Tommy Tommy - 1 month ago 19
Apache Configuration Question

authentication for custom web application with mod_auth_openidc

I have a basic web application which runs on apache 2.2 and doesnt have any authentication. the site content is static webpage. Our small organization is currently working on implementing mod_auth_openidc for all the websites. I wanted to implement mod_auth_openidc authentication on top of basic static web application. How can i achieve it. I am newbie to apache configuration and mod_auth_openidc. I googled around for some articles to implement it but i couldnt find any. I have created a static account for my application on Oauth2 server. Can someone point me in right direction on how to enable authentication for my static web page application with mod_auth_openidc and mod_proxy configuration. Thanks in advance.

<Location />
AuthType openid-connect
Require valid-user
</Location>
OIDCProviderMetadataURL https://example.com/fss/.well-known/openid-configuration
OIDCClientID ExampleCorp_Prod_web01
OIDCClientSecret <client-secret>
OIDCRedirectURI http://<ip>/redirect_uri
OIDCScope "profile openid"
OIDCCryptoPassphrase example@3003
OIDCCookiePath /
ProxyPass / http://<ip>:8080/ nocanon
ProxyPassReverse / http://<ip>:8080/
ProxyRequests Off
AllowEncodedSlashes on
<Proxy http://<ip>:8080/*>
</Proxy>
OIDCAuthNHeader X-Forwarded-User
OIDCRemoteUserClaim sub
OIDCClaimPrefix example_
LoadModule auth_openidc_module modules/mod_auth_openidc.so

Answer

There are examples in the README on the Github project pages: https://github.com/pingidentity/mod_auth_openidc. Assuming the static webpages lives on /example, in your specific (PingFederate) example it would be something like:

OIDCProviderMetadataURL https://<pingfederate-host>:9031/.well-known/openid-configuration

OIDCClientID <client-id-as-registered-with-pingfederate>
OIDCClientSecret <client-secret-as-registered-with-pingfederate>

OIDCRedirectURI https://<your-apache-host>/example/redirect_uri/
OIDCCryptoPassphrase <password>
OIDCScope "openid email profile"

<Location /example/>
   AuthType openid-connect
   Require valid-user
</Location>

A complete working example based on the OPs environment:

Listen 80
User www
Group www
DocumentRoot /opt/local/apache2/htdocs/
ErrorLog "logs/error_log"
LogLevel info
ServerName example.org

LoadModule ssl_module modules/mod_ssl.so
LoadModule authz_user_module   modules/mod_authz_user.so
LoadModule auth_openidc_module modules/mod_auth_openidc.so

LoadModule proxy_module modules/mod_proxy.so
LoadModule proxy_http_module modules/mod_proxy_http.so

<Location />
   AuthType openid-connect
   Require valid-user
</Location>

OIDCProviderMetadataURL https://accounts.google.com/.well-known/openid-configuration
OIDCClientID myclientid
OIDCClientSecret mysecret
OIDCRedirectURI http://example.org/protected/
OIDCScope "profile openid"
OIDCCryptoPassphrase example@3003
OIDCCookiePath /

ProxyPass /  http://192.168.10.1:80/ nocanon
ProxyPassReverse / http://192.168.10.1:80/
ProxyRequests     Off
AllowEncodedSlashes on
<Proxy http://192.168.10.1:8080/*>
</Proxy>

OIDCAuthNHeader X-Forwarded-User
OIDCRemoteUserClaim sub
OIDCClaimPrefix example_