Apache OpenID Connect example
This example uses the mod_auth_openidc component on CentOS 7.
- mod_auth_openidc: Details at https://github.com/zmartzone/mod_auth_openidc
It takes users to an attributes page after login and displays the claims/values that have been passed.
As with all of these examples, it can only show you the very basics.
Goal in this example
Authenticate a user and display all the received claims on a page. In the real world you would read the claims and feed them into your authorisation / user-session management process.
Instructions
Install mod_auth_openidc
```shell
sudo yum install mod_auth_openidc
```
Configure a vhost, e.g. at /etc/httpd/conf.d/openidc.conf:
```apache
NameVirtualHost *:80
<VirtualHost *:80>
    ServerAdmin webmaster@example.com
    ServerName yourserver.net
    ServerAlias www.yourserver.net
    DocumentRoot /var/www/html/
    DirectoryIndex yourpage.html
    ErrorLog /var/log/oidc/error.log
    CustomLog /var/log/oidc/access.log combined

    OIDCProviderMetadataURL https://connect.openathens.net/.well-known/openid-configuration
    OIDCClientID YOUR_OPENATHENS_CLIENT_ID
    OIDCClientSecret YOUR_OPENATHENS_CLIENT_SECRET
    OIDCRedirectURI http://yourserver/protected/redirect_uri
    OIDCCryptoPassphrase <password>
    OIDCJWKSRefreshInterval 3600

    <Location /protected/>
        AuthType openid-connect
        Require valid-user
    </Location>
</VirtualHost>
```
There are three sections in the example above: first the general settings for your server, then the OIDC configuration directives, and finally a location for which OIDC authentication is required.
Create a target page below the /protected/ location. This example PHP page reads the server variables created by the OIDC module (every entry of $_SERVER whose name contains OIDC_) and displays them, escaping each name and value before it is written into the HTML:
```php
<!DOCTYPE html>
<html lang="en">
<head>
    <meta charset="utf-8">
    <meta http-equiv="X-UA-Compatible" content="IE=edge">
    <meta name="viewport" content="width=device-width, initial-scale=1">
    <meta name="description" content="">
    <meta name="author" content="">
    <title>OpenID Connect: Received Claims</title>
</head>
<body>
    <h3>Claims sent back from OpenID Connect via the Apache module</h3>
    <br/>
    <!-- OpenAthens attributes -->
    <?php session_start(); ?>
    <h2>Claims</h2>
    <br/>
    <div class="row">
        <table class="table" style="width:80%;" border="1">
        <?php foreach ($_SERVER as $key => $value): ?>
            <?php if (preg_match("/OIDC_/i", $key)): ?>
                <?php
                // Claim values arrive from the identity provider and are not trusted as HTML,
                // so escape both the name and the value before echoing them into the page.
                $k = htmlspecialchars($key, ENT_QUOTES, 'UTF-8');
                $v = htmlspecialchars($value, ENT_QUOTES, 'UTF-8');
                ?>
                <tr>
                    <td data-toggle="tooltip" title="<?php echo $k; ?>"><?php echo $k; ?></td>
                    <td data-toggle="tooltip" title="<?php echo $v; ?>"><?php echo $v; ?></td>
                </tr>
            <?php endif; ?>
        <?php endforeach; ?>
        </table>
    </div>
</body>
</html>
```
- Restart Apache: systemctl restart httpd
- Go to the target page in a browser.
- Get sent to an OpenAthens sign-in page.
- Sign in and get sent back to the attributes page.
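The goal section says that in the real world you would read the received claims and feed them into your authorisation process rather than just display them. The following is an added example, not code from the page or from the mod_auth_openidc project: it takes the same OIDC_* server variables the PHP page above iterates over, keeps only the claims, makes a fail-closed group-based access decision, and renders the claims with HTML escaping. It assumes the module's default claim prefix (OIDC_CLAIM_) and delimiter (","), a hypothetical multi-valued "groups" claim, and a constructed sample environment.

```python
"""Added example (not from the page or the mod_auth_openidc project): read the
OIDC_* server variables the Apache module sets, as the PHP page does, and feed
them into an authorisation decision plus a safely escaped claims listing.
Assumes defaults OIDCClaimPrefix "OIDC_CLAIM_" and OIDCClaimDelimiter ","."""
import html
from typing import Dict, List, Tuple

CLAIM_PREFIX = "OIDC_CLAIM_"  # mod_auth_openidc default OIDCClaimPrefix
CLAIM_DELIMITER = ","         # mod_auth_openidc default OIDCClaimDelimiter

# Constructed sample of the environment Apache hands a script under /protected/
SAMPLE_ENVIRON = {
    "REQUEST_URI": "/protected/claims.php",
    "REMOTE_USER": "a1b2c3d4@connect.openathens.net",
    "OIDC_CLAIM_sub": "a1b2c3d4@connect.openathens.net",
    "OIDC_CLAIM_email": "user@example.org",
    "OIDC_CLAIM_groups": "staff,library",                 # hypothetical claim
    "OIDC_CLAIM_name": "Pat <script>alert(1)</script>",   # untrusted display value
    "OIDC_access_token": "opaque-token-value",            # not a claim (no OIDC_CLAIM_ prefix)
}

def extract_claims(environ: Dict[str, str]) -> Dict[str, List[str]]:
    """Keep only OIDC_CLAIM_* entries, keyed by bare claim name and split on the delimiter."""
    claims: Dict[str, List[str]] = {}
    for key, value in environ.items():
        if key.startswith(CLAIM_PREFIX):
            name = key[len(CLAIM_PREFIX):]
            claims[name] = [part for part in value.split(CLAIM_DELIMITER) if part]
    return claims

def authorise(environ: Dict[str, str], required_group: str) -> Tuple[bool, str]:
    """Fail closed: a missing sub claim means the request never went through the module."""
    claims = extract_claims(environ)
    if not claims.get("sub"):
        return False, "no OIDC session (missing sub claim)"
    if required_group not in claims.get("groups", []):
        return False, f"{claims['sub'][0]} is not in group {required_group}"
    return True, f"{claims['sub'][0]} granted via group {required_group}"

def render_claims(environ: Dict[str, str]) -> str:
    """HTML table rows for the claims, with names and values escaped before output."""
    rows = [f"<tr><td>{html.escape(k)}</td><td>{html.escape(CLAIM_DELIMITER.join(v))}</td></tr>"
            for k, v in sorted(extract_claims(environ).items())]
    return "\n".join(rows)

if __name__ == "__main__":
    print(authorise(SAMPLE_ENVIRON, "staff"))
    print(render_claims(SAMPLE_ENVIRON))
```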