Geekzone: technology news, blogs, forums
Aaroona
3204 posts, Uber Geek, +1 received by user: 169
#302483 26-Nov-2022 21:04

I have been playing with Keycloak and integrating OIDC into Apache to protect some parts of a test website. Mainly a learning activity more than anything else.

Everything was going fairly well - I have managed to get OIDC auth set up for specific subdirectories on a website; it redirects and allows me to log in. Then I can use PHP to access the $_SERVER[OIDC*] claims passed back to a page beneath that directory (or another protected directory that also has OIDC configured).

There are two parts that have me confused though.

  1. How can I access the OIDC claims for a part of the website that is not using the <location> Require valid-user </location>?
     • The use case here is wanting to allow www.example.com to be accessible without auth, but then, if you are authenticated, I can access the OIDC claims to display specific content to you in pages written in PHP.
     • If I auth to example.com/subdirectory/, which is protected by OIDC auth only (no anonymous login), I am forced to log in.
     • If I then browse to example.com/, I cannot access the OIDC information.
  2. What exactly is the redirect_uri for? What should it be set to? I can't seem to find a succinct answer to this question.

Anyone have any ideas? This stuff is reasonably fresh to me.

Aaroona
3204 posts, Uber Geek, +1 received by user: 169
#3001836 26-Nov-2022 22:00

In typical fashion, despite having tried to work it out before I posted... I found the answer to question 1.

There is a specific option I need to declare in my <location> block - OIDCUnAuthAction. This Google Groups page here pointed me in the right direction.

For my mixed-auth content, where I want to allow anonymous as well as authenticated users, I need to use "OIDCUnAuthAction pass". Then for my login location, or explicitly protected content/locations, I specify "OIDCUnAuthAction auth", which forces a login via OIDC. Once I am authenticated, my OIDC claims are passed through to be used, so I can display different content for an authenticated user.

<Location />
  AuthType openid-connect
  Require valid-user
  OIDCUnAuthAction pass
</Location>

<Location /login>
  AuthType openid-connect
  Require valid-user
  OIDCUnAuthAction auth
</Location>
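One way to consume the claims from PHP under the mixed-auth "<Location />" above, as an added example that is not part of the original post. It assumes mod_auth_openidc is passing claims as environment variables (OIDCPassClaimsAs set to environment or both), which PHP exposes through $_SERVER under the OIDC_CLAIM_ prefix, and that /login is the protected location from the config above; the claim names used (sub, preferred_username, email) are standard OIDC claims assumed to be released by the Keycloak realm, and the page itself is illustrative.

```php
<?php
// Added example (not from the thread): reading mod_auth_openidc claims in PHP
// behind a "<Location />" that uses "OIDCUnAuthAction pass". Under "pass" an
// anonymous visitor reaches this page too, so the OIDC_CLAIM_* entries are
// simply absent from $_SERVER and every read has to tolerate that.
declare(strict_types=1);

/**
 * Collect the claims mod_auth_openidc exported for this request.
 * The module exports them as environment variables named OIDC_CLAIM_<claim>
 * (assumed: OIDCPassClaimsAs environment or both), which PHP surfaces in
 * $_SERVER with the claim name's case preserved. Request headers, by contrast,
 * show up in PHP as HTTP_*, so reading the environment form keeps module-set
 * values apart from anything a client could send in a header.
 * Returns an empty array for an unauthenticated (passed-through) request.
 */
function oidcClaims(array $server): array
{
    $claims = [];
    foreach ($server as $key => $value) {
        if (is_string($key) && strncmp($key, 'OIDC_CLAIM_', 11) === 0) {
            $claims[substr($key, 11)] = (string) $value;
        }
    }
    return $claims;
}

/**
 * A request counts as authenticated only when the module exported a subject
 * claim; under "OIDCUnAuthAction pass" it is legitimately missing otherwise.
 */
function isAuthenticated(array $claims): bool
{
    return isset($claims['sub']) && $claims['sub'] !== '';
}

/** Escape a claim value before it is placed in HTML. */
function h(string $text): string
{
    return htmlspecialchars($text, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

$claims = oidcClaims($_SERVER);

if (isAuthenticated($claims)) {
    // The values were set by Apache from a token the module already validated,
    // so they are trustworthy as identity data; they are still user-controlled
    // strings as far as the HTML output is concerned, hence the escaping.
    // preferred_username is a Keycloak default; fall back to the stable "sub".
    $name  = h($claims['preferred_username'] ?? $claims['sub']);
    $email = isset($claims['email']) ? h($claims['email']) : '';
    echo '<p>Signed in as ' . $name . ($email !== '' ? " ({$email})" : '') . '</p>';
} else {
    // Anonymous visitor: point at the location whose OIDCUnAuthAction is
    // "auth", which makes the module start the OIDC login.
    echo '<p>You are browsing anonymously. <a href="/login">Sign in</a></p>';
}
```

Because every claim lookup goes through oidcClaims() and isAuthenticated(), a page under the passed-through location never has to guess whether a given $_SERVER key exists, and the same two helpers work unchanged on a page under /login, where the claims are always present.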

marpada
487 posts, Ultimate Geek, +1 received by user: 182
#3002003 27-Nov-2022 11:37

Aaroona:
  • What exactly is the redirect_uri for? What should it be set to? I can't seem to find a succinct answer to this question.

If I understand correctly, that URL is the callback. The user is redirected to it after a successful authentication so your site can validate the access token. According to the README:

# OIDCRedirectURI is a vanity URL that must point to a path protected by this module but must NOT point to any content