Gluu Server - OpenIDC/mod_auth_openidc GitHub Wiki

Using mod_auth_openidc with Gluu Server

The Gluu Server is a container distribution of free open source software (FOSS) for identity and access management (IAM). To learn more, read the official documentation.

Overview

Web Server filters like mod_auth_openidc are a tried and true approach to achieving single sign-on (SSO) with server-side web applications. The web server filter enforces the presence of a token in an HTTP Request. If no token is present, the Web server may re-direct the person, or return a meaningful code or message to the application.

The following provides a quick start guide for using mod_auth_openidc to secure a simple CGI application with the Gluu Server. For more detailed information, visit the official documentation.

Pre-requirements

  • A working Gluu Server. Installation guide

  • A separate server with Apache HTTPD running and SSL enabled for the sample app and mod_auth_openidc

  • All hostnames should be DNS resolvable, or entries should be added in the /etc/hosts file on both the web server and Gluu Server

Install mod_auth_openidc

mod_auth_openidc requires the Ubuntu package libjansson4. Install it using the following command:

apt-get install libjansson4

Download and install the mod_auth_openidc and libjose packages from the Release Page and then run the following commands:

  • a2enmod auth_openidc
  • service apache2 restart

Add client in Gluu

In the Gluu Server create an OpenID Connect client with at least the following values:

Client Name: mod_auth_oidc
Description: Test client to test mod_auth_oidc
Client Secret: whatever_you_want
Application Type: Web
Pre-Authorization: True
Subject Type: public
Authentication method for the Token Endpoint: client_secret_basic
Redirect Login URIs: https://[RP_hostname]/callback
Scopes: email, openid, profile
Response Types: code
Grant Types: authorization_code

For more details about creating clients in Gluu, read the docs.

Configure mod_auth_openidc

For the purpose of this tutorial, we will secure a simple CGI script with mod_auth_openidc to send authentication requests to the Gluu Server. Details for setting up the sample CGI script and mod_auth_openidc are below.

Configure CGI script

  • vim -N /usr/lib/cgi-bin/printHeaders.cgi
  • Then paste below code and save:
#!/usr/bin/python

import os

d = os.environ
k = d.keys()
k.sort()

print "Content-type: text/html\n\n"

print "<HTML><Head><TITLE>Print Env Variables</TITLE></Head><BODY>"
print "<h1>Environment Variables</H1>"
for item in k:
    print "<p><B>%s</B>: %s </p>" % (item, d[item])
print "</BODY></HTML>"

Now run the following commands:

  • chown www-data:www-data /usr/lib/cgi-bin/printHeaders.cgi
  • chmod ug+x /usr/lib/cgi-bin/printHeaders.cgi
  • a2enmod cgid

Configure Apache VirtualHost

Configure mod_auth_openidc to protect the resource

  • vim -N /etc/apache2/sites-available/default-ssl.conf
  • Add the following details, substituting your values in placeholders below:
....
....
                BrowserMatch "MSIE [17-9]" ssl-unclean-shutdown


OIDCProviderMetadataURL https://[your_gluu_hostname]/.well-known/openid-configuration
OIDCClientID inum_of_your_client
OIDCClientSecret your_client_secret
OIDCResponseType code
OIDCProviderTokenEndpointAuth client_secret_basic
OIDCSSLValidateServer Off
OIDCProviderIssuer https://[Gluu_server_hostname]
OIDCRedirectURI https://[RP_hostname]/callback
OIDCCryptoPassphrase something_you_want
<Location "/">
    Require valid-user
    AuthType openid-connect
</Location>

    </VirtualHost>
    ...
.....
....

  • Restart apache2

Test SSO

Hit https://[rp_hostname]/cgi-bin/printHeaders.cgi and it should redirect to the Gluu Server for authentication. After successful authentication, a page displaying the RPs "Environment Variables" should be presented.

Support

Gluu offers VIP and community support via its support portal. If you have questions or need help, just register and open an issue.

⚠️ **GitHub.com Fallback** ⚠️