mod_auth_openidc  2.3.11
About: mod_auth_openidc is an authentication/authorization module for the Apache 2.x HTTP server that functions as an OpenID Connect Relying Party (RP), authenticating users against an OpenID Connect Provider (OP). It can also function as an OAuth 2.0 Resource Server.
  Fossies Dox: mod_auth_openidc-2.3.11.tar.gz  ("inofficial" and yet experimental doxygen-generated source code documentation)  

Some Fossies usage hints in advance:

  1. To see the Doxygen generated documentation please click on one of the items in the "quick index" bar above or use the side panel at the left which displays a hierarchical tree-like index structure and is adjustable in width.
  2. If you want to search for something by keyword rather than browse for it you can use the client side search facility (using Javascript and DHTML) that provides live searching, i.e. the search results are presented and adapted as you type in the Search input field at the top right.
  3. Doxygen doesn't incorporate all member files but just a definable subset (basically the main project source code files that are written in a supported language). So to search and browse all member files you may visit the Fossies mod_auth_openidc-2.3.11.tar.gz contents page and use the Fossies standard member browsing features (also with source code highlighting and additionally with optional code folding).
mod_auth_openidc Documentation

Build Status OpenID Certification Code Quality: Cpp Total Alerts

mod_auth_openidc

mod_auth_openidc is an authentication/authorization module for the Apache 2.x HTTP server that functions as an OpenID Connect Relying Party, authenticating users against an OpenID Connect Provider. It can also function as an OAuth 2.0 Resource Server, validating OAuth 2.0 bearer access tokens presented by OAuth 2.0 Clients.

Overview

This module enables an Apache 2.x web server to operate as an OpenID Connect Relying Party (RP) to an OpenID Connect Provider (OP). It authenticates users against an OpenID Connect Provider, receives user identity information from the OP in a so called ID Token and passes on the identity information (a.k.a. claims) in the ID Token to applications hosted and protected by the Apache web server.

It can also be configured as an OAuth 2.0 Resource Server (RS), consuming bearer access tokens and validating them against an OAuth 2.0 Authorization Server, authorizing Clients based on the validation results.

The protected content and/or applications can be served by the Apache server itself or it can be served from elsewhere when Apache is configured as a Reverse Proxy in front of the origin server(s).

By default the module sets the REMOTE_USER variable to the id_token [sub] claim, concatenated with the OP's Issuer identifier ([sub]@[iss]). Other id_token claims are passed in HTTP headers and/or environment variables together with those (optionally) obtained from the UserInfo endpoint.

It allows for authorization rules (based on standard Apache Require primitives) that can be matched against the set of claims provided in the id_token/ userinfo claims.

mod_auth_openidc supports the following specifications:

Alternatively the module can operate as an OAuth 2.0 Resource Server to an OAuth 2.0 Authorization Server, validating bearer Access Tokens by introspecting them or verifying them locally if they are JWTs. In the OAuth 2.0 Resource Server mode mod_auth_openidc supports the following specifications:

The REMOTE_USER variable setting, passing claims in HTTP headers and authorization based on Require primitives works in the same way as described for OpenID Connect above. See the Wiki for information on how to configure it.

For an exhaustive description of all configuration options, see the file auth_openidc.conf in this directory. This file can also serve as an include file for httpd.conf.

Support