keycloak-scim/topics/oidc/mod-auth-openidc.adoc

[[_mod_auth_openidc]]
==== mod_auth_openidc Apache HTTPD Module

The https://github.com/pingidentity/mod_auth_openidc[mod_auth_openidc] is an Apache HTTP plugin for OpenID Connect. If your language/environment supports using Apache HTTPD
as a proxy, then you can use _mod_auth_openidc_ to secure your web application with OpenID Connect.  Configuration of this module
is beyond the scope of this document.  Please see the _mod_auth_openidc_ Github repo for more details on configuration.

To configure _mod_auth_openidc_ you'll need

* The client_id.
* The client_secret.
* The redirect_uri to your application.
* The Keycloak openid-configuration url
* _mod_auth_openidc_ specific Apache HTTPD module config.

An example configuration would look like the following.

[source,xml]
----
LoadModule auth_openidc_module modules/mod_auth_openidc.so

ServerName ${HOSTIP}

<VirtualHost *:80>

    ServerAdmin webmaster@localhost
    DocumentRoot /var/www/html

    #this is required by mod_auth_openidc
    OIDCCryptoPassphrase a-random-secret-used-by-apache-oidc-and-balancer

    OIDCProviderMetadataURL ${KC_ADDR}/auth/realms/${KC_REALM}/.well-known/openid-configuration

    OIDCClientID ${CLIENT_ID}
    OIDCClientSecret ${CLIENT_SECRET}
    OIDCRedirectURI http://${HOSTIP}/${CLIENT_APP_NAME}/redirect_uri

    # maps the prefered_username claim to the REMOTE_USER environment variable 
    OIDCRemoteUserClaim preferred_username

    <Location /${CLIENT_APP_NAME}/>
        AuthType openid-connect
        Require valid-user
    </Location>
</VirtualHost>
----

Further information on how to configure mod_auth_openidc can be found on the https://github.com/pingidentity/mod_auth_openidc[mod_auth_openidc]
project page.
Fix #11: Document integration with Apache module mod_auth_openidc 2016-06-06 08:22:23 +00:00			`[[_mod_auth_openidc]]`
Fix headers in oidc chapter 2016-06-09 13:12:10 +00:00			`==== mod_auth_openidc Apache HTTPD Module`
Fix #11: Document integration with Apache module mod_auth_openidc 2016-06-06 08:22:23 +00:00
			`The https://github.com/pingidentity/mod_auth_openidc[mod_auth_openidc] is an Apache HTTP plugin for OpenID Connect. If your language/environment supports using Apache HTTPD`
			`as a proxy, then you can use _mod_auth_openidc_ to secure your web application with OpenID Connect. Configuration of this module`
			`is beyond the scope of this document. Please see the _mod_auth_openidc_ Github repo for more details on configuration.`

			`To configure _mod_auth_openidc_ you'll need`

			`* The client_id.`
			`* The client_secret.`
			`* The redirect_uri to your application.`
			`* The Keycloak openid-configuration url`
			`* _mod_auth_openidc_ specific Apache HTTPD module config.`

			`An example configuration would look like the following.`

			`[source,xml]`
			`----`
			`LoadModule auth_openidc_module modules/mod_auth_openidc.so`

			`ServerName ${HOSTIP}`

			`<VirtualHost *:80>`

			`ServerAdmin webmaster@localhost`
			`DocumentRoot /var/www/html`

			`#this is required by mod_auth_openidc`
			`OIDCCryptoPassphrase a-random-secret-used-by-apache-oidc-and-balancer`

			`OIDCProviderMetadataURL ${KC_ADDR}/auth/realms/${KC_REALM}/.well-known/openid-configuration`

			`OIDCClientID ${CLIENT_ID}`
			`OIDCClientSecret ${CLIENT_SECRET}`
			`OIDCRedirectURI http://${HOSTIP}/${CLIENT_APP_NAME}/redirect_uri`

			`# maps the prefered_username claim to the REMOTE_USER environment variable`
			`OIDCRemoteUserClaim preferred_username`

			`<Location /${CLIENT_APP_NAME}/>`
			`AuthType openid-connect`
			`Require valid-user`
			`</Location>`
			`</VirtualHost>`
			`----`

			`Further information on how to configure mod_auth_openidc can be found on the https://github.com/pingidentity/mod_auth_openidc[mod_auth_openidc]`
			`project page.`