDCProviderIssuer
  The OpenID Connect Provider issuer identifier URL of the Curity Identity Server; it must match the iss claim of the issued tokens. Only needed when OIDCProviderMetadataURL is not set.
  Example: https://idsvr.example.com

OIDCProviderAuthorizationEndpoint
  The OpenID Connect Provider Authorization Endpoint URL of the Curity Identity Server. Only needed when OIDCProviderMetadataURL is not set.
  Example: https://idsvr.example.com/oauth/v2/oauth-authorize

OIDCProviderTokenEndpoint
  The OpenID Connect Provider Token Endpoint URL of the Curity Identity Server. Only needed when OIDCProviderMetadataURL is not set.
  Example: https://idsvr.example.com/oauth/v2/oauth-token

auth_openidc.conf example snippet

# Callback path handled by the module; register the absolute form as a redirect URI on the client in Curity
OIDCRedirectURI /protected
# Protects the session cookie and cache; use a long random value rather than a guessable phrase like this one
OIDCCryptoPassphrase MyPa$$phrase
# Issuer and endpoints are read from Curity's discovery document
OIDCProviderMetadataURL https://idsvr.example.com/oauth/v2/oauth-anonymous/.well-known/openid-configuration
# openid is required; email and mycustomscope determine which additional claims Curity issues
OIDCScope "openid email mycustomscope"

Apache configuration

The Apache configuration parameters are outlined below.

OIDCProviderMetadataURL
  The OpenID Connect Provider Metadata URL of the Curity Identity Server.
  Example: https://idsvr.example.com/oauth/v2/oauth-anonymous/.well-known/openid-configuration

OIDCRedirectURI
  The URI to which the user-agent is redirected with the authorization response after successful authentication. Can be an absolute or relative path.
  Example: /protected or https://apache-server/protected

OIDCClientID
  The client ID of the client configured in the Curity Identity Server.
  Example: mod-auth-client

OIDCClientSecret
  The secret of that client. It must be the value configured for the client in the Curity Identity Server.
  Example: the secret set on the client in Curity

OIDCCryptoPassphrase
  Module-specific secret used to protect the session cookie and cache entries. Any value is accepted, but use a long random string.
  Example: a long random string

Location
  Apache configuration element that defines what is protected. AuthType openid-connect hands authentication to the module and Require states who is granted access.
  Example:
    <Location /protected>
      AuthType openid-connect
      Require valid-user
    </Location>

One or more protected locations can be specified. The example below configures both /protected and /restricted. Any authenticated user may access /protected, while /restricted additionally requires a claim named read_restricted with the value true, so the tokens Curity issues to this client must carry that claim for access to be granted.

openidc.conf example snippet

OIDCProviderMetadataURL https://idsvr.example.com/oauth/v2/oauth-anonymous/.well-known/openid-configuration
OIDCRedirectURI /protected
# Client ID and secret must match the client configured in the Curity Identity Server
OIDCClientID mod-auth-client
OIDCClientSecret MyPa$$w0rd
# Use a long random value in a real deployment
OIDCCryptoPassphrase MyPa$$phrase

# Any authenticated user may access /protected
<Location /protected>
  AuthType openid-connect
  Require valid-user
</Location>

# /restricted additionally requires the read_restricted claim to be true
<Location /restricted>
  AuthType openid-connect
  Require claim read_restricted:true
</Location>
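
The checker below is an added example, not code from this page or from mod_auth_openidc, that applies the points made in the two configuration sections to a configuration file before Apache is reloaded: the required directives are present, the provider is identified either by OIDCProviderMetadataURL or by the issuer plus both endpoints, provider URLs use https, OIDCScope includes openid, OIDCCryptoPassphrase is not short, and every location handed to the module also has a Require directive. The 32-character passphrase threshold is this checker's own policy, not a module requirement, and the sample configurations are constructed from the page's snippets.

```python
"""Sanity checks for a mod_auth_openidc configuration (added example, not part of the module)."""
import re
import shlex

# Constructed sample: the directives from the page's two snippets combined into one file.
PAGE_SNIPPET = """\
OIDCProviderMetadataURL https://idsvr.example.com/oauth/v2/oauth-anonymous/.well-known/openid-configuration
OIDCRedirectURI /protected
OIDCClientID mod-auth-client
OIDCClientSecret MyPa$$w0rd
OIDCCryptoPassphrase MyPa$$phrase
OIDCScope "openid email mycustomscope"
<Location /protected>
  AuthType openid-connect
  Require valid-user
</Location>
<Location /restricted>
  AuthType openid-connect
  Require claim read_restricted:true
</Location>
"""

# Same file with a passphrase of the kind `openssl rand -hex 32` produces (constructed value).
HARDENED = PAGE_SNIPPET.replace(
    "OIDCCryptoPassphrase MyPa$$phrase",
    "OIDCCryptoPassphrase 3f9a1c7e5b2d8f046e1b9d3a7c5f2e80a4d7f1c3e9b6025d7c2e5a9f1d3b8e46",
)

# Constructed sample with several mistakes the checker should catch.
MISCONFIGURED = """\
OIDCProviderMetadataURL http://idsvr.example.com/oauth/v2/oauth-anonymous/.well-known/openid-configuration
OIDCRedirectURI /protected
OIDCClientSecret MyPa$$w0rd
OIDCCryptoPassphrase short
OIDCScope "email mycustomscope"
<Location /protected>
  AuthType openid-connect
</Location>
"""

MIN_PASSPHRASE = 32  # this checker's own threshold; the module itself does not enforce a length
REQUIRED = ("OIDCRedirectURI", "OIDCClientID", "OIDCClientSecret", "OIDCCryptoPassphrase")
MANUAL_PROVIDER = ("OIDCProviderIssuer", "OIDCProviderAuthorizationEndpoint", "OIDCProviderTokenEndpoint")


def parse(text):
    """Split Apache-style config into global and per-<Location> directives (name -> list of arg lists)."""
    top, locations, current = {}, {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        opened = re.match(r"<Location\s+(\S+)\s*>", line, re.IGNORECASE)
        if opened:
            current = opened.group(1)
            locations[current] = {}
            continue
        if line.lower() == "</location>":
            current = None
            continue
        name, *args = shlex.split(line)  # honours quoting, e.g. OIDCScope "openid email"
        target = top if current is None else locations[current]
        target.setdefault(name, []).append(args)
    return top, locations


def check(text):
    """Return a list of human-readable findings; an empty list means all checks passed."""
    top, locations = parse(text)
    findings = []

    def first(name):
        return top.get(name, [None])[0]  # argument list of the first occurrence, or None

    for name in REQUIRED:
        if name not in top:
            findings.append(f"missing {name}")
    # The provider is identified either by its discovery document or by issuer + endpoints.
    if first("OIDCProviderMetadataURL") is None and not all(d in top for d in MANUAL_PROVIDER):
        findings.append("set OIDCProviderMetadataURL or all of " + ", ".join(MANUAL_PROVIDER))
    # Metadata, issuer and endpoint URLs carry the provider's keys and tokens: insist on TLS.
    for name in ("OIDCProviderMetadataURL",) + MANUAL_PROVIDER:
        args = first(name)
        if args and not args[0].startswith("https://"):
            findings.append(f"{name} is not https")
    scope = first("OIDCScope")
    if scope is not None and "openid" not in " ".join(scope).split():
        findings.append("OIDCScope does not include openid")
    passphrase = first("OIDCCryptoPassphrase")
    if passphrase and len(passphrase[0]) < MIN_PASSPHRASE:
        findings.append(f"OIDCCryptoPassphrase shorter than {MIN_PASSPHRASE} characters")
    # A location handed to the module must also say who is allowed in.
    for path, directives in locations.items():
        auth = directives.get("AuthType", [[]])[0]
        if auth and auth[0] == "openid-connect" and "Require" not in directives:
            findings.append(f"<Location {path}> has no Require directive")
    return findings
```

Run check() on the file before reloading Apache; on the page's own snippet the only finding is the short passphrase, which is exactly the value a real deployment should replace.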

Conclusion

The mod_auth_openidc module is a straightforward way of protecting web applications deployed in the Apache web server, with the module acting as the OpenID Connect Relying Party and the Curity Identity Server as the OpenID Connect Provider. The configuration in Curity is a standard OpenID Connect client; no custom additions are needed to achieve this integration.

Resources

The mod_auth_openidc Apache module.
