{"id":8376,"date":"2021-11-06T13:40:34","date_gmt":"2021-11-06T18:40:34","guid":{"rendered":"https:\/\/www.rushworth.us\/lisa\/?p=8376"},"modified":"2024-03-18T11:07:54","modified_gmt":"2024-03-18T16:07:54","slug":"sso-in-apache-httpd-oauth2","status":"publish","type":"post","link":"https:\/\/www.rushworth.us\/lisa\/?p=8376","title":{"rendered":"SSO In Apache HTTPD – OAuth2"},"content":{"rendered":"

PingID is another external authentication source that looks to be replacing ADFS at work in the not-too-distant future. Unfortunately, I\u2019ve not been able to get anyone to set up the \u201cother side\u201d of this authentication method \u2026 so the documentation is untested. There is an Apache Integration Kit available from PingID (https:\/\/www.pingidentity.com\/en\/resources\/downloads\/pingfederate.html<\/a>). Documentation for setup is located at https:\/\/docs.pingidentity.com\/bundle\/pingfederate-apache-linux-ik\/page\/kxu1563994990311.html<\/a><\/p>\n

Alternately, you can use OAuth2 through Apache HTTPD to authenticate users against PingID. To set up OAuth, you\u2019ll need the mod_auth_openidc module<\/a> (this is also available from the RedHat dnf repository). You\u2019ll also need the client ID and secret that make up the OAuth2 client credentials. The full set of configuration parameters used in \/etc\/httpd\/conf.d\/auth_openidc.conf (or added to individual site-httpd.conf files) can be found at https:\/\/github.com\/zmartzone\/mod_auth_openidc\/blob\/master\/auth_openidc.conf<\/a><\/p>\n

As I am not able to register to use PingID, I am using an alternate OAUTH2 provider for authentication. The general idea should be the same for PingID \u2013 get the metadata URL, client ID, and secret added to the oidc configuration.<\/p>\n

Setting up Google OAuth Client:<\/em><\/strong><\/p>\n

Register OAuth on Google Cloud Platform (https:\/\/console.cloud.google.com\/<\/a>) \u2013 Under \u201cAPI & Services\u201d, select \u201cOAuth Consent Screen\u201d. Build a testing app \u2013 you can use URLs that don\u2019t go anywhere interesting, but if you want to publish the app for real usage, you\u2019ll need real stuff. <\/em><\/p>\n

Under \u201cAPI & Services\u201d, select \u201cCredentials\u201d. Select \u201cCreate Credentials\u201d and select \u201cOAuth Client ID\u201d<\/p>\n

Select the application type \u201cWeb application\u201d and provide a name for the connection<\/p>\n

<\/p>\n

You don\u2019t need any authorized JS origins. Add the authorized redirect URI(s) appropriate for your host. In this case, the internal URI is my docker host, off port on 7443. The generally used URI is my reverse proxy server. I\u2019ve had redirect URI mismatch errors when the authorized URIs don\u2019t both include and exclude the trailing slash. Click \u201cCreate\u201d to complete the operation.<\/p>\n

<\/p>\n

<\/p>\n

You\u2019ll see a client ID and secret \u2013 stash those as we\u2019ll need to drop them into the openidc config file. Click \u201cOK\u201d and we\u2019re ready to set up the web server.<\/p>\n

\"\"<\/a><\/p>\n

Setting Up Apache HTTPD to use mod_auth_openidc<\/em><\/strong><\/p>\n

Clone the mod_auth_openidc repo (https:\/\/github.com\/zmartzone\/mod_auth_openidc.git<\/a>) \u2013 I made one change to the Dockerfile. I\u2019ve seen general guidance that using ENV to set DEBIAN_FRONTEND to noninteractive is not ideal, so I replaced that line with the transient form of the directive:<\/p>\n

ARG DEBIAN_FRONTEND=noninteractive<\/p>\n

I also changed the index.php file to<\/p>\n

RUN echo \"<html><head><title>Sample OAUTH Site<\/title><head><body><?php print $_SERVER['OIDC_CLAIM_email'] ; ?><pre><?php print_r(array_map(\\\"htmlentities\\\", apache_request_headers())); ?><\/pre><a href=\\\"\/protected\/?logout=https%3A%2F%2Fwww.rushworth.us%2Floggedout.html\\\">Logout<\/a><\/body><\/html>\" > \/var\/www\/html\/protected\/index.php<\/pre>\n
Build an image:<\/p>\n
docker build -t openidc:latest .<\/pre>\n
Create an openidc.conf file on your file system. We\u2019ll bind this file into the container so our<\/em> config is in place instead of the default one. In my example, I have created \u201c\/opt\/openidc.conf\u201d. File content included below (although you\u2019ll need to use your<\/em> client ID and secret and your hostname). I\u2019ve added a few claims so we have access to the name and email address (email address is the logon ID)<\/p>\n
Then run a container using the image. My sandbox is fronted by a reverse proxy, so the port used doesn\u2019t have to be well known.<\/p>\n
docker run --name openidc -p 7443:443 -v \/opt\/openidc.conf:\/etc\/apache2\/conf-available\/openidc.conf -it openidc \/bin\/bash -c \"source \/etc\/apache2\/envvars && valgrind --leak-check=full \/usr\/sbin\/apache2 -X\"<\/pre>\n
* In my case, the docker host is not publicly available. I\u2019ve also added the following lines to the reverse proxy at www.rushworth.us<\/a><\/p>\n
ProxyPass \/protected https:\/\/docker.rushworth.us:7443\/protected\r\nProxyPassReverse \/protected https:\/\/docker.rushworth.us:7443\/protected<\/pre>\n
Access https:\/\/www.rushworth.us\/protected\/index.php<\/a> (I haven\u2019t published my app for Google\u2019s review, so it\u2019s locked down to use by registered accounts only \u2026 at this time, that\u2019s only my ID. I can register others too.) You\u2019ll be bounced over to Google to provide authentication, then handed back to my web server.<\/p>\n
<\/p>\n
We can then use the OIDC_CLAIM_email — $_SERVER[‘OIDC_CLAIM_email’] \u2013 to continue in-application authorization steps (if needed).<\/p>\n
openidc.conf content:<\/p>\n
LogLevel auth_openidc:debug\r\n\r\nLoadModule auth_openidc_module \/usr\/lib\/apache2\/modules\/mod_auth_openidc.so\r\n\r\nOIDCSSLValidateServer On\r\n\r\nOIDCProviderMetadataURL https:\/\/accounts.google.com\/.well-known\/openid-configuration\r\nOIDCClientID uuid-thing.apps.googleusercontent.com\r\nOIDCClientSecret uuid-thingU4W\r\n\r\nOIDCCryptoPassphrase S0m3S3cr3tPhrA53\r\nOIDCRedirectURI https:\/\/www.rushworth.us\/protected\r\nOIDCAuthNHeader X-LJR-AuthedUser\r\nOIDCScope \"openid email profile\"\r\n\r\n<Location \/protected>\r\n     AuthType openid-connect\r\n     Require valid-user\r\n<\/Location>\r\n\r\nOIDCOAuthSSLValidateServer On\r\nOIDCOAuthRemoteUserClaim Username\r\n<\/pre>\n","protected":false},"excerpt":{"rendered":"
PingID is another external authentication source that looks to be replacing ADFS at work in the not-too-distant future. Unfortunately, I\u2019ve not been able to get anyone to set up the \u201cother side\u201d of this authentication method \u2026 so the documentation is untested. There is an Apache Integration Kit available from PingID (https:\/\/www.pingidentity.com\/en\/resources\/downloads\/pingfederate.html). Documentation for setup …<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[30],"tags":[1122,1490,1488,1489,326],"class_list":["post-8376","post","type-post","status-publish","format-standard","hentry","category-system-administration","tag-apache-httpd","tag-auth_mod_openidc","tag-oauth","tag-oauth2","tag-sso"],"_links":{"self":[{"href":"https:\/\/www.rushworth.us\/lisa\/index.php?rest_route=\/wp\/v2\/posts\/8376","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.rushworth.us\/lisa\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.rushworth.us\/lisa\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.rushworth.us\/lisa\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.rushworth.us\/lisa\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=8376"}],"version-history":[{"count":6,"href":"https:\/\/www.rushworth.us\/lisa\/index.php?rest_route=\/wp\/v2\/posts\/8376\/revisions"}],"predecessor-version":[{"id":10791,"href":"https:\/\/www.rushworth.us\/lisa\/index.php?rest_route=\/wp\/v2\/posts\/8376\/revisions\/10791"}],"wp:attachment":[{"href":"https:\/\/www.rushworth.us\/lisa\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=8376"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.rushworth.us\/lisa\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=8376"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.rushworth.us\/lisa\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=8376"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}