Gluu Server - OpenIDC/mod_auth_openidc GitHub Wiki
The Gluu Server is a container distribution of free open source software (FOSS) for identity and access management (IAM). To learn more, read the official documentation.
Web server filters like mod_auth_openidc are a tried and true approach to achieving single sign-on (SSO) with server-side web applications. The web server filter enforces the presence of a token in an HTTP request. If no token is present, the web server may redirect the person, or return a meaningful code or message to the application.
The following provides a quick start guide for using mod_auth_openidc to secure a simple CGI application with the Gluu Server. For more detailed information, visit the official documentation.
- A working Gluu Server. Installation guide
- A separate server with Apache HTTPD running and SSL enabled for the sample app and mod_auth_openidc
- All hostnames should be DNS resolvable, or entries should be added in the /etc/hosts file on both the web server and the Gluu Server
mod_auth_openidc requires the Ubuntu package libjansson4. Install it using the following command:
apt-get install libjansson4
Download and install the mod_auth_openidc and libjose packages from the Release Page and then run the following commands:
a2enmod auth_openidc
service apache2 restart
In the Gluu Server create an OpenID Connect client with at least the following values:
Client Name: mod_auth_oidc
Description: Test client to test mod_auth_oidc
Client Secret: whatever_you_want
Application Type: Web
Pre-Authorization: True
Subject Type: public
Authentication method for the Token Endpoint: client_secret_basic
Redirect Login URIs: https://[RP_hostname]/callback
Scopes: email, openid, profile
Response Types: code
Grant Types: authorization_code
For more details about creating clients in Gluu, read the docs.
For the purpose of this tutorial, we will secure a simple CGI script with mod_auth_openidc to send authentication requests to the Gluu Server. Details for setting up the sample CGI script and mod_auth_openidc are below.
vim -N /usr/lib/cgi-bin/printHeaders.cgi
- Then paste the code below and save:
#!/usr/bin/python3
import html
import os

# Print every environment variable the web server (and mod_auth_openidc)
# hands to the CGI script, in sorted order. Values are HTML-escaped so that
# request headers reflected into the page cannot inject markup.
env = os.environ
print("Content-type: text/html\n")
print("<HTML><Head><TITLE>Print Env Variables</TITLE></Head><BODY>")
print("<h1>Environment Variables</h1>")
for name in sorted(env):
    print("<p><B>%s</B>: %s </p>" % (html.escape(name), html.escape(env[name])))
print("</BODY></HTML>")
Now run the following commands:
chown www-data:www-data /usr/lib/cgi-bin/printHeaders.cgi
chmod ug+x /usr/lib/cgi-bin/printHeaders.cgi
a2enmod cgid
Configure mod_auth_openidc to protect the resource
vim -N /etc/apache2/sites-available/default-ssl.conf
- Add the following details, substituting your own values for the placeholders below:
....
....
BrowserMatch "MSIE [17-9]" ssl-unclean-shutdown
OIDCProviderMetadataURL https://[your_gluu_hostname]/.well-known/openid-configuration
OIDCClientID inum_of_your_client
OIDCClientSecret your_client_secret
OIDCResponseType code
OIDCProviderTokenEndpointAuth client_secret_basic
OIDCSSLValidateServer Off
OIDCProviderIssuer https://[Gluu_server_hostname]
OIDCRedirectURI https://[RP_hostname]/callback
OIDCCryptoPassphrase something_you_want
<Location "/">
Require valid-user
AuthType openid-connect
</Location>
</VirtualHost>
...
.....
....
- Restart apache2
Hit https://[rp_hostname]/cgi-bin/printHeaders.cgi and it should redirect to the Gluu Server for authentication. After successful authentication, a page displaying the RP's "Environment Variables" should be presented.
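A small consistency check, added here and not part of the Gluu or mod_auth_openidc projects, that compares the directive values from the block above with the client registration and the provider's discovery document; the config text, metadata and client values it embeds are constructed samples. It also flags OIDCSSLValidateServer Off, which turns off certificate verification of the Gluu Server and is only appropriate while testing with self-signed certificates, and any tutorial placeholder left in place.

```python
import json
import re

# Constructed sample of the directives from this page, with hostnames filled in
# as example values and the tutorial placeholders left untouched (not a real deployment).
SAMPLE_CONF = """
OIDCProviderMetadataURL https://idp.example.org/.well-known/openid-configuration
OIDCClientID inum_of_your_client
OIDCClientSecret your_client_secret
OIDCResponseType code
OIDCProviderTokenEndpointAuth client_secret_basic
OIDCSSLValidateServer Off
OIDCProviderIssuer https://idp.example.org
OIDCRedirectURI https://rp.example.org/callback
OIDCCryptoPassphrase something_you_want
"""
# Constructed stand-in for the provider's discovery document.
SAMPLE_METADATA = json.dumps({"issuer": "https://idp.example.org",
                              "response_types_supported": ["code", "id_token"]})
# What was entered in the Gluu client registration above.
SAMPLE_CLIENT = {"redirect_uris": ["https://rp.example.org/callback"],
                 "response_types": ["code"],
                 "token_endpoint_auth_method": "client_secret_basic"}
PLACEHOLDERS = {"inum_of_your_client", "your_client_secret", "something_you_want"}

def parse_directives(conf):
    """Map OIDC* directive name -> value (last occurrence wins)."""
    return dict(re.findall(r"^[ \t]*(OIDC\w+)[ \t]+(\S+)", conf, re.MULTILINE))

def check_config(conf, metadata_json, client):
    """Return findings (strings); an empty list means everything lines up."""
    d, meta, out = parse_directives(conf), json.loads(metadata_json), []
    if d.get("OIDCProviderIssuer") != meta["issuer"]:
        out.append("issuer: OIDCProviderIssuer differs from discovery 'issuer'")
    rt = d.get("OIDCResponseType")
    if rt not in meta["response_types_supported"] or rt not in client["response_types"]:
        out.append("response_type: not supported by provider or not registered for client")
    ru = d.get("OIDCRedirectURI", "")
    if ru not in client["redirect_uris"] or not ru.startswith("https://"):
        out.append("redirect_uri: must be https and exactly match a registered URI")
    if d.get("OIDCProviderTokenEndpointAuth") != client["token_endpoint_auth_method"]:
        out.append("token_auth: method differs from the client registration")
    if d.get("OIDCSSLValidateServer", "On").lower() == "off":
        out.append("tls: OIDCSSLValidateServer Off disables certificate checks on the provider")
    for name in ("OIDCClientID", "OIDCClientSecret", "OIDCCryptoPassphrase"):
        if d.get(name) in PLACEHOLDERS:
            out.append(f"placeholder: {name} still holds the tutorial placeholder value")
    return out
```

Run check_config on your own default-ssl.conf text and the JSON fetched from OIDCProviderMetadataURL before restarting Apache; an empty result means the RP, client registration and provider agree.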
Gluu offers VIP and community support via its support portal. If you have questions or need help, just register and open an issue.