art vanderlay art vanderlay - 2 months ago 22
Apache Configuration Question

mod_auth_openidc how to access user variables for use in PHP

I have

mod_auth_openidc
working on
centos7
but cannot find the documentation that references how to extract passed user information.

My logs show that the module is performing the following interrogations

oidc_authz_match_claim: evaluating key "nickname"
oidc_authz_match_claim: evaluating key "email"
oidc_authz_match_claim: evaluating key "user_id"
oidc_authz_match_claim: evaluating key "identities"
oidc_authz_match_claim: evaluating key "iat"
oidc_authz_match_claim: evaluating key "picture"
oidc_authz_match_claim: evaluating key "last_password_reset"
oidc_authz_match_claim: evaluating key "name"
oidc_authz_match_claim: evaluating key "created_at"
oidc_authz_match_claim: evaluating key "app_metadata"
oidc_authz_match_claim: evaluating key "email_verified"
oidc_authz_match_claim: evaluating key "clientID"
oidc_authz_match_claim: evaluating key "folders"


I have tried setting both of the following in httpd.conf

OIDCRemoteUserClaim email
OIDCOAuthRemoteUserClaim email


then using
<?php echo $_SESSION['REMOTE_USER']; ?>
but I am not getting any variables being returned.

thanks
Art

Answer

In the default setup the email claim is available both as an environment variable:

echo $_SERVER['OIDC_CLAIM_email']

and as an HTTP header:

$hdrs = apache_request_headers();
echo $hdrs['OIDC_CLAIM_email'];

the REMOTE_USER variable is accessible through:

$_SERVER['REMOTE_USER'];

and will be set to a globally unique identifier by default but is configurable through the OIDCRemoteUserClaim directive as you showed. A few remarks about the setup:

  1. You'll note that the HTTP headers are also available in the environment variables, with their variable names prefixed with HTTP_ and uppercased e.g.
    $_SERVER['HTTP_OIDC_CLAIM_EMAIL'];

  2. You can configure the behavior around passing claims in headers and/or environment variables through various configuration directives

  3. The variables will of course only exist if the associated claim was present in the id_token or returned from the user info endpoint

Comments