This example uses the mod_auth_openidc component on CentOS 7.

It sends users to an attributes page after login and displays the claims/values that were passed back by the identity provider.

As with all of these examples, it can only show you the very basics.

Goal in this example

Authenticate a user and display all the received claims on a page. In the real world you would read the claims and feed them into your authorisation / user-session management process.

Instructions

  1. Install mod_auth_openidc

    sudo yum install mod_auth_openidc
  2. Configure a vhost, e.g. at: /etc/httpd/conf.d/openidc.conf

    # NameVirtualHost is not needed on the Apache 2.4 shipped with CentOS 7 and only produces a startup warning
    <VirtualHost *:80>
        ServerAdmin webmaster@example.com
        ServerName yourserver.net
        ServerAlias www.yourserver.net
        DocumentRoot /var/www/html/
        DirectoryIndex yourpage.html
        # the /var/log/oidc directory must exist, or httpd will refuse to start
        ErrorLog /var/log/oidc/error.log
        CustomLog /var/log/oidc/access.log combined
    
        OIDCProviderMetadataURL https://connect.openathens.net/.well-known/openid-configuration
        OIDCClientID YOUR_OPENATHENS_CLIENT_ID
        OIDCClientSecret YOUR_OPENATHENS_CLIENT_SECRET
        # must match the redirect URI registered with OpenAthens exactly, and must sit inside the
        # protected Location below; it does not correspond to a real file
        OIDCRedirectURI http://yourserver.net/protected/redirect_uri
        # random passphrase the module uses to encrypt its state and session cookies; replace the placeholder
        OIDCCryptoPassphrase <password>
        OIDCJWKSRefreshInterval 3600
    
        <Location /protected/>
           AuthType openid-connect
           Require valid-user
        </Location>
    
    </VirtualHost>

    There are three sections in the example above: first the general bits for your server, then the OIDC configuration parts, and finally a location where OIDC is required. Note that this vhost listens on plain HTTP, so the authorization code returned to the redirect URI and the module's session cookie cross the network unencrypted; for anything beyond a local test, put the configuration in a TLS vhost and register an https redirect URI with OpenAthens.

  3. Create a target page below the /protected/ location, e.g. /var/www/html/protected/claims.php (PHP must be installed, and the file needs a .php extension so that Apache executes it rather than serving the source). This example PHP page reads the environment variables created by the OIDC module (one per claim, named OIDC_CLAIM_<claim>) and displays them. Other OIDC_ variables the module sets, the access token in particular, are not claims and are deliberately not printed:

    <?php
       // mod_auth_openidc keeps its own session cookie, so no PHP session is needed to read
       // the claims (and session_start() after output would fail with "headers already sent").
       // Collect the claims the module passed as environment variables.
       $claims = array();
       foreach ($_SERVER as $key => $value) {
          if (preg_match('/^OIDC_CLAIM_/', $key)) {
             $claims[$key] = $value;
          }
       }
       ksort($claims);
       // Claim values are chosen by the identity provider (or by whoever controls the
       // account there), not by this server, so they must be escaped before output.
       function h($s) { return htmlspecialchars($s, ENT_QUOTES, 'UTF-8'); }
    ?>
    <!DOCTYPE html>
    <html lang="en">
    
    <head>
    
       <meta charset="utf-8">
       <meta http-equiv="X-UA-Compatible" content="IE=edge">
       <meta name="viewport" content="width=device-width, initial-scale=1">
       <meta name="description" content="">
       <meta name="author" content="">
    
       <title>OpenID Connect: Received Claims</title>
    
    </head>
    
    <body>
    
             <h3>
                Claims sent back from OpenID Connect via the Apache module
             </h3>
             <br/>
    
    
       <!-- OpenAthens attributes -->
    
             <h2>Claims</h2>
             <br/>
             <div class="row">
    
                   <table class="table" style="width:80%;" border="1">
                     <?php foreach ($claims as $key => $value): ?>
                        <tr>
                           <td data-toggle="tooltip" title="<?php echo h($key); ?>"><?php echo h($key); ?></td>
                           <td data-toggle="tooltip" title="<?php echo h($value); ?>"><?php echo h($value); ?></td>
                        </tr>
                     <?php endforeach; ?>
                   </table>
             </div>
    
    </body>
    
    </html>
  4. Restart Apache: sudo systemctl restart httpd (if it fails to start, check the error log; a missing log directory or a syntax error in the vhost are the usual causes).

  5. Go to the target page in a browser.

  6. Get sent to an OpenAthens sign-in page.

  7. Sign in and get sent back to the attributes page.
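The step the goal section leaves to the reader, reading the received claims and feeding them into authorisation and session handling, as an added example that is not code from the OpenAthens page or from mod_auth_openidc. It is written in Python rather than PHP so it can be exercised without a running Apache, but the variable names are the ones the module sets (OIDC_CLAIM_<claim>, plus non-claim values such as OIDC_access_token in the same namespace), which a PHP page sees in $_SERVER and a WSGI application under mod_wsgi sees in `environ`. The expected issuer string, the `groups` claim and the allowed group names are assumptions for the example, and the sample environment is constructed, not a real OpenAthens response.

```python
import html

CLAIM_PREFIX = "OIDC_CLAIM_"
CLAIM_DELIMITER = ","   # mod_auth_openidc default (OIDCClaimDelimiter) for multi-valued claims
# Assumptions for this example: the issuer is the `issuer` value from the provider
# metadata, and the IdP releases a multi-valued `groups` claim.
EXPECTED_ISSUER = "https://connect.openathens.net"
ALLOWED_GROUPS = {"staff", "library"}


def extract_claims(environ):
    """Return {claim: value} for the OIDC_CLAIM_* variables only.

    Matching on the bare "OIDC_" prefix, as the page's original PHP loop does, would
    also pick up non-claim values the module sets, such as the access token.
    """
    return {key[len(CLAIM_PREFIX):]: value
            for key, value in environ.items() if key.startswith(CLAIM_PREFIX)}


def split_multi(value):
    """Multi-valued claims arrive as a single delimited string."""
    return [v for v in value.split(CLAIM_DELIMITER) if v]


def authorise(claims):
    """Turn the validated claims into an application session.

    Returns (session, None) when the policy is satisfied and (None, reason) otherwise.
    Signature, expiry and audience of the ID token were already checked by
    mod_auth_openidc; what remains is the application's own policy on who may get in.
    """
    sub = claims.get("sub")
    if not sub:
        return None, "no subject claim"
    if claims.get("iss") != EXPECTED_ISSUER:
        return None, "unexpected issuer"
    granted = set(split_multi(claims.get("groups", ""))) & ALLOWED_GROUPS
    if not granted:
        return None, "no permitted group"
    return {"user_id": sub, "email": claims.get("email"), "roles": sorted(granted)}, None


def render_claims_html(claims):
    """The page's claims table, with every key and value HTML-escaped."""
    rows = "".join("<tr><td>%s</td><td>%s</td></tr>" % (html.escape(k), html.escape(v))
                   for k, v in sorted(claims.items()))
    return "<table>%s</table>" % rows


def application(environ, start_response):
    """WSGI entry point for a script placed under the protected Location."""
    claims = extract_claims(environ)
    session, reason = authorise(claims)
    if session is None:
        start_response("403 Forbidden", [("Content-Type", "text/plain; charset=utf-8")])
        return [("forbidden: %s\n" % reason).encode("utf-8")]
    body = "<h2>Signed in as %s</h2>%s" % (html.escape(session["user_id"]),
                                            render_claims_html(claims))
    start_response("200 OK", [("Content-Type", "text/html; charset=utf-8")])
    return [body.encode("utf-8")]


# Constructed sample of what the module hands over after a successful login (not a
# real OpenAthens response). Note the HTML in the name claim and the access token
# sitting in the same OIDC_ namespace as the claims.
SAMPLE_ENVIRON = {
    "REQUEST_METHOD": "GET",
    "PATH_INFO": "/protected/",
    "OIDC_CLAIM_sub": "abc123",
    "OIDC_CLAIM_iss": "https://connect.openathens.net",
    "OIDC_CLAIM_email": "jane@example.org",
    "OIDC_CLAIM_name": "Jane <script>alert(1)</script>",
    "OIDC_CLAIM_groups": "staff,guest",
    "OIDC_access_token": "opaque-token-that-must-not-reach-the-page",
}

if __name__ == "__main__":
    sample_claims = extract_claims(SAMPLE_ENVIRON)
    print(authorise(sample_claims))
    print(render_claims_html(sample_claims))
```

The same group rule can be pushed down into Apache itself with mod_auth_openidc's `Require claim groups:staff` in place of `Require valid-user`; the application-level check is still worth keeping, because it is the layer that decides what the session may do once the user is in.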