Curity Identity Server - OpenIDC/mod_auth_openidc GitHub Wiki

Integrating the Curity Identity Server with the Apache mod_auth_openidc module

The Curity Identity Server provides centralized, secure and flexible authentication that enables SSO and MFA.

OAuth and OpenID Connect enable the use of tokens, scopes and claims to build a powerful and flexible authorization model for applications and APIs.

In addition, a standardized SCIM API can be exposed to simplify access to legacy data sources for user management.

Overview

This is a quickstart guide that outlines the configuration details for integrating the Apache mod_auth_openidc module with the Curity Identity Server, for authentication and access control of applications hosted on the Apache server.

A protected location is configured in the mod_auth_openidc module that requires an authenticated OpenID Connect session. If no valid session exists, the module redirects the browser to the Curity Identity Server. After successful authentication the module receives an authorization code at its redirect URI, exchanges it at the token endpoint, validates the ID token and establishes a session (an encrypted cookie) for the protected location.

Configure Curity Identity Server

An installation of the Curity Identity Server is required and the rest of this guide assumes that the Curity Basic Setup Wizard has been completed.

Configure a client

  • Log in to the Curity Admin UI (https://idsvr.example.com:6749/admin)
  • Go to Profile -> Token Service -> Clients (left side menu) -> Click New Client
  • Give it a name, for example mod-auth-client, then click Create
  • In the Capabilities section, click Add capabilities
  • Choose Code Flow and click Next
  • Add the redirect URI of the application to be protected in the Apache instance, for example https://apache-host/protected. This value must match the OIDCRedirectURI configured in the module exactly (scheme, host, port and path); note that mod_auth_openidc expects the redirect URI to be a path inside the protected location that does not serve a real resource.
  • Set a Client Authentication method. In this guide Secret is used: choose Secret from the drop-down menu and add a secret. The same value is later configured as OIDCClientSecret in the mod_auth_openidc module.
  • Click Next and select an Authenticator
  • In the OAuth/OpenID Settings section, select and add the openid scope from the drop-down menu. The module requests the openid scope by default, and it is the openid scope that makes Curity issue an ID token.
  • Make sure to commit the changes

The tutorial describing the configuration of the Code Flow is also a good resource.

Optionally, configure an Authenticator

  • Log in to the Curity Admin UI (https://idsvr.example.com:6749/admin)
  • Go to Profile -> Authentication Service -> Authenticators (left side menu) -> New Authenticator
  • Give the authenticator a name, for example html. This example uses an HTML Form authenticator; select that type and click Next. Other authenticator types can be used as well.
  • Choose a Credentials Manager and optionally an Account Manager
  • Make sure to commit the changes

More details on configuring an authenticator in Curity are outlined in the tutorial Setup a Username Authenticator.

Configure the mod_auth_openidc module

Install Apache httpd and the mod_auth_openidc module according to the module's documentation; the README is a good starting point.

auth_openidc.conf example snippet

```apache
OIDCRedirectURI /protected
OIDCCryptoPassphrase MyPa$$phrase
OIDCProviderMetadataURL https://idsvr.example.com/oauth/v2/oauth-anonymous/.well-known/openid-configuration
```

If a metadata URL is not used, the needed URLs can be configured manually. Two things matter here: OIDCProviderIssuer must equal the issuer field of Curity's discovery document (the iss claim in its ID tokens), otherwise the module rejects every ID token; per OpenID Connect Discovery that is the metadata URL without the /.well-known/openid-configuration suffix, so for the metadata URL above it is the oauth-anonymous URL rather than the bare server base URL. Without metadata the module also needs OIDCProviderJwksUri so that it can fetch the signing keys used to validate ID tokens.

```apache
OIDCProviderIssuer https://idsvr.example.com/oauth/v2/oauth-anonymous
OIDCProviderAuthorizationEndpoint https://idsvr.example.com/oauth/v2/oauth-authorize
OIDCProviderTokenEndpoint https://idsvr.example.com/oauth/v2/oauth-token
```

openidc.conf example snippet

```apache
OIDCProviderMetadataURL https://idsvr.example.com/oauth/v2/oauth-anonymous/.well-known/openid-configuration
OIDCRedirectURI /protected
OIDCClientID mod-auth-client
OIDCClientSecret MyPa$$w0rd
OIDCCryptoPassphrase MyPa$$phrase
```
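The snippets above only show the provider and client settings; nothing on the page shows the Location block that actually enforces authentication, or how to turn the resulting claims into something the application can use. The following complete configuration is an added example written for this page, not code from the page or from the mod_auth_openidc project. It assumes: the module is loaded from modules/mod_auth_openidc.so; the Apache host is apache-host; the redirect URI is changed from the page's /protected to /protected/redirect_uri (a path inside the protected location that serves no real content, which is what the module expects), and the Curity client registers exactly that URL; the commented-out issuer and JWKS URLs are the Curity defaults for the given metadata URL (an assumption, verify them against the discovery document); the Require claim line assumes Curity has been configured to issue a role claim. The secret and passphrase are placeholders.

```apache
# Added example configuration for httpd, e.g. conf.d/openidc.conf (file location is an assumption)
LoadModule auth_openidc_module modules/mod_auth_openidc.so

# Provider: let the module read endpoints and signing keys from Curity's discovery document
OIDCProviderMetadataURL https://idsvr.example.com/oauth/v2/oauth-anonymous/.well-known/openid-configuration

# Without discovery the same must be spelled out. The issuer must equal the "issuer"
# field of the discovery document or ID-token validation fails. Values assumed to be
# the Curity defaults for the metadata URL above:
#OIDCProviderIssuer https://idsvr.example.com/oauth/v2/oauth-anonymous
#OIDCProviderAuthorizationEndpoint https://idsvr.example.com/oauth/v2/oauth-authorize
#OIDCProviderTokenEndpoint https://idsvr.example.com/oauth/v2/oauth-token
#OIDCProviderJwksUri https://idsvr.example.com/oauth/v2/oauth-anonymous/jwks

# Client registered in Curity (see "Configure a client"); secret is a placeholder,
# use the value generated in the Admin UI and keep this file readable by root only
OIDCClientID mod-auth-client
OIDCClientSecret MyPa$$w0rd

# Callback path: inside the protected location, registered verbatim in the Curity client
OIDCRedirectURI https://apache-host/protected/redirect_uri

# Key used to encrypt the session and state cookies: a long random value, never the client secret
OIDCCryptoPassphrase MyPa$$phrase

# openid is required for an ID token; profile and email add claims for the application
OIDCScope "openid profile email"

# Hardening: PKCE on the code flow, HttpOnly/SameSite session cookie, bounded session lifetime
OIDCPKCEMethod S256
OIDCCookieHTTPOnly On
OIDCCookieSameSite On
OIDCSessionInactivityTimeout 900
OIDCSessionMaxDuration 28800

# Which claim becomes REMOTE_USER, and how claims are passed to the application
OIDCRemoteUserClaim sub
OIDCPassClaimsAs headers

# Any authenticated user may reach /protected; unauthenticated requests are redirected to Curity
<Location /protected>
    AuthType openid-connect
    Require valid-user
</Location>

# A sub-path restricted on a claim value (Require claim name:value);
# assumes Curity issues a "role" claim for this client
<Location /protected/admin>
    AuthType openid-connect
    Require claim role:admin
</Location>
```

When OIDCPassClaimsAs is set to headers, only let the application trust those headers when the request came through this Apache instance: the module strips incoming OIDC_CLAIM_* headers from client requests, but a backend reachable on another path would not be protected.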

Questions?

For questions and comments, contact Curity.

[email protected] | https://curity.io