Configuring OIDC with Apache and PHP using mod_auth_openidc... questions.
#302483 26-Nov-2022 21:04
I have been playing with Keycloak and integration OIDC into apache to protect some parts of a test website. Mainly a learning activity more than anything else.

Everything was going fairly well - I have managed to get OIDC auth set up for specific subdirectories on a website; it redirects and allows me to log in. Then I can use PHP to access the $_SERVER[OIDC*] claims passed back to a page beneath that directory (or another protected directory that also has OIDC configured).

There are two parts that have me confused though.

  1. How can I access the OIDC claims for a part of the website that is not using the <location> Require valid-user </location>?
     • The use case here is wanting to allow www.example.com to be accessible without auth, but then if you are authenticated, I can access the OIDC claims to display specific content to you in pages written in PHP.
     • If I auth to example.com/subdirectory/, which is protected by OIDC auth only (no anonymous login), I am forced to log in.
     • If I then browse to example.com/, I cannot access the OIDC information.
  2. What exactly is the redirect_uri for? What should it be set to? I can't seem to find a succinct answer to this question.

Anyone have any ideas? This stuff is reasonably fresh to me.

#3001836 26-Nov-2022 22:00
In typical fashion, despite having tried to work it out before I posted... I found the answer to question 1.

There is a specific option I need to declare in my <location> block - OIDCUnAuthAction. This Google Groups page here pointed me in the right direction.

For my mixed auth content, where I want to allow anonymous as well as authenticated users, I need to use "OIDCUnAuthAction pass". Then for my login location, or explicitly protected content/locations, I specify "OIDCUnAuthAction auth", which forces a login via OIDC. Once I am authenticated, my OIDC claims are passed through to be used, so I can display different content for an authenticated user.

<Location />
  AuthType openid-connect
  Require valid-user
  OIDCUnAuthAction pass
</Location>

<Location /login>
  AuthType openid-connect
  Require valid-user
  OIDCUnAuthAction auth
</Location>
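As an added example (not code from the original post), here is a PHP page served under the "OIDCUnAuthAction pass" location above: it renders for anonymous visitors and, when a mod_auth_openidc session exists, reads the claims the module exports as OIDC_CLAIM_<name> environment variables (the module's default OIDCClaimPrefix). The claim names sub, name and email and the /login path are assumptions for illustration.

```php
<?php
// Added example, not from the original post: a page served under the
// "<Location />" block that uses "OIDCUnAuthAction pass". Anonymous
// visitors reach it without a login; when a mod_auth_openidc session
// exists, the claims arrive as environment variables named
// OIDC_CLAIM_<claim> (the module's default OIDCClaimPrefix).
// The claim names and the /login path are assumptions for illustration.
declare(strict_types=1);

const CLAIM_PREFIX = 'OIDC_CLAIM_';
const LOGIN_PATH   = '/login'; // the "OIDCUnAuthAction auth" location

/** Collect the module's claim variables, keyed by claim name. */
function oidcClaims(array $server): array
{
    $claims = [];
    foreach ($server as $key => $value) {
        // Only the environment-variable form is read: it is written by
        // the module itself. HTTP_OIDC_CLAIM_* entries in $_SERVER are
        // derived from request headers and are deliberately ignored.
        if (is_string($value) && strncmp($key, CLAIM_PREFIX, strlen(CLAIM_PREFIX)) === 0) {
            $claims[substr($key, strlen(CLAIM_PREFIX))] = $value;
        }
    }
    return $claims;
}

$claims = oidcClaims($_SERVER);
// "sub" is the subject identifier; its presence means a valid session.
$authenticated = isset($claims['sub']) && $claims['sub'] !== '';
$e = static fn(string $s): string => htmlspecialchars($s, ENT_QUOTES, 'UTF-8');
?>
<!DOCTYPE html>
<html lang="en"><body>
<?php if ($authenticated): ?>
  <p>Signed in as <?= $e($claims['name'] ?? $claims['email'] ?? $claims['sub']) ?>.</p>
  <ul>
  <?php foreach ($claims as $name => $value): ?>
    <li><?= $e((string) $name) ?>: <?= $e($value) ?></li>
  <?php endforeach; ?>
  </ul>
<?php else: ?>
  <p>You are browsing anonymously.
     <a href="<?= $e(LOGIN_PATH) ?>">Sign in</a> to see personalised content.</p>
<?php endif; ?>
</body></html>
```

Multi-valued claims are delivered by the module as a single delimited string (OIDCClaimDelimiter, comma by default), so split them in PHP if you need the individual values.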