mod_auth_openidc documentation
You can read the documentation of mod_auth_openidc at https://github.com/zmartzone/mod_auth_openidc/wiki
Install mod_auth_openidc
Use the package manager of your Linux distribution.
Make sure that the module is enabled in your Apache configuration.
Register your service as an OIDC client
Read: Registering services on MyAcademicID
The redirect_uri for your service is shown in the mod_auth_openidc configuration below.
Configure the virtual host for your service
<VirtualHost *:443>
    OIDCProviderMetadataURL https://proxy.prod.erasmus.eduteams.org/.well-known/openid-configuration
    OIDCClientID <CLIENT_ID>
    OIDCClientSecret <CLIENT_SECRET>
    # The redirect_uri is a vanity path handled by the module itself: it must lie
    # inside a location protected by this module (see <Location> below) and must
    # not point to real content.
    OIDCRedirectURI https://<SERVER_FQDN>/<protected-resource>/redirect_uri
    OIDCCryptoPassphrase <RANDOM-LONG_STRING>

    # Available scopes:
    # - openid: mandatory
    # - email: required in order to receive the email of the user
    # - profile: required in order to receive the name of the user
    # - schac_personal_unique_code: required in order to receive the ESI of the user
    # - voperson_external_affiliation: required in order to receive the affiliation of the user
    # - schac_home_organization: required in order to receive the schacHomeOrganization of the user
    # - eduperson_entitlement: required in order to receive user entitlements, e.g. the EWP Admin role
    OIDCScope "openid email profile"

    # The configuration of your application goes here. If you want to require
    # OIDC authentication for a specific location, see the example below.
    <Location /<protected-resource>>
        # More information about authorization can be found here:
        # https://github.com/zmartzone/mod_auth_openidc/wiki/Authorization#1-mod_auth_openidc
        AuthType openid-connect
        Require valid-user
    </Location>
</VirtualHost>
Create a target page below the /<protected-resource>/ location
This example PHP page reads the REMOTE_USER variable and the request headers set by the OIDC module after a successful login and displays them:
<html>
<body>
<h1>Hello, <?php echo htmlspecialchars($_SERVER['REMOTE_USER'] ?? '', ENT_QUOTES, 'UTF-8'); ?></h1>
<pre><?php print_r(array_map("htmlentities", apache_request_headers())); ?></pre>
<!-- Logout goes through the module's redirect_uri; the logout target is an absolute URL that the module accepts (same host by default). -->
<a href="/<protected-resource>/redirect_uri?logout=https%3A%2F%2F<SERVER_FQDN>%2Floggedout.html">Logout</a>
</body>
</html>
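As an added example, not taken from the MyAcademicID documentation or from mod_auth_openidc, the following PHP page turns the OIDC_CLAIM_* headers the module sets into a claims array, splits the multi-valued eduperson_entitlement claim, and refuses the page unless a required entitlement is present. It assumes the module's default OIDCClaimPrefix ("OIDC_CLAIM_") and OIDCClaimDelimiter (","), that the claim names match the scope names listed above and that those scopes were added to OIDCScope; the entitlement value is a placeholder.

```php
<?php
// Added example (not from the page or the module): consume mod_auth_openidc claim
// headers behind the protected location. Assumes default OIDCClaimPrefix and
// OIDCClaimDelimiter and that the relevant scopes were requested in OIDCScope.

const CLAIM_PREFIX = 'OIDC_CLAIM_';
const CLAIM_DELIMITER = ',';
// Placeholder: replace with the entitlement value your deployment actually requires.
const REQUIRED_ENTITLEMENT = 'urn:placeholder:ewp-admin';

// Pick the OIDC_CLAIM_* headers out of the request headers, keyed by claim name.
// Header names are compared case-insensitively because SAPIs differ in casing.
function claimsFromHeaders(array $headers): array {
    $claims = [];
    foreach ($headers as $name => $value) {
        if (stripos($name, CLAIM_PREFIX) === 0) {
            $claims[strtolower(substr($name, strlen(CLAIM_PREFIX)))] = $value;
        }
    }
    return $claims;
}

// Multi-valued claims arrive as one header joined with the delimiter.
function multiValued(array $claims, string $name): array {
    if (!isset($claims[$name]) || $claims[$name] === '') {
        return [];
    }
    return array_map('trim', explode(CLAIM_DELIMITER, $claims[$name]));
}

function hasEntitlement(array $claims, string $needed): bool {
    return in_array($needed, multiValued($claims, 'eduperson_entitlement'), true);
}

// Authentication was already enforced by "Require valid-user"; this adds the
// authorisation decision and escapes everything before it reaches HTML.
$claims = claimsFromHeaders(apache_request_headers());
if (!hasEntitlement($claims, REQUIRED_ENTITLEMENT)) {
    http_response_code(403);
    exit('Not authorised for this resource');
}
$esi = htmlspecialchars($claims['schac_personal_unique_code'] ?? '(not released)', ENT_QUOTES, 'UTF-8');
$org = htmlspecialchars($claims['schac_home_organization'] ?? '(not released)', ENT_QUOTES, 'UTF-8');
echo "<p>ESI: $esi, home organisation: $org</p>";
```

The same decision can be made in Apache instead of PHP with a `Require claim eduperson_entitlement:<value>` line in the Location block, as described on the module's Authorization wiki page linked above.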