Using mod_auth_openidc

Time: 2016-04-16 00:46:54

Tags: apache mod-proxy mod-auth-openidc

I have a basic web application running on Apache 2.2 without any authentication. The site content is static web pages. Our small organization is currently working on implementing mod_auth_openidc for all of our websites. I want to add mod_auth_openidc authentication on top of this basic static web application. How can I achieve that? I am new to Apache configuration and to mod_auth_openidc. I searched for articles on how to do this but could not find any. I have created a static account for my application on the OAuth2 server. Can someone point me to how to configure mod_auth_openidc together with mod_proxy to enable authentication for my static web page application?

# Modules must be loaded before any of their directives are used;
# the proxy modules are needed for ProxyPass/ProxyPassReverse if they
# are not already loaded elsewhere in the server configuration
LoadModule authz_user_module   modules/mod_authz_user.so
LoadModule auth_openidc_module modules/mod_auth_openidc.so
LoadModule proxy_module        modules/mod_proxy.so
LoadModule proxy_http_module   modules/mod_proxy_http.so

<Location />
   AuthType openid-connect
   Require valid-user
</Location>
OIDCProviderMetadataURL https://example.com/fss/.well-known/openid-configuration
OIDCClientID ExampleCorp_Prod_web01
OIDCClientSecret <client-secret>
OIDCRedirectURI http://<ip>/redirect_uri
OIDCScope "profile openid"
OIDCCryptoPassphrase example@3003
OIDCCookiePath /
ProxyPass /  http://<ip>:8080/ nocanon
ProxyPassReverse / http://<ip>:8080/
ProxyRequests     Off
AllowEncodedSlashes on
<Proxy http://<ip>:8080/*>
</Proxy>
OIDCAuthNHeader X-Forwarded-User
OIDCRemoteUserClaim sub
OIDCClaimPrefix example_

1 answer:

Answer 0 (score: 2)

There are some examples in the README on the GitHub project page: https://github.com/pingidentity/mod_auth_openidc. Assuming the static pages live under /example, in your specific (PingFederate) case it would look something like:

OIDCProviderMetadataURL https://<pingfederate-host>:9031/.well-known/openid-configuration

OIDCClientID <client-id-as-registered-with-pingfederate>
OIDCClientSecret <client-secret-as-registered-with-pingfederate>

OIDCRedirectURI https://<your-apache-host>/example/redirect_uri/
OIDCCryptoPassphrase <password>
OIDCScope "openid email profile"

<Location /example/>
   AuthType openid-connect
   Require valid-user
</Location>

A complete working example based on the OP's environment:

Listen 80
User www
Group www
DocumentRoot /opt/local/apache2/htdocs/
ErrorLog "logs/error_log"
LogLevel info
ServerName example.org

LoadModule ssl_module modules/mod_ssl.so
LoadModule authz_user_module   modules/mod_authz_user.so
LoadModule auth_openidc_module modules/mod_auth_openidc.so

LoadModule proxy_module modules/mod_proxy.so
LoadModule proxy_http_module modules/mod_proxy_http.so

<Location />
   AuthType openid-connect
   Require valid-user
</Location>

OIDCProviderMetadataURL https://accounts.google.com/.well-known/openid-configuration
OIDCClientID myclientid
OIDCClientSecret mysecret
OIDCRedirectURI http://example.org/protected/
OIDCScope "profile openid"
OIDCCryptoPassphrase example@3003
OIDCCookiePath /

ProxyPass /  http://192.168.10.1:80/ nocanon
ProxyPassReverse / http://192.168.10.1:80/
ProxyRequests     Off
AllowEncodedSlashes on
<Proxy http://192.168.10.1:80/*>
</Proxy>

OIDCAuthNHeader X-Forwarded-User
OIDCRemoteUserClaim sub
OIDCClaimPrefix example_
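A hardened variant of the reverse-proxy setup above, added here as an example and not taken from the original answer or the mod_auth_openidc project: it serves the protected site over TLS only, bounds session lifetime, and makes sure the identity header the backend receives can only come from mod_auth_openidc. Hostnames, certificate paths and the backend address are placeholders, and the session and cookie directives assume a mod_auth_openidc release that supports them.

```apache
# Added example (not from the original post or the mod_auth_openidc project): TLS-only
# reverse proxy in front of a static backend. Values in <...> are placeholders.
LoadModule ssl_module          modules/mod_ssl.so
LoadModule headers_module      modules/mod_headers.so
LoadModule authz_user_module   modules/mod_authz_user.so
LoadModule auth_openidc_module modules/mod_auth_openidc.so
LoadModule proxy_module        modules/mod_proxy.so
LoadModule proxy_http_module   modules/mod_proxy_http.so
# Plain HTTP only redirects to HTTPS: the session cookie and the authorization
# response must never travel in the clear.
<VirtualHost *:80>
    ServerName www.example.org
    Redirect permanent / https://www.example.org/
</VirtualHost>

<VirtualHost *:443>
    ServerName www.example.org
    SSLEngine on
    SSLCertificateFile    /etc/ssl/certs/<your-cert>.pem
    SSLCertificateKeyFile /etc/ssl/private/<your-key>.pem

    OIDCProviderMetadataURL https://<provider-host>/.well-known/openid-configuration
    OIDCClientID            <client-id>
    OIDCClientSecret        <client-secret>
    OIDCSSLValidateServer   On
    # Inside the protected location, but a path the backend does not serve
    OIDCRedirectURI         https://www.example.org/redirect_uri
    OIDCCryptoPassphrase    <long-random-passphrase>
    OIDCScope               "openid profile"
    OIDCCookiePath          /
    OIDCCookieHTTPOnly      On
    OIDCSessionInactivityTimeout 900
    OIDCSessionMaxDuration       28800

    # Identity for the backend comes from the verified ID token, not from the client
    OIDCRemoteUserClaim     sub
    OIDCAuthNHeader         X-Forwarded-User
    # Drop any X-Forwarded-User a client sends before authentication runs ("early"),
    # so the backend only ever sees the value mod_auth_openidc sets
    RequestHeader unset X-Forwarded-User early
    <Location />
        AuthType openid-connect
        Require valid-user
    </Location>

    ProxyRequests Off
    ProxyPass        / http://<backend-ip>:8080/
    ProxyPassReverse / http://<backend-ip>:8080/
</VirtualHost>
```

The backend on `<backend-ip>:8080` must accept connections only from the proxy host; if it is reachable directly, any client can supply its own X-Forwarded-User and bypass the login entirely.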