Difference between revisions of "OC5:Apache mod auth openidc"

From OSIS Open Source Identity Systems
Jump to: navigation, search
(Added Apache mod_oidc)
 
(Apache mod_oidc)
Line 4: Line 4:
 
   |name              = Apache mod_oidc
 
   |name              = Apache mod_oidc
 
   |identifier        = modoidc
 
   |identifier        = modoidc
   |summary          = OpenID Connect authentication/authorization module for Apache 2.x. mod_oidc is an Apache authentication/authorization module that allows an Apache server to operate as an OpenID Connect Relying Party, i.e. requires users to authenticate to the Apache hosted content through an external OpenID Connect Identity Provider using the OpenID Connect Basic Client profile (cq. a backchannel flow aka. "code" flow).
+
   |summary          =  mod_oidc is an Apache authentication/authorization module that allows an Apache server to operate as an OpenID Connect Relying Party.
 +
 
 +
It requires users to authenticate at an external OpenID Connect Identity Provider using the OpenID Connect Basic Client profile.
 +
 
 +
It sets the REMOTE_USER variable to the id_token sub claim, other id_token claims are passed in HTTP headers, together with those (optionally) obtained from the user info endpoint
 +
 
 +
It allows for authorization rules (based on Requires primitive) that can do matching against the set of claims provided in the id_token/userinfo.
 +
 
 +
It supports multiple OpenID Connect Providers by reading provider metadata files from a metadata directory.  
 +
 
 +
It supports OpenID Connect Dynamic Client Registration and OpenID Provider Discovery through account names.
 
   |homepage          =  
 
   |homepage          =  
   |instructions      = Run "make install" from the top level directory to leverage the Apache "apxs" tool to compile and install the module in your Apache environment. Sample config for Google Apps: LoadModule oidc_module modules/mod_oidc.so    OIDCClientID <your-client-id-administered-through-the-google-api-console>    OIDCClientSecret <your-client-secret-administered-through-the-google-api-console>    OIDCIssuer accounts.google.com    OIDCAuthorizationEndpoint https://accounts.google.com/o/oauth2/auth?hd=<your-domain>&approval_prompt=force    OIDCRedirectURI https://localhost/example OIDCTokenEndpoint https://accounts.google.com/o/oauth2/token    OIDCCryptoPassphrase <some-generated-password> OIDCUserInfoEndpoint https://www.googleapis.com/oauth2/v3/userinfo    OIDCScope "openid email profile"        <Location /example/>        Authtype openid-connect        require valid-user    </Location>
+
   |instructions      = Checkout the code from: https://code.google.com/p/pingfederate/source/checkout
  |latestversion    =
+
 
 +
Run "make install" from the top level directory to leverage the Apache "apxs" tool to compile and install the module in your Apache environment.
 +
 
 +
Configure it following the README at: https://code.google.com/p/pingfederate/source/browse/trunk/mod_oidc/README
 +
  |latestversion    = https://code.google.com/p/pingfederate/source/browse/trunk/mod_oidc/ChangeLog
 
   |latestreleasedate =  
 
   |latestreleasedate =  
 
   |solutionowner    = Hans Zandbelt
 
   |solutionowner    = Hans Zandbelt

Revision as of 07:22, 16 January 2014

{{#vardefine:DtArticleSortKey|}}

Apache mod_oidc

{{#vardefine:page|{{#if:{{#var:page}}|{{#var:page}}|Apache mod auth openidc}}}}{{#vardefine:nr|{{#if:{{#var:nr}}|{{#expr:{{#var:nr}}+1}}|1}}}}{{#vardefine:url|{{#replace:{{#var:page}}| |_}}}}{{#if:Apache mod_oidc|{{#if:{{#var:DtArticleSortKey}}||}}}}{{#ifeq:{{#var:header}}|no||

{{#ifeq:no|no||
{{#if:{{#var:refs}}|[[{{#var:page}}|no_ref's]]|[[Special:Call/DT Article show Refs,page={{#var:page}},refs=yes|ref's]]}}}} {{#if:{{#var:DtArticleSortKey}}|({{#var:DtArticleSortKey}})}}    list help  [[Special:Call/DT Article copy,cat=OC5 Solution,from={{#var:page}},namespace=OC5|copy]]  [[Special:Call/DT Articles list XML,type=OC5 Solution,title={{#var:page}},namespace=OC5|as XML]]  edit
}}
{{#if:|OC5 Solution |OC5 Solution }}   Apache mod_oidc
Identifier   bgcolor={{{color}}}}}|modoidc  
Description   bgcolor={{{color}}}}}|mod_oidc is an Apache authentication/authorization module that allows an Apache server to operate as an OpenID Connect Relying Party.

It requires users to authenticate at an external OpenID Connect Identity Provider using the OpenID Connect Basic Client profile.

It sets the REMOTE_USER variable to the id_token sub claim, other id_token claims are passed in HTTP headers, together with those (optionally) obtained from the user info endpoint

It allows for authorization rules (based on Requires primitive) that can do matching against the set of claims provided in the id_token/userinfo.

It supports multiple OpenID Connect Providers by reading provider metadata files from a metadata directory.

It supports OpenID Connect Dynamic Client Registration and OpenID Provider Discovery through account names.  

Product Page   bgcolor={{{color}}}}}| 
Project or solution logo (if different than Participant logo)   bgcolor={{{color}}}}}|
Latest Version   bgcolor={{{color}}}}}|https://code.google.com/p/pingfederate/source/browse/trunk/mod_oidc/ChangeLog  
Latest Release Date   bgcolor={{{color}}}}}| 
Installation/Operation Instructions   bgcolor={{{color}}}}}|Checkout the code from: https://code.google.com/p/pingfederate/source/checkout

Run "make install" from the top level directory to leverage the Apache "apxs" tool to compile and install the module in your Apache environment.

Configure it following the README at: https://code.google.com/p/pingfederate/source/browse/trunk/mod_oidc/README  

Operated by   bgcolor={{{color}}}}}|Hans Zandbelt
Interop Roles   bgcolor={{{color}}}}}|RP {{ #if: https://code.google.com/p/pingfederate/source/browse/#svn%2Ftrunk%2Fmod_oidc |: https://code.google.com/p/pingfederate/source/browse/#svn%2Ftrunk%2Fmod_oidc |}}  
  bgcolor={{{color}}}}}|{{ #if: |: |}}  
  bgcolor={{{color}}}}}|{{ #if: |: |}}  
  bgcolor={{{color}}}}}|{{ #if: |: |}}  

Click here for help populating this chart.

{{ #if: RP | {{#vardefine:DtArticleSortKey|}}

OC5 RP FeatureTest List

{{#vardefine:page|{{#if:{{#var:page}}|{{#var:page}}|Apache mod auth openidc}}}}{{#vardefine:nr|{{#if:{{#var:nr}}|{{#expr:{{#var:nr}}+1}}|1}}}}{{#vardefine:url|{{#replace:{{#var:page}}| |_}}}}{{#if:Apache mod_oidc|{{#if:{{#var:DtArticleSortKey}}||}}}}{{#ifeq:{{#var:header}}|no||

{{#ifeq:no|no||
{{#if:{{#var:refs}}|[[{{#var:page}}|no_ref's]]|[[Special:Call/DT Article show Refs,page={{#var:page}},refs=yes|ref's]]}}}} {{#if:{{#var:DtArticleSortKey}}|({{#var:DtArticleSortKey}})}}    list help  [[Special:Call/DT Article copy,cat=RP_FeatureTest_List,from={{#var:page}},namespace=OC5|copy]]  [[Special:Call/DT Articles list XML,type=RP_FeatureTest_List,title={{#var:page}},namespace=OC5|as XML]]  edit
}}
{{#if:|Feature Tests for |Feature Tests for }}   Apache mod_oidc
{{#if:|Relying Party Features |Relying Party Features }}    
{{#if:|Response Type & Response Mode|Response Type & Response Mode}}    
Can Make Request with code Response Type   bgcolor={{{color}}}}}|{{#dpl: |include = {OC5 Result}:outcome |title = OC5:FTR-rp-rtyp-code-x-Apache mod_oidc |noresultsheader = Not Tested }}
Can Make Request with id_token Response Type   bgcolor={{{color}}}}}|{{#dpl: |include = {OC5 Result}:outcome |title = OC5:FTR-rp-rtyp-id_token-x-Apache mod_oidc |noresultsheader = Not Tested }}
Can Make Request with id_token token Response Type   bgcolor={{{color}}}}}|{{#dpl: |include = {OC5 Result}:outcome |title = OC5:FTR-rp-rtyp-id_token-token-x-Apache mod_oidc |noresultsheader = Not Tested }}
Can Use Self-Issued OP   bgcolor={{{color}}}}}|{{#dpl: |include = {OC5 Result}:outcome |title = OC5:FTR-rp-selfissued-x-Apache mod_oidc |noresultsheader = Not Tested }}
Can Make Request with form_post Response Mode   bgcolor={{{color}}}}}|{{#dpl: |include = {OC5 Result}:outcome |title = OC5:FTR-rp-rmod-form-x-Apache mod_oidc |noresultsheader = Not Tested }}
{{#if:|ID Token|ID Token}}    
Rejects ID Token with Invalid Audience   bgcolor={{{color}}}}}|{{#dpl: |include = {OC5 Result}:outcome |title = OC5:FTR-rp-bad-aud-x-Apache mod_oidc |noresultsheader = Not Tested }}
Rejects Incorrect at_hash when Implicit Flow Used   bgcolor={{{color}}}}}|{{#dpl: |include = {OC5 Result}:outcome |title = OC5:FTR-rp-hash-badat-x-Apache mod_oidc |noresultsheader = Not Tested }}
Rejects Incorrect c_hash when Code Flow Used   bgcolor={{{color}}}}}|{{#dpl: |include = {OC5 Result}:outcome |title = OC5:FTR-rp-hash-badc-x-Apache mod_oidc |noresultsheader = Not Tested }}
Reject Invalid Asymmetric ID Token Signature   bgcolor={{{color}}}}}|{{#dpl: |include = {OC5 Result}:outcome |title = OC5:FTR-rp-bad-rs256-x-Apache mod_oidc |noresultsheader = Not Tested }}
Can Request and Use Unsecured ID Token Response   bgcolor={{{color}}}}}|{{#dpl: |include = {OC5 Result}:outcome |title = OC5:FTR-rp-idt-uns-x-Apache mod_oidc |noresultsheader = Not Tested }}
Reject Invalid Symmetric ID Token Signature   bgcolor={{{color}}}}}|{{#dpl: |include = {OC5 Result}:outcome |title = OC5:FTR-rp-bad-hs256-x-Apache mod_oidc |noresultsheader = Not Tested }}
Can Use Elliptic Curve ID Token Signatures   bgcolor={{{color}}}}}|{{#dpl: |include = {OC5 Result}:outcome |title = OC5:FTR-rp-idt-ec-x-Apache mod_oidc |noresultsheader = Not Tested }}
Can Request and Use Signed and Encrypted ID Token Response   bgcolor={{{color}}}}}|{{#dpl: |include = {OC5 Result}:outcome |title = OC5:FTR-rp-idt-signenc-x-Apache mod_oidc |noresultsheader = Not Tested }}
{{#if:|UserInfo Endpoint|UserInfo Endpoint}}    
Accesses UserInfo Endpoint with Header Method   bgcolor={{{color}}}}}|{{#dpl: |include = {OC5 Result}:outcome |title = OC5:FTR-rp-ui-hdr-x-Apache mod_oidc |noresultsheader = Not Tested }}
Does Not Access UserInfo Endpoint with Query Parameter Method   bgcolor={{{color}}}}}|{{#dpl: |include = {OC5 Result}:outcome |title = OC5:FTR-rp-ui-not-query-x-Apache mod_oidc |noresultsheader = Not Tested }}
Rejects UserInfo with Invalid Subject   bgcolor={{{color}}}}}|{{#dpl: |include = {OC5 Result}:outcome |title = OC5:FTR-rp-bad-userinfo-sub-x-Apache mod_oidc |noresultsheader = Not Tested }}
Can Request and Use Signed UserInfo Response   bgcolor={{{color}}}}}|{{#dpl: |include = {OC5 Result}:outcome |title = OC5:FTR-rp-ui-sign-x-Apache mod_oidc |noresultsheader = Not Tested }}
Can Request and Use Encrypted UserInfo Response   bgcolor={{{color}}}}}|{{#dpl: |include = {OC5 Result}:outcome |title = OC5:FTR-rp-ui-enc-x-Apache mod_oidc |noresultsheader = Not Tested }}
Can Request and Use Signed and Encrypted UserInfo Response   bgcolor={{{color}}}}}|{{#dpl: |include = {OC5 Result}:outcome |title = OC5:FTR-rp-ui-signenc-x-Apache mod_oidc |noresultsheader = Not Tested }}
{{#if:|scope Request Parameter|scope Request Parameter}}    
Requesting UserInfo Claims with scope Values   bgcolor={{{color}}}}}|{{#dpl: |include = {OC5 Result}:outcome |title = OC5:FTR-rp-scope-x-Apache mod_oidc |noresultsheader = Not Tested }}
{{#if:|Client Authentication|Client Authentication}}    
Can Make Access Token Request with client_secret_basic Authentication   bgcolor={{{color}}}}}|{{#dpl: |include = {OC5 Result}:outcome |title = OC5:FTR-rp-tok-csbasic-x-Apache mod_oidc |noresultsheader = Not Tested }}
Can Make Access Token Request with client_secret_post Authentication   bgcolor={{{color}}}}}|{{#dpl: |include = {OC5 Result}:outcome |title = OC5:FTR-rp-tok-cspost-x-Apache mod_oidc |noresultsheader = Not Tested }}
Can Make Access Token Request with private_key_jwt Authentication   bgcolor={{{color}}}}}|{{#dpl: |include = {OC5 Result}:outcome |title = OC5:FTR-rp-tok-pkjwt-x-Apache mod_oidc |noresultsheader = Not Tested }}
Can Make Access Token Request with client_secret_jwt Authentication   bgcolor={{{color}}}}}|{{#dpl: |include = {OC5 Result}:outcome |title = OC5:FTR-rp-tok-csjwt-x-Apache mod_oidc |noresultsheader = Not Tested }}
{{#if:|Discovery|Discovery}}    
Uses WebFinger Discovery   bgcolor={{{color}}}}}|{{#dpl: |include = {OC5 Result}:outcome |title = OC5:FTR-rp-discovery-x-Apache mod_oidc |noresultsheader = Not Tested }}
Can Discover Identifiers using E-Mail Syntax   bgcolor={{{color}}}}}|{{#dpl: |include = {OC5 Result}:outcome |title = OC5:FTR-rp-ids-email-x-Apache mod_oidc |noresultsheader = Not Tested }}
Can Discover Identifiers using URL Syntax   bgcolor={{{color}}}}}|{{#dpl: |include = {OC5 Result}:outcome |title = OC5:FTR-rp-ids-url-x-Apache mod_oidc |noresultsheader = Not Tested }}
Uses openid-configuration Discovery Information   bgcolor={{{color}}}}}|{{#dpl: |include = {OC5 Result}:outcome |title = OC5:FTR-rp-disc-config-x-Apache mod_oidc |noresultsheader = Not Tested }}
Rejects Discovered issuer Not Matching openid-configuration Path Prefix   bgcolor={{{color}}}}}|{{#dpl: |include = {OC5 Result}:outcome |title = OC5:FTR-rp-bad-disc-issuer-x-Apache mod_oidc |noresultsheader = Not Tested }}
Rejects ID Token with iss Not Matching Discovered issuer   bgcolor={{{color}}}}}|{{#dpl: |include = {OC5 Result}:outcome |title = OC5:FTR-rp-bad-iss-issuer-x-Apache mod_oidc |noresultsheader = Not Tested }}
Uses Keys Discovered with jwks_uri Value   bgcolor={{{color}}}}}|{{#dpl: |include = {OC5 Result}:outcome |title = OC5:FTR-rp-keys-jwks_uri-x-Apache mod_oidc |noresultsheader = Not Tested }}
{{#if:|Dynamic Client Registration|Dynamic Client Registration}}    
Uses Dynamic Registration   bgcolor={{{color}}}}}|{{#dpl: |include = {OC5 Result}:outcome |title = OC5:FTR-rp-registration-x-Apache mod_oidc |noresultsheader = Not Tested }}
{{#if:|Key Rollover|Key Rollover}}    
Support OP Signing Key Rollover   bgcolor={{{color}}}}}|{{#dpl: |include = {OC5 Result}:outcome |title = OC5:FTR-rp-roll-op-sig-x-Apache mod_oidc |noresultsheader = Not Tested }}
Can Rollover RP Signing Key   bgcolor={{{color}}}}}|{{#dpl: |include = {OC5 Result}:outcome |title = OC5:FTR-rp-roll-rp-sig-x-Apache mod_oidc |noresultsheader = Not Tested }}
Support OP Encryption Key Rollover   bgcolor={{{color}}}}}|{{#dpl: |include = {OC5 Result}:outcome |title = OC5:FTR-rp-roll-op-enc-x-Apache mod_oidc |noresultsheader = Not Tested }}
Can Rollover RP Encryption Key   bgcolor={{{color}}}}}|{{#dpl: |include = {OC5 Result}:outcome |title = OC5:FTR-rp-roll-rp-enc-x-Apache mod_oidc |noresultsheader = Not Tested }}
{{#if:|request_uri Request Parameter|request_uri Request Parameter}}    
Can Use request_uri Request Parameter with Unsecured Request   bgcolor={{{color}}}}}|{{#dpl: |include = {OC5 Result}:outcome |title = OC5:FTR-rp-ruri-uns-x-Apache mod_oidc |noresultsheader = Not Tested }}
Can Use request_uri Request Parameter with Signed Request   bgcolor={{{color}}}}}|{{#dpl: |include = {OC5 Result}:outcome |title = OC5:FTR-rp-ruri-sig-x-Apache mod_oidc |noresultsheader = Not Tested }}
Can Use request_uri Request Parameter with Encrypted Request   bgcolor={{{color}}}}}|{{#dpl: |include = {OC5 Result}:outcome |title = OC5:FTR-rp-ruri-enc-x-Apache mod_oidc |noresultsheader = Not Tested }}
Can Use request_uri Request Parameter with Signed and Encrypted Request   bgcolor={{{color}}}}}|{{#dpl: |include = {OC5 Result}:outcome |title = OC5:FTR-rp-ruri-sigenc-x-Apache mod_oidc |noresultsheader = Not Tested }}
{{#if:|claims Request Parameter|claims Request Parameter}}    
Requesting UserInfo Claims with claims Request Parameter   bgcolor={{{color}}}}}|{{#dpl: |include = {OC5 Result}:outcome |title = OC5:FTR-rp-reqobj-x-Apache mod_oidc |noresultsheader = Not Tested }}
Can Request and Use Claims in id_token   bgcolor={{{color}}}}}|{{#dpl: |include = {OC5 Result}:outcome |title = OC5:FTR-rp-clm-idt-x-Apache mod_oidc |noresultsheader = Not Tested }}
{{#if:|Third Party Initiated Login|Third Party Initiated Login}}    
Support Third-Party Initiated Login   bgcolor={{{color}}}}}|{{#dpl: |include = {OC5 Result}:outcome |title = OC5:FTR-rp-3rd-login-x-Apache mod_oidc |noresultsheader = Not Tested }}
{{#if:|Claim Types|Claim Types}}    
Uses Aggregated Claims   bgcolor={{{color}}}}}|{{#dpl: |include = {OC5 Result}:outcome |title = OC5:FTR-rp-clm-aggreg-x-Apache mod_oidc |noresultsheader = Not Tested }}
Uses Distributed Claims   bgcolor={{{color}}}}}|{{#dpl: |include = {OC5 Result}:outcome |title = OC5:FTR-rp-clm-dist-x-Apache mod_oidc |noresultsheader = Not Tested }}
{{#if:|Session Management|Session Management}}    
Logout Initiated by RP   bgcolor={{{color}}}}}|{{#dpl: |include = {OC5 Result}:outcome |title = OC5:FTR-rp-logout-init-x-Apache mod_oidc |noresultsheader = Not Tested }}
Logout Received by RP   bgcolor={{{color}}}}}|{{#dpl: |include = {OC5 Result}:outcome |title = OC5:FTR-rp-logout-received-x-Apache mod_oidc |noresultsheader = Not Tested }}
State Change Other than Logout Received by RP   bgcolor={{{color}}}}}|{{#dpl: |include = {OC5 Result}:outcome |title = OC5:FTR-rp-change-received-x-Apache mod_oidc |noresultsheader = Not Tested }}


|

}}

{{ #if: | {{#vardefine:DtArticleSortKey|}}

OC5 FeatureTest List

Template:OC5 FeatureTest List | }}

{{ #if: | {{#vardefine:DtArticleSortKey|}}

OC5 FeatureTest List

Template:OC5 FeatureTest List | }}


{{ #if: | {{#vardefine:DtArticleSortKey|}}

OC5 Feature Test List

Template:OC5 Feature Test List | }} {{ #if: RP | | }} {{ #if: | | }} {{ #if: | | }} {{ #if: | | }}