OpenID Connect (OIDC) with Apache

A knowledge base article about OpenID Connect (OIDC) with Apache provided by the UC Berkeley IT Service Hub - Knowledge Portal

Background


The Apache HTTP server can be configured to integrate with CalNet SSO. This is a convenient way to secure applications that have no built-in support for SSO protocols: Apache handles the login and only passes already-authenticated requests to the application. The mod_auth_openidc authentication and authorization module is a modern, standards-based Apache module that implements the OIDC Relying Party (client) role.

mod_auth_openidc is recommended over both mod_auth_cas and mod_auth_mellon because it is standards-based and generally easier to configure.

Example Configuration


These are the high-level steps for configuring mod_auth_openidc for Apache, each with a simple working configuration fragment.

  1. Submit an SSO service request for OIDC with the CalNet team.
  2. Once you have the ClientID and ClientSecret add mod_auth_openidc to your Apache configuration.
  3. Use the Berkeley OIDC OP metadata download URL for either test or production.

    # use auth-test for non-prod / QA systems
    OIDCProviderMetadataURL https://auth-test.berkeley.edu/cas/oidc/.well-known/openid-configuration
    
    # use auth.berkeley.edu for production systems or if you do not have non-prod / QA
    OIDCProviderMetadataURL https://auth.berkeley.edu/cas/oidc/.well-known/openid-configuration
  4. Add your application's redirect URI exactly as it was registered with CalNet (scheme, host and path must match).

    # The /redirect_uri path is answered by the mod_auth_openidc module itself; do not
    # serve anything from it in your application.
    OIDCRedirectURI https://${YOUR_SERVER_FQDN}/redirect_uri
  5. Add the secrets provided by the CalNet team. Treat the client secret and the passphrase like any other credential: keep the file they live in readable only by root.

    OIDCClientID ${YOUR_OIDC_CLIENT_ID}
    OIDCClientSecret ${YOUR_OIDC_CLIENT_SECRET}
    
    # A unique, strong, random passphrase generated by you; the module uses it to
    # encrypt its state and session cookies.  It must be identical on every server
    # that handles the same sessions (for example, all nodes behind a load balancer).
    OIDCCryptoPassphrase ${A_VERY_STRONG_AND_RANDOM_PASSPHRASE_HERE}
  6. Request the OIDC scopes for the attributes you need; the openid scope is required. Also require PKCE (S256) so that an intercepted authorization code cannot be redeemed without the verifier held by this server.

    OIDCScope "openid profile"
    OIDCPKCEMethod S256
  7. At a minimum, protect the callback path given in OIDCRedirectURI above. The module only processes the callback when the path is inside a location it is responsible for.

    # OIDCRedirectURI points to /redirect_uri, so this location block handles the
    # callback.  The path does not need to exist on disk; the module answers it.
    <Location "/redirect_uri">
        AuthType openid-connect
        Require valid-user
    </Location>


Protecting your application


The following examples make Apache redirect unauthenticated users to CalNet and serve the location only after a successful login. After login the module sets REMOTE_USER and passes the ID token claims to the application as OIDC_CLAIM_* environment variables and request headers (see the OIDCPassClaimsAs directive), so the application itself never handles credentials.

Protect the entire site

<Location />
    AuthType openid-connect
    Require valid-user
</Location>

Protect a specific location and require group membership

The tilde (~) makes the comparison a regular-expression match against the claim value, so any group whose name begins with the given prefix satisfies it.

<Location "/example">
    AuthType openid-connect
    Require claim "group~cn=edu:berkeley:official:employees:staff:professional.*$"
</Location>
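The fragments in steps 3 to 7 and the two protection patterns above are meant to be combined in one virtual host. The following complete configuration is an added example, not part of the original article or of the mod_auth_openidc project; the hostname app.example.berkeley.edu, the certificate paths, the secrets file path and the session timeouts are assumptions chosen for illustration and must be replaced with your own values.

```apacheconf
# Added example (not from the original article): one complete TLS virtual host
# that ties steps 3-7 and both protection patterns together.
# Assumed values: hostname, certificate paths, secrets file path, timeouts.
LoadModule auth_openidc_module modules/mod_auth_openidc.so

<VirtualHost *:443>
    ServerName app.example.berkeley.edu
    SSLEngine on
    SSLCertificateFile    /etc/pki/tls/certs/app.example.berkeley.edu.crt
    SSLCertificateKeyFile /etc/pki/tls/private/app.example.berkeley.edu.key

    # Step 3: discover the OP endpoints from its metadata (auth-test for non-prod;
    # switch to auth.berkeley.edu for production).
    OIDCProviderMetadataURL https://auth-test.berkeley.edu/cas/oidc/.well-known/openid-configuration
    OIDCSSLValidateServer On

    # Step 4: must match the redirect URI registered with CalNet exactly.
    # This path is served by mod_auth_openidc itself; the application must not use it.
    OIDCRedirectURI https://app.example.berkeley.edu/redirect_uri

    # Step 5: client credentials and the cookie passphrase live in a separate file
    # (assumed path; create it mode 0600, owned by root) containing:
    #   OIDCClientID ...
    #   OIDCClientSecret ...
    #   OIDCCryptoPassphrase ...   (for example the output of: openssl rand -base64 48)
    Include /etc/httpd/conf.d/oidc-secrets.conf

    # Step 6: scopes (openid is mandatory) and PKCE with S256.
    OIDCScope "openid profile"
    OIDCPKCEMethod S256
    OIDCResponseType code

    # Session hygiene, set explicitly rather than relying on module defaults
    # (values are assumptions): idle timeout and absolute maximum in seconds.
    OIDCSessionInactivityTimeout 1800
    OIDCSessionMaxDuration 28800
    OIDCCookieHTTPOnly On
    OIDCCookieSameSite On

    # Step 7: the callback path must be under the module's control.
    <Location "/redirect_uri">
        AuthType openid-connect
        Require valid-user
    </Location>

    # Protect the entire site: any authenticated CalNet user may proceed.
    <Location "/">
        AuthType openid-connect
        Require valid-user
    </Location>

    # /example is additionally restricted to members of the professional-staff
    # group; "~" makes the claim comparison a regular-expression match.
    <Location "/example">
        AuthType openid-connect
        Require claim "group~cn=edu:berkeley:official:employees:staff:professional.*$"
    </Location>
</VirtualHost>
```

Before reloading, run apachectl configtest so that a missing secrets file or a typo in a directive fails loudly rather than leaving a location unprotected. When more than one server shares sessions behind a load balancer, the secrets file (and in particular OIDCCryptoPassphrase) must be identical on every node, otherwise cookies issued by one node are rejected by the others.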