OC5:Apache mod auth openidc

From OSIS Open Source Identity Systems
Revision as of 12:54, 27 March 2014 by Zandbelt (Talk | contribs)



Apache mod_auth_openidc

OC5 Solution: Apache mod_auth_openidc

Identifier: modauthopenidc

Description: mod_auth_openidc is an Apache authentication/authorization module that allows an Apache server to operate as an OpenID Connect Relying Party.

It requires users to authenticate at an external OpenID Connect Identity Provider using the OpenID Connect Basic Client Profile or Implicit Client Profile.

It sets the REMOTE_USER variable to the id_token sub claim; other id_token claims are passed in HTTP headers, together with those (optionally) obtained from the user info endpoint.

It allows for authorization rules (based on the Requires primitive) that can match against the set of claims provided in the id_token/userinfo.

It supports multiple OpenID Connect Providers by reading provider metadata files from a metadata directory.

It supports OpenID Connect Dynamic Client Registration and OpenID Provider Discovery through account names.

Product Page: https://github.com/pingidentity/mod_auth_openidc
Project or solution logo (if different than Participant logo):
Latest Version: 1.0
Latest Release Date: March 27, 2014
Installation/Operation Instructions:
Operated by: Hans Zandbelt
Interop Roles: RP (https://www.pingidentity.nl/protected/index.php)



OC5 RP FeatureTest List

Feature Tests for Apache mod_auth_openidc

Relying Party Features

Feature | Result page

Response Type & Response Mode
Can Make Request with code Response Type | OC5:FTR-rp-rtyp-code-x-Apache mod_auth_openidc
Can Make Request with id_token Response Type | OC5:FTR-rp-rtyp-id_token-x-Apache mod_auth_openidc
Can Make Request with id_token token Response Type | OC5:FTR-rp-rtyp-id_token-token-x-Apache mod_auth_openidc
Can Use Self-Issued OP | OC5:FTR-rp-selfissued-x-Apache mod_auth_openidc
Can Make Request with form_post Response Mode | OC5:FTR-rp-rmod-form-x-Apache mod_auth_openidc

ID Token
Rejects ID Token with Invalid Audience | OC5:FTR-rp-bad-aud-x-Apache mod_auth_openidc
Rejects Incorrect at_hash when Implicit Flow Used | OC5:FTR-rp-hash-badat-x-Apache mod_auth_openidc
Rejects Incorrect c_hash when Code Flow Used | OC5:FTR-rp-hash-badc-x-Apache mod_auth_openidc
Reject Invalid Asymmetric ID Token Signature | OC5:FTR-rp-bad-rs256-x-Apache mod_auth_openidc
Can Request and Use Unsecured ID Token Response | OC5:FTR-rp-idt-uns-x-Apache mod_auth_openidc
Reject Invalid Symmetric ID Token Signature | OC5:FTR-rp-bad-hs256-x-Apache mod_auth_openidc
Can Use Elliptic Curve ID Token Signatures | OC5:FTR-rp-idt-ec-x-Apache mod_auth_openidc
Can Request and Use Signed and Encrypted ID Token Response | OC5:FTR-rp-idt-signenc-x-Apache mod_auth_openidc

UserInfo Endpoint
Accesses UserInfo Endpoint with Header Method | OC5:FTR-rp-ui-hdr-x-Apache mod_auth_openidc
Does Not Access UserInfo Endpoint with Query Parameter Method | OC5:FTR-rp-ui-not-query-x-Apache mod_auth_openidc
Rejects UserInfo with Invalid Subject | OC5:FTR-rp-bad-userinfo-sub-x-Apache mod_auth_openidc
Can Request and Use Signed UserInfo Response | OC5:FTR-rp-ui-sign-x-Apache mod_auth_openidc
Can Request and Use Encrypted UserInfo Response | OC5:FTR-rp-ui-enc-x-Apache mod_auth_openidc
Can Request and Use Signed and Encrypted UserInfo Response | OC5:FTR-rp-ui-signenc-x-Apache mod_auth_openidc

scope Request Parameter
Requesting UserInfo Claims with scope Values | OC5:FTR-rp-scope-x-Apache mod_auth_openidc

Client Authentication
Can Make Access Token Request with client_secret_basic Authentication | OC5:FTR-rp-tok-csbasic-x-Apache mod_auth_openidc
Can Make Access Token Request with client_secret_post Authentication | OC5:FTR-rp-tok-cspost-x-Apache mod_auth_openidc
Can Make Access Token Request with private_key_jwt Authentication | OC5:FTR-rp-tok-pkjwt-x-Apache mod_auth_openidc
Can Make Access Token Request with client_secret_jwt Authentication | OC5:FTR-rp-tok-csjwt-x-Apache mod_auth_openidc

Discovery
Uses WebFinger Discovery | OC5:FTR-rp-discovery-x-Apache mod_auth_openidc
Can Discover Identifiers using E-Mail Syntax | OC5:FTR-rp-ids-email-x-Apache mod_auth_openidc
Can Discover Identifiers using URL Syntax | OC5:FTR-rp-ids-url-x-Apache mod_auth_openidc
Uses openid-configuration Discovery Information | OC5:FTR-rp-disc-config-x-Apache mod_auth_openidc
Rejects Discovered issuer Not Matching openid-configuration Path Prefix | OC5:FTR-rp-bad-disc-issuer-x-Apache mod_auth_openidc
Rejects ID Token with iss Not Matching Discovered issuer | OC5:FTR-rp-bad-iss-issuer-x-Apache mod_auth_openidc
Uses Keys Discovered with jwks_uri Value | OC5:FTR-rp-keys-jwks_uri-x-Apache mod_auth_openidc

Dynamic Client Registration
Uses Dynamic Registration | OC5:FTR-rp-registration-x-Apache mod_auth_openidc

Key Rollover
Support OP Signing Key Rollover | OC5:FTR-rp-roll-op-sig-x-Apache mod_auth_openidc
Can Rollover RP Signing Key | OC5:FTR-rp-roll-rp-sig-x-Apache mod_auth_openidc
Support OP Encryption Key Rollover | OC5:FTR-rp-roll-op-enc-x-Apache mod_auth_openidc
Can Rollover RP Encryption Key | OC5:FTR-rp-roll-rp-enc-x-Apache mod_auth_openidc

request_uri Request Parameter
Can Use request_uri Request Parameter with Unsecured Request | OC5:FTR-rp-ruri-uns-x-Apache mod_auth_openidc
Can Use request_uri Request Parameter with Signed Request | OC5:FTR-rp-ruri-sig-x-Apache mod_auth_openidc
Can Use request_uri Request Parameter with Encrypted Request | OC5:FTR-rp-ruri-enc-x-Apache mod_auth_openidc
Can Use request_uri Request Parameter with Signed and Encrypted Request | OC5:FTR-rp-ruri-sigenc-x-Apache mod_auth_openidc

claims Request Parameter
Requesting UserInfo Claims with claims Request Parameter | OC5:FTR-rp-reqobj-x-Apache mod_auth_openidc
Can Request and Use Claims in id_token | OC5:FTR-rp-clm-idt-x-Apache mod_auth_openidc

Third Party Initiated Login
Support Third-Party Initiated Login | OC5:FTR-rp-3rd-login-x-Apache mod_auth_openidc

Claim Types
Uses Aggregated Claims | OC5:FTR-rp-clm-aggreg-x-Apache mod_auth_openidc
Uses Distributed Claims | OC5:FTR-rp-clm-dist-x-Apache mod_auth_openidc

Session Management
Logout Initiated by RP | OC5:FTR-rp-logout-init-x-Apache mod_auth_openidc
Logout Received by RP | OC5:FTR-rp-logout-received-x-Apache mod_auth_openidc
State Change Other than Logout Received by RP | OC5:FTR-rp-change-received-x-Apache mod_auth_openidc

