Difference between revisions of "OC5:Apache mod auth openidc"

From OSIS Open Source Identity Systems
(Added Apache mod_oidc)

(16 intermediate revisions by the same user not shown)
Old revision:

{{DT Article|index=}}
== Apache mod_oidc ==
{{OC5 Solution
  |name              = Apache mod_oidc
  |identifier        = modoidc
  |summary           = OpenID Connect authentication/authorization module for Apache 2.x. mod_oidc is an Apache authentication/authorization module that allows an Apache server to operate as an OpenID Connect Relying Party, i.e. it requires users to authenticate to the Apache-hosted content through an external OpenID Connect Identity Provider using the OpenID Connect Basic Client profile (i.e. a back-channel flow, a.k.a. the "code" flow).
  |homepage          =
  |instructions      = Run "make install" from the top-level directory to leverage the Apache "apxs" tool to compile and install the module in your Apache environment. Sample config for Google Apps:

 LoadModule oidc_module modules/mod_oidc.so
 OIDCClientID <your-client-id-administered-through-the-google-api-console>
 OIDCClientSecret <your-client-secret-administered-through-the-google-api-console>
 OIDCIssuer accounts.google.com
 OIDCAuthorizationEndpoint https://accounts.google.com/o/oauth2/auth?hd=<your-domain>&approval_prompt=force
 OIDCRedirectURI https://localhost/example
 OIDCTokenEndpoint https://accounts.google.com/o/oauth2/token
 OIDCCryptoPassphrase <some-generated-password>
 OIDCUserInfoEndpoint https://www.googleapis.com/oauth2/v3/userinfo
 OIDCScope "openid email profile"
 <Location /example/>
   Authtype openid-connect
   require valid-user
 </Location>

  |latestversion     =
  |latestreleasedate =
  |solutionowner     = Hans Zandbelt
  |solutionrole1     = RP
  |solutionendpoint1 = https://code.google.com/p/pingfederate/source/browse/#svn%2Ftrunk%2Fmod_oidc
  |solutionrole2     =
  |solutionendpoint2 =

New revision:

{{DT Article|index=}}
== Apache mod_auth_openidc ==
{{OC5 Solution
  |name              = Apache mod_auth_openidc
  |identifier        = modauthopenidc
  |summary           = This module enables an Apache 2.x web server to operate as an OpenID Connect Relying Party and/or an OAuth 2.0 Resource Server.

It supports OP Discovery, Dynamic Client Registration, Session Management (draft 22), 3rd-party Initiated Login, (Access) Token Refresh, OAuth 2.0 Form Post Response Mode and Token Introspection (draft 05).

In addition it supports OP initiated login as defined in: https://tools.ietf.org/html/draft-bradley-oauth-jwt-encoded-state

Flow support (all): "code", "id_token", "id_token token", "code id_token", "code token", "code id_token token"

JWS support (all): RS256, RS384, RS512, PS256, PS384, PS512, HS256, HS384, HS512, ES256, ES384, ES512, none

JWE support (basic, required set for JWT): RSA1_5, A128KW, A256KW with A128CBC-HS256, A256CBC-HS512

  |homepage          = https://github.com/pingidentity/mod_auth_openidc
  |instructions      =
  |latestversion     = https://github.com/pingidentity/mod_auth_openidc/releases
  |latestreleasedate =
  |solutionowner     = Hans Zandbelt
  |solutionrole1     = RP
  |solutionendpoint1 = https://www.pingidentity.nl/protected/index.php
  |solutionrole2     =
  |solutionendpoint2 =
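The old revision's instructions field carries a mod_oidc configuration for Google, while the new revision leaves the field empty. The configuration below is an added example, not text from this wiki page or from the mod_auth_openidc project's own documentation; it expresses the same Google Relying Party setup with the renamed module's directives and adds the OAuth 2.0 Resource Server role that the new summary lists. The directive names are those of mod_auth_openidc's configuration reference (verify them against the auth_openidc.conf shipped with the version you install); every value in angle brackets, the hostnames and the introspection URL are placeholders you must supply.

```apache
# Added example (not from the wiki page): mod_auth_openidc as an OpenID Connect
# Relying Party for Google, the counterpart of the mod_oidc sample above.
# Values in <angle brackets> are assumed placeholders; replace them.
LoadModule auth_openidc_module modules/mod_auth_openidc.so

# OP Discovery: the issuer's openid-configuration document supplies the
# authorization, token, userinfo and jwks_uri endpoints, so none of them are
# hard-coded the way the old mod_oidc sample did. The module then checks that
# the iss claim of each ID token matches the discovered issuer.
OIDCProviderMetadataURL https://accounts.google.com/.well-known/openid-configuration

OIDCClientID     <your-client-id-from-the-google-api-console>
OIDCClientSecret <your-client-secret-from-the-google-api-console>

# Extra authorization-request parameters. The old sample appended these to the
# authorization endpoint URL; hd restricts sign-in to one Google Apps domain.
OIDCAuthRequestParams hd=<your-domain>&approval_prompt=force

# The redirect URI must lie inside a <Location> protected by this module and
# must not correspond to real content: the module answers it itself.
OIDCRedirectURI https://<your-host>/example/redirect_uri

# Key used to encrypt the session cookie and protect state; use a long random value
# and keep it out of version control.
OIDCCryptoPassphrase <some-generated-passphrase>

OIDCScope "openid email profile"
# Authorization Code flow, the "code" entry in the summary's flow list.
OIDCResponseType code

# Keep TLS certificate validation of the provider on; turning it off lets
# an on-path attacker impersonate the OP's token and userinfo endpoints.
OIDCSSLValidateServer On

# Expose the verified email claim as REMOTE_USER instead of the default
# sub-based value, so downstream Apache authz rules can match on it.
OIDCRemoteUserClaim email

<Location /example/>
    AuthType openid-connect
    Require valid-user
</Location>

# OAuth 2.0 Resource Server role: bearer tokens presented to /api/ are
# validated through the authorization server's token introspection endpoint
# using the resource server's own credentials. Placeholder URL; Google itself
# does not offer introspection, so point this at your own authorization server.
OIDCOAuthIntrospectionEndpoint https://<your-authorization-server>/introspect
OIDCOAuthClientID     <resource-server-client-id>
OIDCOAuthClientSecret <resource-server-client-secret>

<Location /api/>
    AuthType oauth20
    Require valid-user
</Location>
```

The two <Location> blocks show the module's two roles side by side: browser users hitting /example/ are redirected to Google and come back with an ID token that the module validates (signature, issuer, audience, hashes) before setting REMOTE_USER, while API clients hitting /api/ must present a bearer access token that the module checks by introspection, with no redirect. Because OIDCProviderMetadataURL drives discovery, key rollover at the OP is handled by re-fetching jwks_uri rather than by editing this file.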

Latest revision as of 12:32, 24 February 2015


Apache mod_auth_openidc

{| class="wikitable"
! colspan="2" | OC5 Solution: Apache mod_auth_openidc
|-
| Identifier
| modauthopenidc
|-
| Description
| This module enables an Apache 2.x web server to operate as an OpenID Connect Relying Party and/or an OAuth 2.0 Resource Server.

It supports OP Discovery, Dynamic Client Registration, Session Management (draft 22), 3rd-party Initiated Login, (Access) Token Refresh, OAuth 2.0 Form Post Response Mode and Token Introspection (draft 05). In addition it supports OP initiated login as defined in: https://tools.ietf.org/html/draft-bradley-oauth-jwt-encoded-state

Flow support (all): "code", "id_token", "id_token token", "code id_token", "code token", "code id_token token"

JWS support (all): RS256, RS384, RS512, PS256, PS384, PS512, HS256, HS384, HS512, ES256, ES384, ES512, none

JWE support (basic, required set for JWT): RSA1_5, A128KW, A256KW with A128CBC-HS256, A256CBC-HS512
|-
| Product Page
| https://github.com/pingidentity/mod_auth_openidc
|-
| Project or solution logo (if different than Participant logo)
|
|-
| Latest Version
| https://github.com/pingidentity/mod_auth_openidc/releases
|-
| Latest Release Date
|
|-
| Installation/Operation Instructions
|
|-
| Operated by
| Hans Zandbelt
|-
| Interop Roles
| RP: https://www.pingidentity.nl/protected/index.php
|}

== OC5 RP FeatureTest List ==

Feature Tests for Apache mod_auth_openidc: Relying Party Features. In the wiki, the outcome of each row is pulled from the outcome field of the listed OC5 Result page and reads "Not Tested" when no such page exists.

{| class="wikitable"
! Feature test !! Result page
|-
! colspan="2" | Response Type & Response Mode
|-
| Can Make Request with code Response Type || OC5:FTR-rp-rtyp-code-x-Apache mod_auth_openidc
|-
| Can Make Request with id_token Response Type || OC5:FTR-rp-rtyp-id_token-x-Apache mod_auth_openidc
|-
| Can Make Request with id_token token Response Type || OC5:FTR-rp-rtyp-id_token-token-x-Apache mod_auth_openidc
|-
| Can Use Self-Issued OP || OC5:FTR-rp-selfissued-x-Apache mod_auth_openidc
|-
| Can Make Request with form_post Response Mode || OC5:FTR-rp-rmod-form-x-Apache mod_auth_openidc
|-
! colspan="2" | ID Token
|-
| Rejects ID Token with Invalid Audience || OC5:FTR-rp-bad-aud-x-Apache mod_auth_openidc
|-
| Rejects Incorrect at_hash when Implicit Flow Used || OC5:FTR-rp-hash-badat-x-Apache mod_auth_openidc
|-
| Rejects Incorrect c_hash when Code Flow Used || OC5:FTR-rp-hash-badc-x-Apache mod_auth_openidc
|-
| Rejects Invalid Asymmetric ID Token Signature || OC5:FTR-rp-bad-rs256-x-Apache mod_auth_openidc
|-
| Can Request and Use Unsecured ID Token Response || OC5:FTR-rp-idt-uns-x-Apache mod_auth_openidc
|-
| Rejects Invalid Symmetric ID Token Signature || OC5:FTR-rp-bad-hs256-x-Apache mod_auth_openidc
|-
| Can Use Elliptic Curve ID Token Signatures || OC5:FTR-rp-idt-ec-x-Apache mod_auth_openidc
|-
| Can Request and Use Signed and Encrypted ID Token Response || OC5:FTR-rp-idt-signenc-x-Apache mod_auth_openidc
|-
! colspan="2" | UserInfo Endpoint
|-
| Accesses UserInfo Endpoint with Header Method || OC5:FTR-rp-ui-hdr-x-Apache mod_auth_openidc
|-
| Does Not Access UserInfo Endpoint with Query Parameter Method || OC5:FTR-rp-ui-not-query-x-Apache mod_auth_openidc
|-
| Rejects UserInfo with Invalid Subject || OC5:FTR-rp-bad-userinfo-sub-x-Apache mod_auth_openidc
|-
| Can Request and Use Signed UserInfo Response || OC5:FTR-rp-ui-sign-x-Apache mod_auth_openidc
|-
| Can Request and Use Encrypted UserInfo Response || OC5:FTR-rp-ui-enc-x-Apache mod_auth_openidc
|-
| Can Request and Use Signed and Encrypted UserInfo Response || OC5:FTR-rp-ui-signenc-x-Apache mod_auth_openidc
|-
! colspan="2" | scope Request Parameter
|-
| Requesting UserInfo Claims with scope Values || OC5:FTR-rp-scope-x-Apache mod_auth_openidc
|-
! colspan="2" | Client Authentication
|-
| Can Make Access Token Request with client_secret_basic Authentication || OC5:FTR-rp-tok-csbasic-x-Apache mod_auth_openidc
|-
| Can Make Access Token Request with client_secret_post Authentication || OC5:FTR-rp-tok-cspost-x-Apache mod_auth_openidc
|-
| Can Make Access Token Request with private_key_jwt Authentication || OC5:FTR-rp-tok-pkjwt-x-Apache mod_auth_openidc
|-
| Can Make Access Token Request with client_secret_jwt Authentication || OC5:FTR-rp-tok-csjwt-x-Apache mod_auth_openidc
|-
! colspan="2" | Discovery
|-
| Uses WebFinger Discovery || OC5:FTR-rp-discovery-x-Apache mod_auth_openidc
|-
| Can Discover Identifiers using E-Mail Syntax || OC5:FTR-rp-ids-email-x-Apache mod_auth_openidc
|-
| Can Discover Identifiers using URL Syntax || OC5:FTR-rp-ids-url-x-Apache mod_auth_openidc
|-
| Uses openid-configuration Discovery Information || OC5:FTR-rp-disc-config-x-Apache mod_auth_openidc
|-
| Rejects Discovered issuer Not Matching openid-configuration Path Prefix || OC5:FTR-rp-bad-disc-issuer-x-Apache mod_auth_openidc
|-
| Rejects ID Token with iss Not Matching Discovered issuer || OC5:FTR-rp-bad-iss-issuer-x-Apache mod_auth_openidc
|-
| Uses Keys Discovered with jwks_uri Value || OC5:FTR-rp-keys-jwks_uri-x-Apache mod_auth_openidc
|-
! colspan="2" | Dynamic Client Registration
|-
| Uses Dynamic Registration || OC5:FTR-rp-registration-x-Apache mod_auth_openidc
|-
! colspan="2" | Key Rollover
|-
| Supports OP Signing Key Rollover || OC5:FTR-rp-roll-op-sig-x-Apache mod_auth_openidc
|-
| Can Rollover RP Signing Key || OC5:FTR-rp-roll-rp-sig-x-Apache mod_auth_openidc
|-
| Supports OP Encryption Key Rollover || OC5:FTR-rp-roll-op-enc-x-Apache mod_auth_openidc
|-
| Can Rollover RP Encryption Key || OC5:FTR-rp-roll-rp-enc-x-Apache mod_auth_openidc
|-
! colspan="2" | request_uri Request Parameter
|-
| Can Use request_uri Request Parameter with Unsecured Request || OC5:FTR-rp-ruri-uns-x-Apache mod_auth_openidc
|-
| Can Use request_uri Request Parameter with Signed Request || OC5:FTR-rp-ruri-sig-x-Apache mod_auth_openidc
|-
| Can Use request_uri Request Parameter with Encrypted Request || OC5:FTR-rp-ruri-enc-x-Apache mod_auth_openidc
|-
| Can Use request_uri Request Parameter with Signed and Encrypted Request || OC5:FTR-rp-ruri-sigenc-x-Apache mod_auth_openidc
|-
! colspan="2" | claims Request Parameter
|-
| Requesting UserInfo Claims with claims Request Parameter || OC5:FTR-rp-reqobj-x-Apache mod_auth_openidc
|-
| Can Request and Use Claims in id_token || OC5:FTR-rp-clm-idt-x-Apache mod_auth_openidc
|-
! colspan="2" | Third Party Initiated Login
|-
| Supports Third-Party Initiated Login || OC5:FTR-rp-3rd-login-x-Apache mod_auth_openidc
|-
! colspan="2" | Claim Types
|-
| Uses Aggregated Claims || OC5:FTR-rp-clm-aggreg-x-Apache mod_auth_openidc
|-
| Uses Distributed Claims || OC5:FTR-rp-clm-dist-x-Apache mod_auth_openidc
|-
! colspan="2" | Session Management
|-
| Logout Initiated by RP || OC5:FTR-rp-logout-init-x-Apache mod_auth_openidc
|-
| Logout Received by RP || OC5:FTR-rp-logout-received-x-Apache mod_auth_openidc
|-
| State Change Other than Logout Received by RP || OC5:FTR-rp-change-received-x-Apache mod_auth_openidc
|}