-
Notifications
You must be signed in to change notification settings - Fork 326
Multiple Providers
Sample configuration for multiple OpenID Connect providers, which triggers OpenID
Connect Discovery first to find the user's OP. OIDCMetadataDir
points to a directory that contains files that contain per-provider
configuration data.
OIDCMetadataDir <somewhere-writable-for-the-apache-process>/metadata
OIDCRedirectURI https://www.example.com/example/redirect_uri/
OIDCCryptoPassphrase <password>
<Location /example/>
AuthType openid-connect
Require valid-user
</Location>
For each provider, there are 3 types of files in the directory:
-
<urlencoded-issuer-value-with-https-prefix-and-trailing-slash-stripped>.provider
contains (standardized) OpenID Connect Discovery OP JSON metadata where each name of the file is the url-encoded issuer name of the OP that is described by the metadata in that file. -
<urlencoded-issuer-value-with-https-prefix-and-trailing-slash-stripped>.client
contains statically configured or dynamically registered Dynamic Client Registration specific JSON metadata (based on the OpenID Connect Client Registration specification) and the filename is the url-encoded issuer name of the OP that this client is registered with. Sample client metadata for issuerhttps://localhost:9031
, so the client metadata filename islocalhost%3A9031.client
:{ "client_id" : "ac_oic_client", "client_secret" : "abc123DEFghijklmnop4567rstuvwxyzZYXWUT8910SRQPOnmlijhoauthplaygroundapplication" }
-
<urlencoded-issuer-value-with-https-prefix-and-trailing-slash-stripped>.conf
contains mod_auth_openidc specific custom JSON metadata that can be used to overrule some of the settings defined inauth_openidc.conf
on a per-client basis. The filename is the URL-encoded issuer name of the OP that this client is registered with.
The .conf
file is used to configure OP specific behavior that overrules generic configuration primitives.
Entries that can be included in the .conf
file are:
-
ssl_validate_server
Overrides
OIDCSSLValidateServer
(value 0 or 1, On/Off or boolean). -
scope
Overrides
OIDCScope
. -
response_type
Overrides
OIDCResponseType
. -
response_mode
Overrides
OIDCResponseMode
. -
pkce_method
Overrides
OIDCPKCEMethod
. -
client_name
Overrides
OIDCClientName
. -
client_contact
Overrides
OIDCClientContact
. -
idtoken_iat_slack
Overrides
OIDCIDTokenIatSlack
. -
session_max_duration
Overrides
OIDCSessionMaxDuration
. -
jwks_refresh_interval
Overrides
OIDCJWKSRefreshInterval
. -
client_jwks_uri
Overrides
OIDCClientJwksUri
. -
id_token_signed_response_alg
Overrides
OIDCIDTokenSignedResponseAlg
. -
id_token_encrypted_response_alg
Overrides
OIDCIDTokenEncryptedResponseAlg
. -
id_token_encrypted_response_enc
Overrides
OIDCIDTokenEncryptedResponseEnc
. -
userinfo_signed_response_alg
Overrides
OIDCUserInfoSignedResponseAlg
. -
userinfo_encrypted_response_alg
Overrides
OIDCUserInfoEncryptedResponseAlg
. -
userinfo_encrypted_response_enc
Overrides
OIDCUserInfoEncryptedResponseEnc
. -
auth_request_params
Overrides
OIDCAuthRequestParams
. -
token_endpoint_params
Overrides
OIDCProviderTokenEndpointParams
. -
token_endpoint_auth
Overrides
OIDCProviderTokenEndpointAuth
. -
registration_endpoint_json
Overrides
OIDCProviderRegistrationEndpointJson
. -
userinfo_refresh_interval
Overrides
OIDCUserInfoRefreshInterval
. -
userinfo_token_method
Overrides
OIDCUserInfoTokenMethod
. -
request_object
Overrides
OIDCRequestObject
. -
auth_request_method
Overrides
OIDCProviderAuthRequestMethod
. -
registration_token
(only in multi-provider setups)
An access_token that will be used on client registration calls for the associated OP.
-
issuer_specific_redirect_uri
(only in multi-provider setups)
Indicates whether an issuer specific redirect URI will be used to mitigate the IDP mixup attack; see https://github.com/pingidentity/mod_auth_openidc/issues/291; when enabled, a query parameter "iss" will be added dynamically to the redirect URI with the value of the url-encoded issuer identifier (boolean) [since version 2.3.2rc6).
-
keys
(only in multi-provider setups, since version 2.4.0)
A set of JWKs that is used to sign, encrypt and decrypt tokens exchanged with the OpenID Connect Provider. See RFC 7517 for syntax and examples.
Below is sample client metadata for issuer https://localhost:9031
, so the mod_auth_openidc
configuration filename is localhost%3A9031.conf
:
{
"ssl_validate_server" : 0,
"scope" : "openid email profile"
}
If you do not want to use the internal discovery page (you really shouldn't...), you
can have the user being redirected to an external discovery page by setting
OIDCDiscoverURL
. That URL will be accessed with a number parameters: oidc_callback
, target_link_uri
,
method
and x_csrf
. All parameters (except oidc_callback
) need to be returned to the oidc_callback
URL
together with an iss
parameter that contains the URL-encoded issuer value of the selected Provider, or a
URL-encoded account name for OpenID Connect Discovery purposes (aka. e-mail style identifier), or a domain name.
Sample callback:
<oidc_callback>?target_link_uri=<target_link_uri>&iss=[<issuer>|<domain>|<e-mail-style-account-name>][&login_hint=<name>][&scopes=<space-separated-scopes>][&auth_request_params=<urlencoded-query-string>]
This is also the OpenID Connect specified way of triggering 3rd party initiated SSO to a specific provider when multiple OPs have been configured. In that case the callback may also contain a "login_hint" parameter with the login identifier the user might use to log in.
An additional mod_auth_openidc specific parameter named auth_request_params
may also be passed
in, see the Wiki
for its usage.
If you need to restrict certain Locations to a single provider and you want to skip the Discovery page for those locations, immediately redirecting the the appropriate Provider, see: https://github.com/zmartzone/mod_auth_openidc/wiki/Authorization#3-access-to-different-url-paths-on-a-per-provider-basis