Curity Identity Server - OpenIDC/mod_auth_openidc GitHub Wiki
Integration Curity Identity Server with the Apache mod_auth_openidc module
Curity Identity Server provides centralized, secure and flexible authentication that enables SSO and MFA.
OAuth and OpenID Connect enable the use of tokens, scopes and claims in order to achieve a powerful and flexible authorization system for applications and APIs.
In addition to that a standardized SCIM API can be exposed to simplify access to legacy data sources for user management.
Overview
This is a quickstart guide that outlines the configuration details for integrating the Apache mod_auth_openidc module with the Curity Identity Server for authentication and access control of applications hosted in the Apache server.
A protected location is configured in the mod_auth_openidc module that enforces the presence of an access token. If no token is available the configuration will trigger a redirect to the Curity Identity Server where a token is issued after a successful authentication.
Configure Curity Identity Server
An installation of the Curity Identity Server is required and the rest of this guide assumes that the Curity Basic Setup Wizard has been completed.
Configure a client
- Log in to the Curity Admin UI (https://idsvr.example.com:6749/admin)
- Go to Profile -> Token Service -> Clients (left side menu) -> Click New Client
- Give it a name, for example `mod-auth-client`, then click Create
- In the Capabilities section, click Add capabilities
- Choose `Code Flow` and click Next
- Add the redirect URI of the application that is to be protected running in the Apache instance, e.g. https://apache-host/protected
- Set a `Client Authentication` method. In this guide `Secret` will be used. Choose secret from the drop-down menu and add a Secret that will later be used in the mod_auth_openidc module configuration
- Click Next and select Authenticator
- In the `OAuth/OpenID Settings` section, select and add the `openid` scope from the drop-down menu
- Make sure to commit the changes
This tutorial describing the configuration of the Code Flow is also a good resource.
Optionally, configure an Authenticator
- Log in to the Curity Admin UI (https://idsvr.example.com:6749/admin)
- Go to Profile -> Authentication Service -> Authenticators (left side menu) -> New Authenticator
- Give the authenticator a name (html). In this example we will use an `HTML Form` authenticator; select that option and click Next. Note that other types of authenticators could also be used.
- Choose a `Credentials Manager` and optionally an `Account Manager`
- Make sure to commit the changes
More details on configuring an Authenticator in Curity are outlined in this tutorial, Setup a Username Authenticator.
Configure the mod_auth_openidc module
Install Apache httpd with the mod_auth_openidc module according to the documentation. The readme is a good start.
`auth_openidc.conf` example snippet:

```apache
OIDCRedirectURI /protected
OIDCCryptoPassphrase MyPa$$phrase
OIDCProviderMetadataURL https://idsvr.example.com/oauth/v2/oauth-anonymous/.well-known/openid-configuration
```

If a Metadata URL is not used, the needed URLs can be configured manually:

```apache
OIDCProviderIssuer https://idsvr.example.com
OIDCProviderAuthorizationEndpoint https://idsvr.example.com/oauth/v2/oauth-authorize
OIDCProviderTokenEndpoint https://idsvr.example.com/oauth/v2/oauth-token
```
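When switching from the metadata URL to manual configuration it helps to see exactly what the discovery document would have supplied and to sanity-check it before copying values into the module configuration. The following Python example is added here and is not part of this wiki page, of mod_auth_openidc or of the Curity Identity Server: it parses a discovery document constructed to resemble what Curity publishes at its `.well-known/openid-configuration` URL, checks that every endpoint is an absolute https URL, that the issuer carries no query or fragment, and that the issuer equals the value the operator expects (the issuer is what ID tokens are validated against, so a mismatch means tokens from the wrong provider would be accepted or every login would fail), then emits the corresponding directives. The `OIDCProviderJwksUri` directive is in addition to the three shown above; the discovery document and all of its values are constructed for this example.

```python
import json
from urllib.parse import urlsplit

# Constructed discovery document, modelled on the fields a Curity Identity
# Server publishes at its .well-known/openid-configuration URL. The values
# are constructed for this example, not captured from a live server.
DISCOVERY_JSON = """
{
  "issuer": "https://idsvr.example.com",
  "authorization_endpoint": "https://idsvr.example.com/oauth/v2/oauth-authorize",
  "token_endpoint": "https://idsvr.example.com/oauth/v2/oauth-token",
  "jwks_uri": "https://idsvr.example.com/oauth/v2/oauth-anonymous/jwks",
  "scopes_supported": ["openid", "profile"]
}
"""

# Discovery fields that mod_auth_openidc needs when OIDCProviderMetadataURL is
# not used, mapped to the directive that carries each value manually.
DIRECTIVES = {
    "issuer": "OIDCProviderIssuer",
    "authorization_endpoint": "OIDCProviderAuthorizationEndpoint",
    "token_endpoint": "OIDCProviderTokenEndpoint",
    "jwks_uri": "OIDCProviderJwksUri",
}


def load_discovery(text):
    """Parse a discovery document from its JSON text into a dict."""
    return json.loads(text)


def discovery_problems(doc, expected_issuer):
    """Return a list of reasons not to trust this document (empty if it is fine).

    Checks: every required field is present and is an absolute https URL; the
    issuer has no query or fragment (as OpenID Connect Discovery requires) and
    equals the issuer the operator expects, because ID token validation in the
    module compares the token's "iss" claim against that exact string.
    """
    problems = []
    for field in DIRECTIVES:
        value = doc.get(field)
        if value is None:
            problems.append(f"missing {field}")
            continue
        parts = urlsplit(value)
        if parts.scheme != "https" or not parts.netloc:
            problems.append(f"{field} is not an absolute https URL: {value!r}")
    issuer = doc.get("issuer")
    if issuer is not None:
        parts = urlsplit(issuer)
        if parts.query or parts.fragment:
            problems.append("issuer must not contain a query or fragment")
        if issuer != expected_issuer:
            problems.append(f"issuer {issuer!r} does not match expected {expected_issuer!r}")
    return problems


def manual_directives(doc_json, expected_issuer):
    """Render the manual mod_auth_openidc directives for a validated document.

    Raises ValueError listing every problem rather than emitting a partial or
    untrustworthy configuration.
    """
    doc = load_discovery(doc_json)
    problems = discovery_problems(doc, expected_issuer)
    if problems:
        raise ValueError("; ".join(problems))
    return [f"{directive} {doc[field]}" for field, directive in DIRECTIVES.items()]


if __name__ == "__main__":
    for line in manual_directives(DISCOVERY_JSON, "https://idsvr.example.com"):
        print(line)
```

Run it as a script to print the four directives for the constructed document; point `load_discovery` at the text you fetch from your own metadata URL to derive them for a real installation. Any rejection is deliberate: a token endpoint served over plain http or an issuer that is not the one you configured in Curity are the cases where silently copying values would be a mistake.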
`openidc.conf` example snippet:

```apache
OIDCProviderMetadataURL https://idsvr.example.com/oauth/v2/oauth-anonymous/.well-known/openid-configuration
OIDCRedirectURI /protected
OIDCClientID mod-auth-client
OIDCClientSecret MyPa$$w0rd
OIDCCryptoPassphrase MyPa$$phrase
```
Questions?
For questions and comments, contact Curity.