OIDC configuration for Apache
If your website or application is hosted on an Apache web server, there are several options for configuring it with OIDC behind CERN SSO:
- For Apache-based web applications that are behind the SSO, you may consider the CERNSSO Apache module
- If you are already using the "apache" puppet module, you can simply include the mod_auth_openidc sub-module in your manifest:
    include ::apache::mod::auth_openidc
Configuration:
- To configure OIDC, you need to define the following in your configuration files or puppet code:
    OIDCProviderMetadataURL https://auth.cern.ch/auth/realms/cern/.well-known/openid-configuration
    OIDCRedirectURI https://myserver.cern.ch/myapp/redirect_uri
    OIDCClientID myclientid
    OIDCClientSecret myclientsecret
    OIDCCryptoPassphrase mycryptopassphrase
    OIDCProviderTokenEndpointAuth client_secret_basic
    OIDCRemoteUserClaim email
- NB: If you do this with Puppet, please use tbag/teigi for your secrets! You may also wish to change some of these parameters depending on your application.
- If you have a more complex web application that mixes public and private pages, you can use the Location directive to protect individual pages, e.g.
    <Location /private/>
        AuthType openid-connect
        Require claim cern_roles:admin
    </Location>
- If you want your web application to accept not only standard SSO browser-based logins but also OIDC tokens, then you need to configure it as an OAuth 2.0 Resource Server. Ideally this should be done with a separate module, mod_oauth2 (however, it is not covered by this documentation). The alternative is to use a deprecated feature of the mod_auth_openidc module, adding the following to your configuration (as explained in the docs):
    OIDCOAuthServerMetadataURL https://auth.cern.ch/auth/realms/cern/.well-known/openid-configuration
    OIDCOAuthVerifyJwksUri https://auth.cern.ch/auth/realms/cern/protocol/openid-connect/certs
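As an added example (not part of this documentation or of the mod_auth_openidc project), the following virtual host puts the pieces above together in one file: the relying-party directives, a public area, the /private/ location restricted by claim, and an /api/ area that accepts both an SSO browser session and a bearer token using the deprecated resource-server directives. The hostname, redirect URI and the cern_roles:admin claim are taken from this page; the certificate paths, the /var/www/myapp document root and the /api/ path are assumptions, and myclientid, myclientsecret and mycryptopassphrase are placeholders that should come from tbag/teigi in a real deployment.

```apache
# Added example: one virtual host combining the directives from this page.
# Certificate paths, DocumentRoot and the /api/ location are assumed; the
# client id, client secret and crypto passphrase are placeholders only.
<VirtualHost *:443>
    ServerName myserver.cern.ch
    SSLEngine on
    SSLCertificateFile    /etc/pki/tls/certs/myserver.cern.ch.crt
    SSLCertificateKeyFile /etc/pki/tls/private/myserver.cern.ch.key

    # Relying-party settings (as listed on this page)
    OIDCProviderMetadataURL https://auth.cern.ch/auth/realms/cern/.well-known/openid-configuration
    OIDCRedirectURI         https://myserver.cern.ch/myapp/redirect_uri
    OIDCClientID            myclientid
    OIDCClientSecret        myclientsecret
    OIDCCryptoPassphrase    mycryptopassphrase
    OIDCProviderTokenEndpointAuth client_secret_basic
    # REMOTE_USER will carry the "email" claim of the logged-in user
    OIDCRemoteUserClaim     email

    # Deprecated mod_auth_openidc resource-server settings (as listed on this page)
    OIDCOAuthServerMetadataURL https://auth.cern.ch/auth/realms/cern/.well-known/openid-configuration
    OIDCOAuthVerifyJwksUri     https://auth.cern.ch/auth/realms/cern/protocol/openid-connect/certs

    DocumentRoot /var/www/myapp

    # Public pages: no authentication required.
    <Location />
        Require all granted
    </Location>

    # The redirect URI must be handled by mod_auth_openidc itself, so it has to
    # sit inside a Location protected by the module and must not map to a real file.
    <Location /myapp/redirect_uri>
        AuthType openid-connect
        Require valid-user
    </Location>

    # Browser-only private area, limited to users holding the admin role.
    <Location /private/>
        AuthType openid-connect
        Require claim cern_roles:admin
    </Location>

    # Mixed area: an SSO browser session or an OAuth 2.0 bearer token is accepted.
    <Location /api/>
        AuthType auth-openidc
        Require valid-user
    </Location>
</VirtualHost>
```

Two checks are worth doing after adapting this: run `apachectl configtest` so a typo in a directive name is caught before a reload, and confirm that the path in OIDCRedirectURI falls under a Location with AuthType openid-connect, since otherwise the login round-trip from auth.cern.ch never reaches the module. AuthType auth-openidc is the mod_auth_openidc value that enables both browser sessions and bearer tokens on the same location; if you move to mod_oauth2 as recommended above, the /api/ block and the two OIDCOAuth* directives are what you replace.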