FreshRSS / FreshRSS

A free, self-hostable news aggregator…
https://freshrss.org
GNU Affero General Public License v3.0

Is OpenID Connect expected to work with ARM? #5722

Open tsrats opened 10 months ago

tsrats commented 10 months ago

Describe the bug

Attempting to deploy the container freshrss/freshrss:1.22.0-arm to a Kubernetes cluster, and the container crashes with only the error log "Enabling module auth_openidc". Looking at the https://github.com/OpenIDC/mod_auth_openidc project, it is unclear if ARM/ARM64 is supported, or only x64.

To Reproduce

Steps to reproduce the behavior: Deploy latest container image with OpenID Connect enabled in ENV.

Expected behavior

Container at least runs (unsure if other ENV values are right, but cannot test with container crashing).

Screenshots

N/A

Environment information (please complete the following information):

Additional context

N/A

Alkarex commented 10 months ago

Hello, Sorry no, and I should update the readme / docs to say so. See this related issue, and help welcome! https://github.com/OpenIDC/mod_auth_openidc/discussions/1067

Alkarex commented 10 months ago

Hello again. What is your processor / architecture, more precisely?

tsrats commented 10 months ago

Hi!

I am running this on Oracle Cloud, which is using Ampere Altra A1 I believe.

Alkarex commented 8 months ago

Let's track when mod_auth_openidc 2.4.15 with https://github.com/OpenIDC/mod_auth_openidc/commit/4a4e198b62bf0370e60545ff26064a0b65d50784 lands in Debian https://packages.debian.org/bookworm/libapache2-mod-auth-openidc or in Alpine https://pkgs.alpinelinux.org/packages?name=apache-mod-auth-openidc-doc&branch=edge&arch=armv7

mytlogos commented 6 months ago

apache-mod-auth-openidc-doc 2.4.15.3-r0 is available for alpine in the testing repo (armv7 and armv8 (arm64)), is this enough?

Alkarex commented 6 months ago

Alpine testing is only used in our https://github.com/FreshRSS/FreshRSS/blob/edge/Docker/Dockerfile-Newest

So please try the following. Feedback or additional PR welcome:

  freshrss:
    image: freshrss/freshrss:newest
    build:
      context: https://github.com/FreshRSS/FreshRSS.git#edge
      dockerfile: Docker/Dockerfile-Newest
    ...

Snuffy2 commented 6 months ago

I'm sorry I missed this, but until this issue is resolved, OIDC also won't work for ARM64, correct? I see ARM mentioned a lot and I'm not clear if this includes ARM64. I ask because I've been trying to get OIDC working on RPi 4 running 64 bit OS and it's not working.

I just tried running "Newest" with errors:

freshrss  | Enabling module auth_openidc.
freshrss  | [Fri Mar 08 11:12:33.507019 2024] [core:warn] [pid 1] AH00111: Config variable ${OIDC_CLIENT_CRYPTO_KEY} is not defined
freshrss  | AH00526: Syntax error on line 22 of /etc/apache2/conf.d/FreshRSS.Apache.conf:
freshrss  | The auth_openidc_module is not available. Install it or unset environment variable OIDC_ENABLED.
freshrss exited with code 0

Alkarex commented 6 months ago

It would be good to have a bit of manual testing. Run the Newest image without OIDC_ENABLED, and then check the content of /etc/apache2/conf.d/mod-auth-openidc.conf.bak, what it refers to, and related files.
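As an added example (not FreshRSS or mod_auth_openidc code), a small POSIX shell preflight that performs the manual check above offline: it parses the LoadModule lines of an Apache conf such as mod-auth-openidc.conf.bak, confirms each referenced .so actually exists under the server root for this image and architecture, and reports which ${OIDC_...} variables Apache would log as undefined (the AH00111 warning in the log above). The conf path, the server root argument and the /var/www ServerRoot mentioned in the usage comment are assumptions.

```shell
#!/bin/sh
# Added example, not FreshRSS or mod_auth_openidc code: a preflight check that
# mirrors the manual test in the thread. It answers two questions the logs raise:
#   1. does every "LoadModule" line in the Apache conf point at a shared object
#      that exists for this image/architecture ("auth_openidc_module is not
#      available" means it does not)?
#   2. are the ${OIDC_...} variables the FreshRSS Apache config expands set
#      (Apache logs AH00111 for each undefined one)?
# Assumptions: the conf path and the Apache server root are supplied by the
# caller; relative module paths (modules/mod_x.so) are resolved under that root.

# check_loadmodules <conf file> <server root>
# Prints one line per LoadModule directive; returns the number of missing .so files.
check_loadmodules() {
    conf="$1"
    root="$2"
    bad=0
    [ -r "$conf" ] || { printf 'cannot read %s\n' "$conf"; return 1; }
    # A here-document keeps the loop in the current shell so $bad survives;
    # commented-out LoadModule lines do not match the grep and are ignored.
    while read -r _directive name path; do
        [ -n "$path" ] || continue
        # Strip optional surrounding double quotes from the path.
        path=${path#\"}
        path=${path%\"}
        case "$path" in
            /*) so="$path" ;;
            *)  so="$root/$path" ;;
        esac
        if [ -f "$so" ]; then
            printf 'ok      %-24s %s\n' "$name" "$so"
        else
            printf 'MISSING %-24s %s\n' "$name" "$so"
            bad=$((bad + 1))
        fi
    done <<EOF
$(grep -E '^[[:space:]]*LoadModule[[:space:]]' "$conf")
EOF
    return "$bad"
}

# check_env_vars <VAR>...
# Reports which of the named variables are unset or empty in the current
# environment; returns the number of unset ones.
check_env_vars() {
    unset_count=0
    for name in "$@"; do
        # Accept only identifier-shaped names before handing them to eval.
        case "$name" in
            ''|[0-9]*|*[!A-Za-z0-9_]*)
                printf 'skip    %s (not a variable name)\n' "$name"
                continue ;;
        esac
        eval "val=\${$name:-}"
        if [ -n "$val" ]; then
            printf 'set     %s\n' "$name"
        else
            printf 'UNSET   %s\n' "$name"
            unset_count=$((unset_count + 1))
        fi
    done
    return "$unset_count"
}

# Stand-alone usage, e.g. inside a container started without OIDC_ENABLED:
#   sh oidc_preflight.sh /etc/apache2/conf.d/mod-auth-openidc.conf.bak /var/www
# (the /var/www ServerRoot is an assumption for the Alpine-based image).
if [ "$#" -eq 2 ]; then
    check_loadmodules "$1" "$2"
    check_env_vars OIDC_ENABLED OIDC_CLIENT_CRYPTO_KEY
fi
```

A non-zero exit from check_loadmodules on an ARM image is the quickest confirmation that the package the thread is waiting for has not landed in that image yet.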

mytlogos commented 5 months ago

1. docker compose build
2. docker run -it --rm freshrss/freshrss:newest cat /etc/apache2/conf.d/mod-auth-openidc.conf.bak

Contents of file

```
LoadModule auth_openidc_module modules/mod_auth_openidc.so

########################################################################################
#
# Common Settings
#
########################################################################################

# (Mandatory)
# The redirect_uri for this OpenID Connect client; this is a vanity URL
# that must ONLY point to a path on your server protected by this module
# but it must NOT point to any actual content that needs to be served.
# You can use a relative URL like /protected/redirect_uri if you want to
# support multiple vhosts that belong to the same security domain in a dynamic way
#OIDCRedirectURI https://www.example.com/protected/redirect_uri

# (Mandatory)
# Set a password for crypto purposes, this is used for:
# - encryption of the (temporary) state cookie
# - encryption of cache entries, that may include the session cookie, see: OIDCCacheEncrypt and OIDCSessionType
# Note that an encrypted cache mechanism can be shared between servers if they use the same OIDCCryptoPassphrase
# If the value begins with exec: the resulting command will be executed and the
# first line returned to standard output by the program will be used as the password, e.g:
# OIDCCryptoPassphrase "exec:/bin/bash -c \"head /dev/urandom | tr -dc A-Za-z0-9 | head -c 32\""
# (notice that the above typically only works in non-clustered environments)
# The command may be absolute or relative to the web server root.
#
# A second value can be used temporarily in case of passphrase rollover: the first (i.e. new) passphrase
# will be used for encryption of new values (including a "kid" in the JWEs during the time 2 values are defined),
# both values will be used for verification (leveraging the "kid" if present); for seamless rollover one should
# (at minimum) wait for OIDCSessionInActivityTimeout seconds before removing the 2nd (i.e. old) passprase again.
#OIDCCryptoPassphrase [ | "exec:/path/to/otherProgram arg1" ] [ | "exec:/path/to/otherProgram arg2" ]

#
# All other entries below this are optional though some may be required in a
# particular setup e.g. OAuth 2.0 Resource Server vs. OpenID Connect Relying Party
#

# When using multiple OpenID Connect Providers, possibly combined with Dynamic Client
# Registration and account-based OP Discovery.
# Specifies the directory that holds metadata files (must be writable for the Apache process/user).
# When not specified, it is assumed that we use a single statically configured provider as
# described under the section "OpenID Connect Provider" below, most likely using OIDCProviderMetadataURL.
#OIDCMetadataDir /var/cache/apache2/mod_auth_openidc/metadata

########################################################################################
#
# OpenID Connect Provider
#
# For configuration of a single static provider, not using OpenID Connect Provider Discovery.
#
########################################################################################

# URL where OpenID Connect Provider metadata can be found (e.g. https://accounts.google.com/.well-known/openid-configuration)
# The obtained metadata will be cached and refreshed every 24 hours.
# If set, individual entries below will not have to be configured but can be used to add
# extra entries/endpoints to settings obtained from the metadata.
# If OIDCProviderMetadataURL is not set, the entries below it will have to be configured for a single
# static OP configuration or OIDCMetadataDir will have to be set for configuration of multiple OPs.
#OIDCProviderMetadataURL

# OpenID Connect Provider issuer identifier (e.g. https://localhost:9031 or https://accounts.google.com)
# Used when OIDCProviderMetadataURL is not defined or the metadata obtained from that URL does not set it.
#OIDCProviderIssuer

# OpenID Connect Provider Authorization Endpoint URL (e.g. https://localhost:9031/as/authorization.oauth2)
# Used when OIDCProviderMetadataURL is not defined or the metadata obtained from that URL does not set it.
#OIDCProviderAuthorizationEndpoint

# OpenID Connect Provider JWKS URL (e.g. https://localhost:9031/pf/JWKS)
# i.e. the URL on which the signing keys for this OP are hosted, in JWK formatting
# Used when OIDCProviderMetadataURL is not defined or the metadata obtained from that URL does not set jwks_uri.
#OIDCProviderJwksUri

# OpenID Connect Provider Signed JWKS URL (e.g. https://localhost:9031/pf/JWKS) followed by the verification key set
# formatted as either JWK or JWKS. The verification key set is used to verify the provided JWKs value.
# Specifying multiple keys allows the OP rotate the key used for signing the JWKs.
# I.e this is the URL on which the ID Token signing keys for this OP are hosted, in verifiable JWT formatting
# rather than relying on TLS for authentication and integrity protection.
# Used when OIDCProviderMetadataURL is not defined or the metadata obtained from that URL does not set signed_jwks_uri.
# When defined it takes precedence over OIDCProviderJwksUri
# Examples:
# OIDCProviderSignedJwksUri https://localhost:9031/pf/JWKS "{\"kty\":\"oct\", \"k\":\"AyM1SysPpbyDfgZld3umj1qzKObwVMkoqQ-EstJQLr_T-1qS0gZH75aKtMN3Yj0iPS4hcgUuTwjAzZr1Z9CAow\"}"
# OIDCProviderSignedJwksUri https://localhost:9031/pf/JWKS "{\"keys\":[{\"kty\":\"oct\", \"k\":\"AyM1SysPpbyDfgZld3umj1qzKObwVMkoqQ-EstJQLr_T-1qS0gZH75aKtMN3Yj0iPS4hcgUuTwjAzZr1Z9CAow\"}]}"
# NB: for multi-OP setups:
# the 1st parameter is not used, it needs to be set anyhow (e.g. to "") if you wish to used the 2nd parameter
# the 2nd parameter is the default verification JWK for content pulled from the signed_jwks_uri for all providers and
# and its can be overridden with a per-provider key in the .conf file using the key: signed_jwks_uri_key
#OIDCProviderSignedJwksUri [ | ]

# The fully qualified names of the files that contain the X.509 certificates with the RSA/EC public
# keys that can be used for ID Token verification.
# NB: this is one or more key tuples where a key tuple consists of:
# ["sig:"|"enc:"][#]
# and the key identifier part is required when the ID Token contains a "kid" in its header.
# Specify the prefix "sig:" or "enc:" to indicate a key is specifically to be used for signing or encryption.
# When not defined, ID Token validation key material has to be obtained through OIDCProviderJwksUri or OIDCProviderMetadataURL
#OIDCProviderVerifyCertFiles (["sig:"|"enc:"][#])+

# OpenID Connect Provider Token Endpoint URL (e.g. https://localhost:9031/as/token.oauth2)
# Used when OIDCProviderMetadataURL is not defined or the metadata obtained from that URL does not set it.
#OIDCProviderTokenEndpoint

# Authentication method for the OpenID Connect Provider Token Endpoint.
# When "private_key_jwt" is used, OIDCPrivateKeyFiles and OIDCPublicKeyFiles must have been set.
# When not defined the default method from the specification is used, i.e. "client_secret_basic".
# Used when OIDCProviderMetadataURL is not defined or the metadata obtained from that URL does not set it.
# NB: this can be overridden for dynamic client registration on a per-OP basis in the .conf file using the key: token_endpoint_auth
#OIDCProviderTokenEndpointAuth [ client_secret_basic | client_secret_post | client_secret_jwt | private_key_jwt | none ]

# Extra parameters that need to be passed in the POST request to the Token Endpoint.
# Parameter names and values need to be provided in URL-encoded form.
# When not defined no extra parameters will be passed.
# NB: this can be overridden on a per-OP basis in the .conf file using the key: token_endpoint_params
#OIDCProviderTokenEndpointParams =[&=]*

# OpenID Connect Provider UserInfo Endpoint URL (e.g. https://localhost:9031/idp/userinfo.openid)
# When not defined no claims will be resolved from such endpoint.
# Used when OIDCProviderMetadataURL is not defined or the metadata obtained from that URL does not set it.
#OIDCProviderUserInfoEndpoint

# OpenID OP Check Session iFrame URL, for Session Management purposes.
# When not defined, no Session Management will be applied.
# Used when OIDCProviderMetadataURL is not defined or the metadata obtained from that URL does not set it.
#OIDCProviderCheckSessionIFrame

# OpenID OP End Session Endpoint URL, for Single Logout (Session Management) purposes.
# When not defined, no logout to the OP will be performed.
# Used when OIDCProviderMetadataURL is not defined or the metadata obtained from that URL does not set it.
#OIDCProviderEndSessionEndpoint

# Extra parameters that will be sent along with the Logout Request.
# These must be URL-query-encoded as in: "client_id=myclient&prompt=none".
# This is used against a statically configured (single) OP or serves as the default for discovered OPs.
# The default is to not add extra parameters.
# NB: this can be overridden on a per-OP basis in the .conf file using the key: logout_request_params
#OIDCLogoutRequestParams

# The RFC 7009 Token Revocation Endpoint URL.
# When defined, the refresh token and access token stored in an OIDC session will be revoked on logout.
# Used when OIDCProviderMetadataURL is not defined or the metadata obtained from that URL does not set it.
#OIDCProviderRevocationEndpoint

# Define whether the OP supports OpenID Connect Back Channel Logout.
# According to: https://openid.net/specs/openid-connect-backchannel-1_0.html
# Used when OIDCProviderMetadataURL is not defined or the metadata obtained from that URL does not set it.
#OIDCProviderBackChannelLogoutSupported [On|Off]

# Extra JSON parameters that need to be passed in the registration request to the Registration Endpoint.
# This settings serves as a default value for multiple OPs only.
# Parameter names and values need to be provided in JSON form and will be merged in to the request.
# When not defined no extra parameters will be passed.
# NB: this can be overridden on a per-OP basis in the .conf file using the key: registration_endpoint_json
#OIDCProviderRegistrationEndpointJson

# Define the OpenID Connect scope that is requested from the OP (eg. "openid email profile").
# When not defined, the bare minimal scope "openid" is used.
# NB: multiple scope values must be enclosed in a single pair of double quotes
# NB: this can be overridden on a per-OP basis in the .conf file using the key: scope
#OIDCScope ""

# Extra parameters that will be sent along with the Authorization Request.
# These must be URL-query-encoded as in: "display=popup&prompt=consent" or
# specific for Google's implementation: "approval_prompt=force".
# This is used against a statically configured (single) OP or serves as the default for discovered OPs.
# As an alternative to this option, one may choose to add the parameters as
# part of the URL set in OIDCProviderAuthorizationEndpoint or "authorization_endpoint"
# in the .provider metadata (though that would not work with Discovery OPs).
#
# One can pass on query parameters from the request to the authorization request by adding
# e.g. "foo=#" which which will dynamically pull in the query parameter value from the
# request query parameter and add it to the authentication request to the OP.
#
# The default is to not add extra parameters.
# NB: this can be overridden on a per-OP basis in the .conf file using the key: auth_request_params
#OIDCAuthRequestParams

# Require a valid SSL server certificate when communicating with the OP.
# (i.e. on token endpoint, UserInfo endpoint and Dynamic Client Registration endpoint)
# When not defined, the default value is "On".
# NB: this can be overridden on a per-OP basis in the .conf file using the key: ssl_validate_server
#OIDCSSLValidateServer [On|Off]

# Sets the path to the CA bundle to be used by cURL
# When not defined, the default bundle for libcurl is used as provided by the platform.
#OIDCCABundlePath

# Require configured issuer to match the issuer returned in id_token.
# (Disable to support Azure AD multi-tenant applications.)
# When not defined, the default value is "On".
#OIDCValidateIssuer [On|Off]

# The refresh interval in seconds for the claims obtained from the userinfo endpoint
# When not defined the claims are retrieved only once, at session creation time.
# If refreshing fails, it is assumed that the access token is expired and an attempt will be made
# to refresh the access token using the refresh token grant, after which a second attempt is made
# to obtain claims from the userinfo endpoint with the new access token.
# NB: this can be overridden on a per-OP basis in the .conf file using the key: userinfo_refresh_interval
# The optional logout_on_error flag will make the user logout the current local session if the userinfo request fails.
# The optional authenticate_on_error flag sends the user for authentication when the userinfo request fails.
#OIDCUserInfoRefreshInterval [ logout_on_error | authenticate_on_error ]

# The refresh interval in seconds for the JWKs key set obtained from the jwks_uri and signed_jwks_uri.
# When not defined the default is 3600 seconds.
# NB: this can be overridden on a per-OP basis in the .conf file using the key: jwks_refresh_interval
# NB: this refresh interval is shared with OIDCOAuthVerifyJwksUri
#OIDCJWKSRefreshInterval

# Defines the way in which the access token will be presented to the userinfo endpoint
# "authz_header" means that the token will be presented in an "Authorization: Bearer" header using HTTP GET
# "post_param" means that the token will be presented a form-encoded POST parameter using HTTP POST
# When not defined the default is "authz_header".
# NB: this can be overridden on a per-OP basis in the .conf file using the key: userinfo_token_method
#OIDCUserInfoTokenMethod [authz_header|post_param]

# Defines the HTTP method used to pass the parameters in the Authentication Request to the Authorization Endpoint.
# "GET" means that the parameters will be passed as query parameters in an HTTP GET
# "POST" means that the parameters will be passed as form-post parameters in an HTTP POST
# When not defined the default is "GET".
# NB: this can be overridden on a per-OP basis in the .conf file using the key: auth_request_method
# OIDCProviderAuthRequestMethod [ GET | POST ]

# The fully qualified names of the files that contain the PEM-formatted RSA/EC Public key or a X.509 certificates
# that contain the RSA/EC public keys to be used for JWT (OP state/id_token) encryption by the OP.
# One of these keys must correspond to the private keys defined in OIDCPrivateKeyFiles.
# When not defined no encryption will be requested.
# You can also prefix with a JWK key identifier to manually override the automatically
# generated "kid" that will be used for this key in the JWKs derived from this certificate and
# published at OIDCClientJwksUri.
# Specify the prefix "sig:" or "enc:" to indicate a key is specifically to be used for signing or encryption.
# NB: this can be overridden on a per-OP basis in the .conf file using the key "keys" whose value is a JWK set/array (use=sign)
#OIDCPublicKeyFiles (["sig:"|"enc:"][#])+

# The fully qualified names of the files that contain the PEM-formatted RSA/EC private
# keys that can be used to decrypt content sent to us by the OP.
# These keys must correspond to the public keys defined in OIDCPublicKeyFiles.
# When not defined no decryption will be possible.
# NB: this can be overridden on a per-OP basis in the .conf file using the key "keys" whose value is a JWK set/array (use=enc)
#OIDCPrivateKeyFiles (["sig:"|"enc:"][#])+

########################################################################################
#
# OpenID Connect Client
#
# Settings used by the client in communication with the OpenID Connect Provider(s),
# i.e. in Authorization Requests, Dynamic Client Registration and UserInfo Endpoint access.
# These settings are used when a single static provider is configured and serve as defaults
# when multiple providers are configured.
#
########################################################################################

# The response type (or OpenID Connect Flow) used (this serves as default value for discovered OPs too)
# When not defined the "code" response type is used.
# NB: this can be overridden on a per-OP basis in the .conf file using the key: response_type
#OIDCResponseType ["code"|"id_token"|"id_token token"|"code id_token"|"code token"|"code id_token token"]

# The response mode used (this serves as default value for discovered OPs too)
# When not defined the default response mode for the requested flow (OIDCResponseType) is used.
# NB: this can be overridden on a per-OP basis in the .conf file using the key: response_mode
#OIDCResponseMode [fragment|query|form_post]

# Only used for a single static provider has been configured, see below in OpenID Connect Provider.
# Client identifier used in calls to the statically configured OpenID Connect Provider.
#OIDCClientID

# Only used for a single static provider has been configured, see below in OpenID Connect Provider.
# Client secret used in calls to the statically configured OpenID Connect Provider.
# (not used/required in the Implicit Client Profile, i.e. when OIDCResponseType is "id_token")
# If the value begins with exec: the resulting command will be executed and the
# first line returned to standard output by the program will be used as the
# secret. The command may be absolute or relative to the web server root.
#OIDCClientSecret [ | "exec:/path/to/otherProgram argument1" ]

# Filename with the PEM-formatted client certificate used to authenticate the Client in calls to the
# token endpoint of the OAuth 2.0 Authorization server.
# NB: this can be overridden on a per-OP basis in the .conf file using the key: token_endpoint_tls_client_cert
#OIDCClientTokenEndpointCert

# Filename with the PEM-formatted private key that belongs to the client certificate used to authenticate the
# Client in calls to the token endpoint of the OAuth 2.0 Authorization server.
# NB: this can be overridden on a per-OP basis in the .conf file using the key: token_endpoint_tls_client_key
#OIDCClientTokenEndpointKey

# Password for the PEM-formatted private key that belongs to the client certificate used to authenticate the
# Client in calls to the token endpoint of the OAuth 2.0 Authorization server.
# If the value begins with exec: the resulting command will be executed and the
# first line returned to standard output by the program will be used as the password.
# The command may be absolute or relative to the web server root.
# NB: this can be overridden on a per-OP basis in the .conf file using the key: token_endpoint_tls_client_key_pwd
#OIDCClientTokenEndpointKeyPassword [ | "exec:/path/to/otherProgram arg1" ]

# The client name that the client registers in dynamic registration with the OP.
# When not defined, no client name will be sent with the registration request.
# NB: this can be overridden on a per-OP basis in the .conf file using the key: client_name
#OIDCClientName

# The contacts that the client registers in dynamic registration with the OP.
# Must be formatted as e-mail addresses by specification.
# Single value only; when not defined, no contact e-mail address will be sent with the registration request.
# NB: this can be overridden on a per-OP basis in the .conf file using the key: client_contact
#OIDCClientContact

# The PKCE method used (this serves as default value for discovered OPs too)
# When not defined S256 is used.
# NB: this can be overridden on a per-OP basis in the .conf file using the key: pkce_method
#OIDCPKCEMethod [plain|S256|none]

# (used only in dynamic client registration)
# Define the Client JWKs URL (e.g. https://localhost/protected/?jwks=rsa)") that will be
# used during client registration to point to the JWK set with public keys for this client.
# If not defined the default ?jwks=rsa will be used, on which a JWK set
# is automatically published based on the OIDCPublicKeyFiles setting so normally you don't
# need to touch this unless this client is on a (test) host that is not reachable from the internet.
# NB: this can be overridden on a per-OP basis in the .conf file using the key: client_jwks_uri
#OIDCClientJwksUri

# The algorithm that the OP should use to sign the id_token.
# When not defined the default that the OP should use by spec is RS256.
# (ES??? algorithms only supported when using OpenSSL >= 1.0)
# NB: this can be overridden on a per-OP basis in the .conf file using the key: id_token_signed_response_alg
#OIDCIDTokenSignedResponseAlg [RS256|RS384|RS512|PS256|PS384|PS512|HS256|HS384|HS512|ES256|ES384|ES512]

# The algorithm that the OP should use to encrypt the Content Encryption Key that is used to encrypt the id_token.
# When not defined the default (by spec) is that the OP does not encrypt the id_token.
# NB: this can be overridden on a per-OP basis in the .conf file using the key: id_token_encrypted_response_alg
#OIDCIDTokenEncryptedResponseAlg [RSA1_5|A128KW|A256KW|RSA-OAEP]

# The algorithm that the OP should use to encrypt to the id_token with the Content Encryption Key.
# If OIDCIDTokenEncryptedResponseAlg is specified, the default for this value is A128CBC-HS256.
# When OIDCIDTokenEncryptedResponseEnc is included, OIDCIDTokenEncryptedResponseAlg MUST also be provided.
# (A256GCM algorithm only supported when using OpenSSL >= 1.0.1)
# NB: this can be overridden on a per-OP basis in the .conf file using the key: id_token_encrypted_response_enc
#OIDCIDTokenEncryptedResponseEnc [A128CBC-HS256|A256CBC-HS512|A256GCM]

# The algorithm that the OP should use to sign the UserInfo response
# When not defined the default (by spec) is that the OP does not sign the response.
# (ES??? algorithms only supported when using OpenSSL >= 1.0)
# NB: this can be overridden on a per-OP basis in the .conf file using the key: userinfo_signed_response_alg
#OIDCUserInfoSignedResponseAlg RS256|RS384|RS512|PS256|PS384|PS512|HS256|HS384|HS512|ES256|ES384|ES512]

# The algorithm that the OP should use to encrypt the Content Encryption Key that is used to encrypt the UserInfo response.
# When not defined the default (by spec) is that the OP does not encrypt the response.
# NB: this can be overridden on a per-OP basis in the .conf file using the key: userinfo_encrypted_response_alg
#OIDCUserInfoEncryptedResponseAlg [RSA1_5|A128KW|A256KW|RSA-OAEP]

# The algorithm that the OP should use to encrypt to encrypt the UserInfo response with the Content Encryption Key
# If OIDCUserInfoEncryptedResponseAlg is specified, the default for this value is A128CBC-HS256.
# When OIDCUserInfoEncryptedResponseEnc is included, OIDCUserInfoEncryptedResponseAlg MUST also be provided.
# (A256GCM algorithm only supported when using OpenSSL >= 1.0.1)
# NB: this can be overridden on a per-OP basis in the .conf file using the key: userinfo_encrypted_response_enc
#OIDCUserInfoEncryptedResponseEnc [A128CBC-HS256|A256CBC-HS512|A256GCM]

########################################################################################
#
# WARNING:
#
# THE OAUTH 2.0 RESOURCE SERVER FUNCTIONALITY IS DEPRECATED NOW AND SUPERSEDED
# BY A SEPARATE MODULE, SEE: https://github.com/OpenIDC/mod_oauth2
#
# OAuth 2.0 Resource Server Settings
#
# Used when this module functions as a Resource Server against an OAuth 2.0 Authorization
# Server, introspecting/validating bearer Access Tokens.
#
########################################################################################

# URL where Authorization Provider Provider metadata can be found (e.g. https://example.com/.well-known/oauth-authorization-server)
# as defined in RFC 8414. The obtained metadata will be cached and refreshed every 24 hours.
# If set, individual entries below will not have to be configured but can be used to add
# extra entries/endpoints to settings obtained from the metadata.
# If OIDCOAuthServerMetadataURL is not set, the endpoint entries below it will have to be configured.
#OIDCOAuthServerMetadataURL

# (Mandatory when introspecting opaque access tokens, Optional when performing local JWT access token validation)
# OAuth 2.0 Authorization Server token introspection endpoint (e.g. https://localhost:9031/as/token.oauth2)
#OIDCOAuthIntrospectionEndpoint

# Client identifier used in token introspection calls to the OAuth 2.0 Authorization server.
#OIDCOAuthClientID

# Client secret used in token introspection calls to the OAuth 2.0 Authorization server.
#OIDCOAuthClientSecret

# Authentication method for the OAuth 2.0 Authorization Server introspection endpoint,
# Used to authenticate the client to the introspection endpoint e.g. with a client_id/client_secret
# when OIDCOAuthClientID and OIDCOAuthClientSecret have been set and "client_secret_basic" or "client_secret_post"
# has been configured.
# When "private_key_jwt" is used, OIDCPrivateKeyFiles and OIDCPublicKeyFiles must have been set.
# When not defined "client_secret_basic" is used.
#OIDCOAuthIntrospectionEndpointAuth [ client_secret_basic | client_secret_post | client_secret_jwt | private_key_jwt | bearer_access_token | none ]

# Used when "OIDCOAuthIntrospectionEndpointAuth bearer_access_token" is configured.
# Specifies a static token to be used for authorizing the call to the introspection endpoint.
# If empty, the introspected token will be used for authorization as well.
#OIDCOAuthIntrospectionClientAuthBearerToken [ a-static-bearer-token | ]

# Filename that contains the PEM-formatted client certificate used to authenticate the
# caller in token introspection calls to the OAuth 2.0 Authorization server.
#OIDCOAuthIntrospectionEndpointCert

# Filename that contains the PEM-formatted private key that belongs to the client certificate used
# to authenticate the caller in token introspection calls to the OAuth 2.0 Authorization server.
#OIDCOAuthIntrospectionEndpointKey

# Define the HTTP method to use for the introspection call. Must be GET or POST.
# When not defined the default is POST.
#OIDCOAuthIntrospectionEndpointMethod [POST|GET]

# Extra parameters that need to be passed in the POST request to the Introspection Endpoint.
# Parameter names and values need to be provided in URL-encoded form.
# When not defined no extra parameters will be passed.
#OIDCOAuthIntrospectionEndpointParams =[&=]*

# Name of the parameter whose value carries the access token value in an validation request to the token introspection endpoint.
# When not defined the default "token" is used.
#OIDCOAuthIntrospectionTokenParamName

# Defines the name of the claim that contains the token expiry timestamp, whether it is absolute (seconds since
# 1970), relative (seconds from now after which the token will expire), and whether it is optional.
# If the claim is optional and not found in the response, the introspection result will not be cached.
# (which means that the overall performance may suffer)
#
# Only applies when the "active" claim is not found in the introspection response, which is interpreted as
# an introspection method that does not conform to draft-ietf-oauth-introspection, but is custom.
#
# When not defined the default "expires_in" is used, the expiry is "relative" and mandatory, matching
# Google and PingFederate's introspection behavior.
#OIDCOAuthTokenExpiryClaim [absolute|relative] [mandatory|optional]

# Define the interval in seconds after which a cached and introspected access token needs
# to be refreshed by introspecting (and validating) it again against the Authorization Server.
# (can be configured on a per-path basis)
# When not defined the value is 0, which means it only expires after the `exp` (or alternative,
# see OIDCOAuthTokenExpiryClaim) hint as returned by the Authorization Server.
# When set to -1, caching of the introspection results is disabled and the token will be introspected
# on each request presenting it.
#OIDCOAuthTokenIntrospectionInterval

# Require a valid SSL server certificate when communicating with the Authorization Server
# on the token introspection endpoint. When not defined, the default value is "On".
#OIDCOAuthSSLValidateServer [On|Off]

# The symmetric shared key(s) that can be used for local JWT access token validation.
# NB: this is one or more key tuples where a key tuple consists of:
# ["sig:"|"enc:"]plain|b64|hex#[]#
# Specify the prefix "sig:" or "enc:" to indicate a key is specifically to be used for signing or encryption.
# When not defined, no access token validation with shared keys will be performed.
# Examples:
# - a plaintext secret and a key identifier (kid)
# plain#1#mysecret
# - a base64 encoded secret, no key identifier provided
# b64##AF515DE==
# - a hex encoded secret, no key identifier provided
# hex##ede012
#OIDCOAuthVerifySharedKeys (["sig:"|"enc:"]plain|b64|hex#[#])+

# The fully qualified names of the files that contain the X.509 certificates with the RSA/EC public
# keys that can be used for local JWT access token verification.
# NB: this is one or more key tuples where a key tuple consists of:
# ["sig:"|"enc:"][#]
# and the key identifier part is required when the JWT access token contains a "kid" in its header.
# Specify the prefix "sig:" or "enc:" to indicate a key is specifically to be used for signing or encryption.
# When not defined, no access token validation with statically configured certificates will be performed.
#OIDCOAuthVerifyCertFiles (["sig:"|"enc:"][#])+

# The JWKs URL on which the Authorization Server publishes the keys used to sign its JWT access tokens.
# When not defined local validation of JWTs can still be done using statically configured keys,
# by setting OIDCOAuthVerifyCertFiles and/or OIDCOAuthVerifySharedKeys.
#OIDCOAuthVerifyJwksUri

# The claim that is used when setting the REMOTE_USER variable on OAuth 2.0 protected paths.
# When not defined the default "sub" is used.
#
# An optional regular expression can be added as a 2nd parameter that will be applied to the
# claim value from the 1st parameter and the first match returned from that expression will
# be set as the REMOTE_USER. E.g. to strip a domain from an e-mail style address you'd use ^(.*)@
#
# An optional 3rd parameter can be added that would contain string with number backrefrences.
# Backrefrences must be in the form $1, $2.. etc.
# E.g. to extract username in the form DOMAIN\userid from e-mail style address you may use
# ^(.*)@([^.]+)\..+$ $2\\$1
#OIDCOAuthRemoteUserClaim [] [substitution-string]

# Define the way(s) in which bearer OAuth 2.0 access tokens can be passed to this Resource Server.
# Must be one or several of:
# "header" : an "Authorization: bearer" header
# "post" : an HTTP Post parameter called "access_token"
# "query" : as an HTTP query parameter called "access_token"
# "cookie" : as a cookie header called "PA.global" or using the name specified after ":"
# "basic": as a HTTP Basic Auth (RFC2617, section 2) password, with any username
# When not defined the default "header" is used.
#OIDCOAuthAcceptTokenAs [header|post|query|cookie[:|basic]+

########################################################################################
#
# Cookie Settings
#
########################################################################################

# Define the cookie path for the "state" and "session" cookies.
# When not defined the default is a server-wide "/".
#OIDCCookiePath

# Specify the domain for which the "state" and "session" cookies will be set.
# This must match the OIDCRedirectURI and the URL on which you host your protected
# application. Use the literal value of the domain name that will end up in the "Domain"
# attribute value for the Set-Cookie header, no leading dot required.
# Example domain- (instead of default host-)wide cookie:
# OIDCCookieDomain example.org
# When not defined the default is the server hostname that is currently accessed.
#OIDCCookieDomain

# Define the cookie name for the session cookie.
# When not defined the default is "mod_auth_openidc_session".
#OIDCCookie

# OpenID Connect session cookie chunk size.
# When using "OIDCSessionType client-cookie" the session cookie may become quite large if a lot of session
# data needs to be stored, typically the size depends on the "scopes" of information you request. To work
# around cookie size limitations for most web browsers (usually 4096 bytes), the "client-cookie" will be split
# over a number of "chunked" cookies if the resulting session data is over a certain number of bytes,
# If you want to prevent splitting the session cookie regardless of its size, set the value to 0.
# When not defined the default chunk size is 4000 bytes
#OIDCSessionCookieChunkSize

# Defines whether the HttpOnly flag will be set on cookies.
# When not defined the default is On.
#OIDCCookieHTTPOnly [On|Off]

# Defines whether the SameSite flag will be set on cookies.
# When On the following will apply:
# state cookie: Lax
# session cookie: Lax
# x_csrf discovery: Strict:
#
# The default `SameSite=None` cookie appendix on `Set-Cookie` response headers can be
# conditionally overridden using an environment variable in the Apache config as in:
# SetEnvIf User-Agent ".*IOS.*" OIDC_SET_COOKIE_APPEND=;
#
# When not defined the default is On.
#OIDCCookieSameSite [On|Off]

# Specify the names of cookies to pickup from the browser and send along on backchannel
# calls to the OP and AS endpoints. This can be used for load-balancing purposes.
# When not defined, no such cookies are sent.
#OIDCPassCookies []+

# Specify the names of cookies to strip from the incoming request so they are not passed
# on to the target application(s). This may prevent a large set of chunked session cookies to
# be sent to the backend. In that case you'd set it to (when using the default OIDCCookie setting):
# mod_auth_openidc_session mod_auth_openidc_session_chunks mod_auth_openidc_session_0 mod_auth_openidc_session_1
# When not defined, no cookies are stripped.
#OIDCStripCookies []+

# Specify the maximum number of state cookies i.e. the maximum number of parallel outstanding
# authentication requests.
```
See: https://github.com/OpenIDC/mod_auth_openidc/issues/331 # Setting this to 0 means unlimited, until the browser or server gives up which is the # behavior of mod_auth_openidc < 2.3.8, which did not have this configuration option. # # The optional second boolean parameter if the oldest state cookie(s) will be deleted, # even if still valid; see #399. # # When not defined, the default is 7 and "false", thus the oldest cookie(s) will not be deleted. #OIDCStateMaxNumberOfCookies [false|true] # Define the cookie prefix for the state cookie. # When not defined the default is "mod_auth_openidc_state_". #OIDCStateCookiePrefix ######################################################################################## # # Session Settings (only relevant in an OpenID Connect Relying Party setup) # ######################################################################################## # Interval in seconds after which the session will be invalidated when no interaction has occurred. # When not defined, the default is 300 seconds. #OIDCSessionInactivityTimeout # Maximum duration of the application session # When not defined the default is 8 hours (3600 * 8 seconds). # When set to 0, the session duration will be set equal to the expiry time of the ID token. # NB: this can be overridden on a per-OP basis in the .conf file using the key: session_max_duration #OIDCSessionMaxDuration # OpenID Connect session storage type. # "server-cache" server-side caching storage. # "client-cookie" uses browser-side sessions stored in a cookie; see also OIDCSessionCookieChunkSize next # A suffix ":persistent" can be added if you want to use a persistent cookie that survives browser restarts # instead of a session cookie that is tied to the lifetime of the browser session. # The "expires" value of the persistent cookie is controlled by the OIDCSessionInactivityTimeout setting. 
# A suffix ":store_id_token" can be added to "client-cookie" if you want the id_token to be stored # in the session to be used as id_token_hint in a logout request to the OP later. # When not defined the default "server-cache" is used. #OIDCSessionType server-cache[:persistent] | client-cookie[:persistent | :store_id_token | :persistent:store_id_token ] # Fallback to "OIDCSessionType client-cookie" when "OIDCSessionType server-cache" is set and the primary # cache mechanism (e.g. memcache or redis) fails. Note that this will come at a cost of: # a) performance # 1) since on each subsequent request the primary cache will still be polled and # failback will happen as soon as the primary cache is available again # 2) information other than sessions cannot be cached, e.g. resolved access tokens or metadata; see: OIDCCacheType # b) security, since nonce's and jti's are not cached, see: OIDCCacheType # c) (prototype) functionality, since request_uri's won't work anymore # When not defined the default is "Off". #OIDCSessionCacheFallbackToCookie [On|Off] ######################################################################################## # # Cache Settings # ######################################################################################## # Cache type, used for temporary storage that is shared across Apache processes/servers for: # - authenticated user session state # - nonce values from authorization requests (to prevent replay attacks) # - validated OAuth 2.0 access tokens # - refresh tokens during their usage in a refresh token request i.e. 
refreshing an access token and possible the refresh token itself # - JWK sets that have been retrieved from jwk_uri's (to validate id_token, logout_token, JWT access_token and JWT userinfo response) # - resolved OP metadata when using OIDCProviderMetadataUrl and/or OIDCOAuthServerMetadataURL # - jti values from logout_token when receiving Backchannel Logout requests # - temporary state associated with Request URI's # - signed JWTs when using OIDCPassUserInfoAs signed_jwt and environment variable OIDC_USERINFO_SIGNED_JWT_CACHE_TTL # - JQ filter results when using OIDCFilterClaimsExpr and/or OIDCUserInfoClaimsExpr and/or Require claims_expr # must be one of \"shm\", \"memcache\", \"file\" or, if Redis support is compiled in, \"redis\" # When not defined, "shm" (shared memory) is used. #OIDCCacheType [shm|memcache|file[|redis]] # Indicate whether data in the cache backend should be encrypted. # When not defined the default is "Off" for the "shm" backend and "On" for all other cache backends #OIDCCacheEncrypt [On|Off] # When using OIDCCacheType "shm": # Specifies the maximum number of name/value pair entries that can be cached. # When caching a large number of entries the cache size limit may be reached and the # least recently used entry will be overwritten. If this happens within 1 hour, # errors will be displayed in the error.log and the OIDCCacheShmMax value may be increased. # When not specified, a default of 10000 entries is used. # OIDCCacheShmMax # When using OIDCCacheType "shm": # Specifies the maximum size for a single cache entry in bytes with a minimum of 8736 bytes. # The value must a multiple of 8 bytes. # When caching large values such as numbers of attributes in a session or large metadata documents the # entry size limit may be overrun, in which case errors will be displayed in the error.log # and the OIDCCacheShmEntrySizeMax value has to be increased. 
# When not specified, a default entry size of 16928 bytes (16384 value + 512 key + 32 overhead) is used. # OIDCCacheShmEntrySizeMax # When using OIDCCacheType "file": # Directory that holds cache files; must be writable for the Apache process/user. # When not specified a system defined temporary directory (/tmp) will be used. #OIDCCacheDir /var/cache/apache2/mod_auth_openidc/cache # When using OIDCCacheType "file": # Cache file clean interval in seconds (only triggered on writes). # When not specified a default of 60 seconds is used. # OIDCCacheFileCleanInterval # Required when using OIDCCacheType "memcache": # Specifies the memcache servers used for caching as a space separated list of [:] tuples. #OIDCMemCacheServers "([:])+" # Minimum number of connections to each Memcache server per process. Defaults to # OIDCMemCacheConnectionsHMax. #OIDCMemCacheConnectionsMin # All connections above this limit will be closed if they have been idle for # more than OIDCMemCacheConnectionsTTL. Defaults to OIDCMemCacheConnectionsHMax. #OIDCMemCacheConnectionsSMax # Maximum number of connections to each Memcache server per process. Defaults to # ThreadsPerChild or if mod_http2 is loaded to ThreadsPerChild - 1 + H2MaxWorkers. #OIDCMemCacheConnectionsHMax # Maximum time in seconds a connection to a Memcache server can be idle before # being closed. Defaults to 60 seconds. # Only for Apache >= 2.4.x: By adding a postfix of ms, the timeout can be also # set in milliseconds. Defaults to 60 seconds. #OIDCMemCacheConnectionsTTL # Required if Redis support is compiled in and when using OIDCCacheType "redis": # Specifies the Redis server used for caching as a [:] tuple. #OIDCRedisCacheServer [:] # Password to be used if the Redis server requires authentication: http://redis.io/commands/auth # When not specified, no authentication is performed. 
#OIDCRedisCachePassword # Username to be used if the Redis server requires authentication: http://redis.io/commands/auth # NB: this can only used with Redis 6 (ACLs) or later # When not specified, the implicit user "default" is used #OIDCRedisCacheUsername # Logical database to select on the Redis server: https://redis.io/commands/select # When not defined the default database 0 is used. #OIDCRedisCacheDatabase # Timeout (in seconds) for connecting to the Redis servers. # An optional 2nd parameter can be supplied to set the keepalive interval (in seconds) on the # TCP connection to the Redis server. 0 disables keepalive. # NB: the interval setting only works when compiled and running with hiredis >= 1.2.0 # when compiled and running with hiredis < 1.2.0 any value > 0 will apply the default interval # When not defined the default connect timeout is 5 seconds and the default hiredis keepalive (15s) is applied. #OIDCRedisCacheConnectTimeout [0|] # Timeout waiting for a response of the Redis servers after a request was sent. # When not defined the default timeout is 5 seconds. #OIDCRedisCacheTimeout ######################################################################################## # # Advanced Settings # ######################################################################################## # Defines an external OP Discovery page. That page will be called with: # ?oidc_callback= # additional parameters may be added, a.o. `target_link_uri`, `x_csrf` and `method`. # # An Issuer selection can be passed back to the callback URL as in: # ?iss=[${issuer}|${domain}|${e-mail-style-account-name}][parameters][&login_hint=][&scopes=][&auth_request_params=] # where the parameter contains the URL-encoded issuer value of # the selected Provider, or a URL-encoded account name for OpenID # Connect Discovery purposes (aka. e-mail style identifier), or a domain name. # [parameters] contains the additional parameters that were passed in on the discovery request (e.g. 
target_link_uri=&x_csrf=&method=&scopes=) # # When not defined the bare-bones internal OP Discovery page is used. #OIDCDiscoverURL # Defines a default URL to be used in case of 3rd-party-init-SSO when no explicit target_link_uri # has been provided. The user is also redirected to this URL in case an invalid authorization # response was received. # The default is to not redirect the browser to any URL but return an HTTP/HTML error to the user. #OIDCDefaultURL # Defines a default URL where the user is sent to after logout, which may be overridden explicitly during logout. # When not defined and no URL was passed explicitly, a default internal page will be shown. #OIDCDefaultLoggedOutURL # Define the OpenID Connect scope(s) that is requested from the OP (eg. "admin edit") # on a per-path basis in addition to the per-provider configured scopes (OIDCScope). # Multiple scope values must be enclosed in a single pair of double quotes. # Apache expressions can be used to pass dynamic runtime determined values. # The default is to not add extra scopes. #OIDCPathScope "" # Extra parameters that will be sent along with the Authorization Request. # These must be URL-query-encoded as in: "display=popup&prompt=consent". # This can be configured on a per-path basis across all configured Providers. # One can pass on query parameters from the request to the authorization request by adding # e.g. "foo=#" which which will dynamically pull in the query parameter value from the # request query parameter and add it to the authentication request to the OP. # Apache expressions can be used to pass dynamic runtime determined values. # The default is to not add extra parameters. #OIDCPathAuthRequestParams # Acceptable offset (before and after) for checking the \"iat\" (= issued at) timestamp in the id_token. # When not defined the default is 600 seconds. 
# NB: this can be overridden on a per-OP basis in the .conf file using the key: idtoken_iat_slack #OIDCIDTokenIatSlack # The prefix to use when setting claims (openid-connect or oauth20) in the HTTP headers/environment variables. # This prefix should not be set to "" except when combined with OIDCWhiteListedClaims to maintain a secure setup. # When not defined, the default "OIDC_CLAIM_" is used. #OIDCClaimPrefix # The delimiter to use when setting multi-valued claims (openid-connect or oauth20) in the HTTP headers/environment variables. # When not defined the default "," is used. #OIDCClaimDelimiter # The claim that is used when setting the REMOTE_USER variable on OpenID Connect protected paths. # If the claim name is postfixed with a \"@\", the claim value will be post-fixed with the # \"iss\" value value (with leading "https://" stripped) to make this value unique across different OPs. # When not defined the default "sub@" is used. # # An optional regular expression can be added as a 2nd parameter that will be applied to the # resulting value from the 1st parameter and the first match returned from that expression will # be set as the REMOTE_USER. E.g. to strip a domain from an e-mail style address you'd use ^(.*)@ # # An optional 3rd parameter can be added that would contain string with number backrefrences. # Backrefrences must be in the form $1, $2.. etc. # E.g. to extract username in the form DOMAIN\userid from e-mail style address you may use # ^(.*)@([^.]+)\..+$ $2\\$1 #OIDCRemoteUserClaim [@] [] [substitution-string] # Define the way(s) in which the id_token contents are passed to the application according to OIDCPassClaimsAs. 
# Must be one or several of: # "claims" : the claims in the id_token are passed in individual headers/environment variables # "payload" : the payload of the id_token is passed as a JSON object in the "OIDC_id_token_payload" header/environment variable # "serialized" : the complete id_token is passed in compact serialized format in the "OIDC_id_token" header/environment variable # Note that when OIDCSessionType client-cookie is set, the id_token itself is not stored in the session/cookie (unless explicitly # configured to do so) and as such the header for the "serialized" option will not be set. # Can be configured on a per Directory/Location basis. When not defined the default "claims" is used.. #OIDCPassIDTokenAs [claims|payload|serialized]+ # Define the way(s) in which the claims resolved from the userinfo endpoint are passed to the application according to OIDCPassClaimsAs. # Must be one or several of: # "claims" : # the userinfo claims are passed in individual headers/environment variables # "json[: header/environment variable # "jwt[: header/environment variable # "signed_jwt[: header/environment variable # - requires OIDCPrivateKeyFiles/OIDCPublicKeyFiles set with a RSA key (RS256) or a prime256v1 Elliptic Curve key(s) (ES256), # the first RSA/EC signing key in the configured list will be used # - the "expires_in" hint from the access_token is used in the "exp" claim; defaults to 60 seconds if not returned by the OP. # - caching of the signed JWT - use with care only - can be configured using: # SetEnvIfExpr true OIDC_USERINFO_SIGNED_JWT_CACHE_TTL= # or for the duration of the - possibly processed - "exp" claim when set to "0" # Can be configured on a per Directory/Location basis. When not defined the default "claims" is used.. 
#OIDCPassUserInfoAs [claims|json[:]|jwt[:]|signed_jwt[:]]+ # Only when compiled in with libjq (https://stedolan.github.io/jq/manual/) support: process the claims # returned from the userinfo endpoint with a JQ-based expression before propagating them according # to OIDCPassUserInfoAs claims|json|signed_jwt (ie. does not work for "OIDCPassUserInfoAs jwt") # # Overwrite the default (provider) "iss" claim, and delete the default "aud" and "name" claims: # '. + { iss: "https://myissuer.com" } | del(.aud, .name)' # Add new claim with a variable value obtained from an Apache expression https://httpd.apache.org/docs/2.4/expr.html: # (be aware that when used with "OIDCPassUserInfoAs signed_jwt" it results in a cached JWT per-user/per-path) # '. + { path: "%{REQUEST_URI}" }' # Keep sub only: # '{ sub: .sub }' # Filter out all elements in the "groups" array of strings that contain "DC=Company" : # '. + { groups: (.groups - (.groups | map(select(contains("DC=Company"))))) }' # Filter out all elements in the "groups" array of strings that match regular expression ^CN=test-.* : # '. + { groups: (.groups - (.groups | map(select(match("^CN=test-.*"; "g"))))) }' # Can be configured on a per Directory/Location basis. When not defined no processing will be applied. #OIDCUserInfoClaimsExpr # Only when compiled in with libjq (https://stedolan.github.io/jq/manual/) support: applies # a JQ filter to claims in the both the id_token and claims returned from the userinfo endpoint # before storing them in the session after applying (optional) toplevel blacklisting/whitelisting # with OIDCBlackListedClaims/OIDCWhiteListedClaims, e.g.: # filter out all elements in the "groups" array of strings that match regular expression ^CN=test-.* # '. 
+ { groups: (.groups - (.groups | map(select(match("^CN=test-.*"; "g"))))) }' # whitelist only "name" and "sub" claims: # '{name, sub}' # delete "groups", "exp" and "iat" # 'del(.groups,.exp,.iat)' # When not defined no processing will be applied and all claims will be stored in the session. #OIDCFilterClaimsExpr # Define the way in which the (processed) claims and tokens are passed to the application environment: # "none": no claims/tokens are passed # "environment": claims/tokens are passed as environment variables # "headers": claims/tokens are passed in headers (also useful in reverse proxy scenario's) # "both": claims/tokens are passed as both headers as well as environment variables (default) # # A second parameter can be specified that defines the encodong applied to all values passed in headers # and environment variables: # "latin1" applies ISO-8859-1 encoding: this may result in out of bound characters converted to the "?" character. # "base64url" applies base64url encoding # "none" applies no encoding and copies literal values from the claims into the headers/environment variables # When not defined the default is "both" and "latin1" encoding is applied to the header/environment values. # # The access token is passed in OIDC_access_token; the access token expiry is passed in OIDC_access_token_expires. # The refresh token is only passed in OIDC_refresh_token if enabled for that specific directory/location (see: OIDCPassRefreshToken) #OIDCPassClaimsAs [none|headers|environment|both] [latin1|base64url|none] # Specify the HTTP header variable name to set with the name of the authenticated user, # i.e. copy what is set in REMOTE_USER and configured in OIDCRemoteUserClaim or OIDCOAuthRemoteUserClaim. # When not defined no such header is added. # This setting can be configured for both the "openid-connect" and "oauth20" AuthType on # a server-wide or directory level. #OIDCAuthNHeader # Timeout in seconds for long duration HTTP calls. 
This defines the maximum duration that a request make take to # to complete and is used for most requests to remote endpoints/servers. # The optional parameter specifies the connect timeout in seconds, as part of the overall request timeout. # The optional parameter specifies the number of retry attempts in case of connectivity errors. # When not defined the default of 30 seconds is used, with a 10 second connect timeout, using 1 retry after # an interval of 500ms. #OIDCHTTPTimeoutLong [] [[:]] # Timeout in seconds for short duration HTTP calls. This defines the maximum duration that a request may take to # to complete and is used for Client Registration and OP Discovery requests. # The optional parameter specifies the connect timeout in seconds, as part of the overall request timeout. # The optional parameter specifies the number of retry attempts in case of connectivity errors. # When not defined the default of 5 seconds is used, with a 2 second connect timeout, using 1 retry with # an interval of 500ms. #OIDCHTTPTimeoutShort [] [[:]] # Time to live in seconds for state parameter i.e. the interval in which the authorization request # and the corresponding response need to be processed. When not defined the default of 300 seconds is used. #OIDCStateTimeout # Specify an outgoing proxy for your network. When running on a platform with a recent version of # libcurl you can also specify the network protocol, see: https://curl.se/libcurl/c/CURLOPT_PROXY.html # When not defined no outgoing proxy is used. #OIDCOutgoingProxy [://][:] [:] [basic|digest|negotiate|ntlm|any] # Defines the action to be taken when an unauthenticated request is made. # # "auth" means that the user is redirected to the OpenID Connect Provider or Discovery page. # "401" means that HTTP 401 Unauthorized is returned. 
# "407" means that HTTP 407 Proxy Authentication Required is returned # "410" means that HTTP 410 Gone is returned # "pass" means that an unauthenticated request will pass but claims will still be passed when a user happens to be authenticated already # # Useful in Location/Directory/Proxy path contexts that serve AJAX/Javascript calls and for "anonymous access" # # When not defined the default is "auth" with auto-detection of requests that woult not be able to complete # an authentication round trip to the OpenID Connect Provider, which would receive a 401. # The default auto-detection algorithm looks for the "X-Requested-With: XMLHttpRequest" header/value, or # the presence of a Sec-Fetch-Mode header with a value that is not equal to "navigate", or the presence of # a Sec-Fetch-Dest header with a value that is not equal to "document" or the absence of # an "Accept" header with any of the values "text/html" "application/xhtml+xml" or "*/*" # and returns 401 for such non-auth-capable requests, e.g. XML HTTP Requests, image loading requests etc. # that would create a state cookie but never return to delete it. # See: https://github.com/OpenIDC/mod_auth_openidc/wiki/Cookies#tldr # # Only for Apache >= 2.4.x: # Since verson 2.4.4 a boolean Apache expression as the second parameter to specify which requests # need to match to return the configured value in the first parameter to override the default "auth". # See also: https://httpd.apache.org/docs/2.4/expr.html. 
# E.g to only return 401 for cURL based user agents and "auth" for any other browsers/user agents: # OIDCUnAuthAction 401 "%{HTTP_USER_AGENT} =~ /curl/" # to effectively override the default XML request detection algorithm by ignoring the Sec-Fetch-Mode, # Sec-Fetch-Dest and Accept headers: # OIDCUnAuthAction 401 "%{HTTP:X-Requested-With} == 'XMLHttpRequest'" # to return 401 for all user agents that do not send an Accept header that includes a "text/html" value: # OIDCUnAuthAction 401 "%{HTTP_ACCEPT} !~ m#text/html#" # or as a more complex example, which equals the default XML request detection algorithm: # OIDCUnAuthAction 401 "%{HTTP:X-Requested-With} == 'XMLHttpRequest' \ # || ( -n %{HTTP:Sec-Fetch-Mode} && %{HTTP:Sec-Fetch-Mode} != 'navigate' ) \ # || ( -n %{HTTP:Sec-Fetch-Dest} && %{HTTP:Sec-Fetch-Dest} != 'document' ) \ # || ( ( %{HTTP_ACCEPT} !~ m#text/html# ) \ # && ( %{HTTP_ACCEPT} !~ m#application/xhtml\+xml# ) \ # && ( %{HTTP_ACCEPT} !~ m#\*/\*# ) )" # To enable authentication in an iframe you need to change the Sec-Fetch-Dest part above in: # || ( -n %{HTTP:Sec-Fetch-Dest} && %{HTTP:Sec-Fetch-Dest} != 'iframe' && %{HTTP:Sec-Fetch-Dest} != 'document') \ # To disable auto-detection of XML HTTP request altogether and uncondtionally return "auth" for all clients: # OIDCUnAuthAction auth true # Note that actually *any* expression value in "OIDCUnAuthAction auth " will *always* render "auth" # (even when set to "false"...) because of the default, so using an value (other than "true") only # makes sense in combination with one of the values other than "auth". #OIDCUnAuthAction [auth|pass|401|407|410] [] # Defines the action to be taken when an unauthorized request is made i.e. the user is authenticated but # does not meet the `Require claim <>` directives or similar. 
# "401" return HTTP 401 Unauthorized with optional text message if specified in # "403" return HTTP 403 Forbidden with optional text message; NB: for Apache 2.4 this is controlled by the AuthzSendForbiddenOnFailure directive! # "302" redirect to the URL specified in the parameter # "auth" redirect the user to the OpenID Connect Provider or Discovery page for authentication ( is unused) # Useful in Location/Directory/Proxy path contexts that need to do stepup authentication # Be aware that this will only work in combination with a single Require statement or RequireAll, # so using RequireAny and multiple Require statements is not supported. # When not defined the default "403" is used. However Apache 2.4 will change this to 401 unless you set "AuthzSendForbiddenOnFailure on" #OIDCUnAutzAction [401|403|302|auth] [] # Indicates whether POST data will be preserved across authentication requests (and discovery in case of multiple OPs). # This is designed to prevent data loss when a session timeout occurs in a (long) user filled HTML form. # It cannot handle arbitrary payloads for security (DOS) reasons, merely form-encoded user data. # Preservation is done via HTML 5 session storage: note that this can lead to private data exposure on shared terminals. # The default is "Off" (for security reasons). Can be configured on a per Directory/Location basis. #OIDCPreservePost [On|Off] # POST preserve and restore templates to be used with OIDCPreservePost # template needs to contain two "%s" characters # the first for the JSON formattted POST data, the second for the URL to redirect to after preserving # template needs to contain one "%s" # which contains the (original) URL to POST the restored data to # The default is to use internal templates #OIDCPreservePostTemplates # Indicates whether the access token and access token expires will be passed to the application in a header/environment variable, according # to the OIDCPassClaimsAs directive. 
# Can be configured on a per Directory/Location basis. The default is "On".
#OIDCPassAccessToken [On|Off]

#
# Indicates whether the refresh token will be passed to the application in a header/environment variable, according
# to the OIDCPassClaimsAs directive.
# Can be configured on a per Directory/Location basis. The default is "Off".
#OIDCPassRefreshToken [On|Off]

# Request Object/URI settings expressed as a string that is a "double-quote-escaped" JSON object. For example:
# "{ \"copy_from_request\": [ \"claims\", \"response_type\", \"response_mode\", \"login_hint\", \"id_token_hint\", \"nonce\", \"state\", \"redirect_uri\", \"scope\", \"client_id\" ], \"static\": { \"some\": \"value\", \"some_nested\": { \"some_array\": [ 1,2,3] } }, \"crypto\": { \"sign_alg\": \"HS256\", \"crypt_alg\": \"A256KW\", \"crypt_enc\": \"A256CBC-HS512\" }, \"url\": \"https://www.openidc.com/protected/\", \"request_object_type\" : \"request\" }"
# Parameters:
# copy_from_request (array) : array of query parameter names copied from request
# copy_and_remove_from_request (array) : array of parameter names copied from request and removed as query parameter
# static (object) : parameter value is merged to the request object
# ttl (number) : number of seconds before the request object expires (default is 30 seconds)
# translates to the `exp` claim in the request object
# crypto (object) : defines cryptography used to create request object
# sign_alg (string) : algorithm used to sign request object (JWS alg parameter)
# crypt_alg (string) : algorithm used to encrypt CEK of request object (JWE alg parameter)
# crypt_enc (string) : algorithm used to encrypt request object (JWE enc parameter)
# url (string) : use this url instead of redirect_uri for request_uri
# request_object_type (string) : parameter used for sending authorization request object
# "request_uri" (default) or "request"
# NB: this can be overridden on a per-OP basis in the .conf file using the key: request_object
#OIDCRequestObject

# Provider metadata refresh interval for the metadata in a multi-provider setup (with OIDCMetadataDir).
# When not defined the default is 0 seconds, i.e. it is never refreshed.
# Also used in a single provider setup with OIDCProviderMetadataURL but 0 then means the default of 1 day.
#OIDCProviderMetadataRefreshInterval

# Define the data that will be returned upon calling the info hook.
# The data can be JSON formatted using ?info=json, or HTML formatted, using ?info=html.
# iat (int) : Unix timestamp indicating when this data was created
# access_token (string) : the access token
# access_token_expires (int) : the Unix timestamp which is a hint about when the access token will expire (as indicated by the OP)
# id_token (object) : the claims presented in the ID token
# id_token_hint (string) : the serialized ID token
# userinfo (object) : the claims resolved from the UserInfo endpoint
# refresh_token (string) : the refresh token (if returned by the OP)
# exp (int) : the maximum session lifetime (Unix timestamp in seconds)
# timeout (int) : the session inactivity timeout (Unix timestamp in seconds)
# remote_user (string) : the remote user name
# session (object) : (for debugging) mod_auth_openidc specific session data such as "remote user", "session expiry", "session id" and a "state" object
# Note that when using ProxyPass / you may have to add a proxy exception for the Redirect URI
# for this to work, e.g. ProxyPass /redirect_uri !
# When not defined the session hook will not return any data but a HTTP 404
#OIDCInfoHook [iat|access_token|access_token_expires|id_token|id_token_hint|userinfo|refresh_token|exp|timeout|remote_user|session]+

# Specify metrics that you wish to collect and keep in shared memory for retrieval.
# Supported metrics classes are:
# authtype Request counter, overall and per AuthType: openid-connect, oauth20 and auth-openidc.
# authn Authentication request creation and response processing.
# authz Authorization errors per OIDCUnAuthzAction (per Require statement, not overall).
# require.claim Match/failure count of Require claim directives (per Require statement, not overall).
# provider Requests to the provider [token, userinfo, metadata] endpoints.
# session Existing session processing.
# cache Cache read/write timings and errors.
# redirect_uri Requests to the Redirect URI, per type.
# content Requests to the content handler, per type of request: info, metrics, jwks, etc.
# When not defined no metrics will be recorded.
#OIDCMetricsData [ authtype | authn | authz | require.claim | requests | session | cache | redirect_uri | content ]+

# Specify the path where metrics are published and can be consumed.
# The format parameter can be passed to specify the format in which the collected data is returned.
# format=prometheus Prometheus text-based exporter
# format=json (non-standard) JSON with descriptions and names
# format=status short text based status message "OK" plus optional counter (&vhost=&counter=)
# format=internal internal terse JSON for debugging purposes
# The default is "prometheus".
# Protect this path (e.g. Require host localhost) or serve it on an internal co-located vhost/port.
# When not defined, no metrics will be published on the enclosing vhost.
#OIDCMetricsPublish

# Set a traceparent HTTP header on outgoing requests to the provider and proxied requests.
# propagate: propagate any existing traceparent header on requests to the Provider (it's proxied as it is)
# generate: generate a traceparent header, possibly overwriting an existing one
# The default is to not add (or overwrite) a traceparent header.
#OIDCTraceParent generate | propagate

# Specify claims that should be removed from the userinfo and/or id_token before storing them in the session.
# Note that OIDCBlackListedClaims takes precedence over OIDCWhiteListedClaims
# When not defined no claims are blacklisted and all claims are stored except when OIDCWhiteListedClaims is used.
#OIDCBlackListedClaims []+

# Specify claims from the userinfo and/or id_token that should be stored in the session (all other claims will be discarded).
# Note that OIDCBlackListedClaims takes precedence over OIDCWhiteListedClaims
# When not defined no claims are whitelisted and all claims are stored except when blacklisted with OIDCBlackListedClaims.
#OIDCWhiteListedClaims []+

# Specify the minimum time-to-live for the access token stored in the OIDC session.
# When the access token expiry timestamp (at least the hint given to that) is less than this value,
# an attempt will be made to refresh the access token using the refresh token grant type towards the OP.
# This only has an effect if a refresh token was actually returned from the OP and an "expires_in" hint
# was returned as part of the authorization response and subsequent refresh token responses.
# When not defined no attempt is made to refresh the access token (unless implicitly through OIDCUserInfoRefreshInterval)
# The optional logout_on_error flag makes the refresh logout the current local session if the refresh fails.
# The optional authenticate_on_error flag sends the user for authentication when the refresh fails.
#OIDCRefreshAccessTokenBeforeExpiry [logout_on_error | authenticate_on_error]

# Defines which headers will be used as the "state" input for calculating the fingerprint of the browser
# during authentication. When not defined the default "user-agent" is used.
#OIDCStateInputHeaders [user-agent|x-forwarded-for|both|none]

# Define one or more regular expressions that specify URLs (or domains) allowed for post logout and
# other redirects such as the "return_to" value on refresh token requests, the "login_uri" value
# on session management based logins through the OP iframe, and the "target_link_uri" parameter in
# 3rd-party initiated logins, e.g.:
# OIDCRedirectURLsAllowed ^https://www\.example\.com ^https://(\w+)\.example\.org ^https://example\.net/app
# or:
# OIDCRedirectURLsAllowed ^https://www\.example\.com/logout$ ^https://www\.example\.com/app/return_to$
# When not defined, the default is to match the hostname in the URL redirected to against
# the hostname in the current request.
#OIDCRedirectURLsAllowed []+

# Defines the value of the X-Frame-Options header returned on OIDC front-channel logout requests.
# See also https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Frame-Options.
# For example:
# OIDCLogoutXFrameOptions: sameorigin
# or:
# OIDCLogoutXFrameOptions: allow-from https://provider.example.com/
# When not defined the default is "DENY".
#OIDCLogoutXFrameOptions

# Define the X-Forwarded-* or Forwarded headers that will be taken into account as set by a reverse proxy
# in front of mod_auth_openidc. Must be one or more of:
# X-Forwarded-Host
# X-Forwarded-Port
# X-Forwarded-Proto
# Forwarded
# When not defined, such headers will be ignored.
#OIDCXForwardedHeaders

```

Module location (find / -type f -iname mod_auth_openidc.so): /usr/lib/apache2/mod_auth_openidc.so

The module file is there apparently. Do you need more info?

(Ran from Raspberry PI 4B, arm64)

Alkarex commented 5 months ago

The first line reads `LoadModule auth_openidc_module modules/mod_auth_openidc.so`. That does not seem to be the correct path, is it? It could be good to compare with the x86_64 version.
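A check for the path mismatch raised above, added here as an example (it is not code from this thread, from FreshRSS or from mod_auth_openidc): it resolves the `LoadModule` path relative to `ServerRoot` the way Apache does and reports whether the file exists, listing where a `mod_auth_openidc.so` actually lives when it does not. The ServerRoot, the search directory and the two sample conf files built by `make_fixture` are assumptions constructed for the demo.

```shell
#!/bin/sh
# Added example, not from the issue thread or the FreshRSS/mod_auth_openidc projects.
# Resolves the LoadModule path in a mod_auth_openidc conf the way Apache does
# (a relative path is taken under ServerRoot) and checks that the file exists, so
# a "modules/mod_auth_openidc.so" line that does not match the real location
# (/usr/lib/apache2/mod_auth_openidc.so in the thread) is caught before startup.
# Assumptions (labelled): ServerRoot and the search directory are passed in by
# the caller; the conf files and module file built by make_fixture are constructed.

# resolve_module_path CONF SERVER_ROOT
# Prints the absolute path Apache would dlopen for auth_openidc_module.
resolve_module_path() {
    conf="$1"; root="$2"
    rel=$(awk '$1 == "LoadModule" && $2 == "auth_openidc_module" { print $3; exit }' "$conf")
    if [ -z "$rel" ]; then
        echo "no 'LoadModule auth_openidc_module' line in $conf" >&2
        return 2
    fi
    case "$rel" in
        /*) printf '%s\n' "$rel" ;;            # absolute: used as-is
        *)  printf '%s/%s\n' "$root" "$rel" ;; # relative: under ServerRoot
    esac
}

# check_module CONF SERVER_ROOT [SEARCH_DIR]
# Returns 0 when the module file the conf points at exists, 1 when it does not.
# On a miss it lists every mod_auth_openidc.so under SEARCH_DIR (default /usr/lib),
# which is the find command used in the thread, narrowed to one directory tree.
check_module() {
    search="${3:-/usr/lib}"
    path=$(resolve_module_path "$1" "$2") || return 2
    if [ -f "$path" ]; then
        echo "OK: $path"
        return 0
    fi
    echo "MISSING: $path (LoadModule path does not resolve under ServerRoot $2)" >&2
    echo "candidates under $search:" >&2
    find "$search" -type f -iname mod_auth_openidc.so 2>/dev/null >&2
    return 1
}

# make_fixture
# Builds a constructed, self-contained layout in a temp dir and prints its path:
#   etc/apache2/       ServerRoot without a modules/ directory
#   usr/lib/apache2/   where the (empty, fake) module file really is
#   broken.conf        the relative LoadModule line quoted in the thread
#   fixed.conf         the same directive pointing at the real location
make_fixture() {
    tmp=$(mktemp -d)
    mkdir -p "$tmp/etc/apache2" "$tmp/usr/lib/apache2"
    : > "$tmp/usr/lib/apache2/mod_auth_openidc.so"
    printf 'LoadModule auth_openidc_module modules/mod_auth_openidc.so\n' > "$tmp/broken.conf"
    printf 'LoadModule auth_openidc_module %s/usr/lib/apache2/mod_auth_openidc.so\n' "$tmp" > "$tmp/fixed.conf"
    printf '%s\n' "$tmp"
}

# Stand-alone demo (sh this_script.sh demo): run the check against both conf files.
if [ "${1:-}" = "demo" ]; then
    fx=$(make_fixture)
    check_module "$fx/broken.conf" "$fx/etc/apache2" "$fx/usr/lib" || echo "broken.conf: check failed (expected)"
    check_module "$fx/fixed.conf" "$fx/etc/apache2" "$fx/usr/lib"
    rm -rf "$fx"
fi
```

Against a real container the call is `check_module /path/to/mod-auth-openidc.conf /etc/apache2` (Debian) or with the Alpine ServerRoot, and the candidate list it prints is what the `LoadModule` line should be pointed at.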

mytlogos commented 5 months ago

Cannot compare it with the self-built version for now (user namespace is enabled on the x86_64 docker host, and the image build will fail there: `touch: /var/www/FreshRSS/Docker/env.txt: Permission denied`).

The current edge image does not have the oidc config.

mytlogos commented 5 months ago

Multipass VM on x86_64:

Contents of mod-auth-openidc.conf.bak

```
LoadModule auth_openidc_module modules/mod_auth_openidc.so

########################################################################################
#
# Common Settings
#
########################################################################################

# (Mandatory)
# The redirect_uri for this OpenID Connect client; this is a vanity URL
# that must ONLY point to a path on your server protected by this module
# but it must NOT point to any actual content that needs to be served.
# You can use a relative URL like /protected/redirect_uri if you want to
# support multiple vhosts that belong to the same security domain in a dynamic way
#OIDCRedirectURI https://www.example.com/protected/redirect_uri

# (Mandatory)
# Set a password for crypto purposes, this is used for:
# - encryption of the (temporary) state cookie
# - encryption of cache entries, that may include the session cookie, see: OIDCCacheEncrypt and OIDCSessionType
# Note that an encrypted cache mechanism can be shared between servers if they use the same OIDCCryptoPassphrase
# If the value begins with exec: the resulting command will be executed and the
# first line returned to standard output by the program will be used as the password, e.g:
# OIDCCryptoPassphrase "exec:/bin/bash -c \"head /dev/urandom | tr -dc A-Za-z0-9 | head -c 32\""
# (notice that the above typically only works in non-clustered environments)
# The command may be absolute or relative to the web server root.
#
# A second value can be used temporarily in case of passphrase rollover: the first (i.e. new) passphrase
# will be used for encryption of new values (including a "kid" in the JWEs during the time 2 values are defined),
# both values will be used for verification (leveraging the "kid" if present); for seamless rollover one should
# (at minimum) wait for OIDCSessionInActivityTimeout seconds before removing the 2nd (i.e. old) passphrase again.
#OIDCCryptoPassphrase [ | "exec:/path/to/otherProgram arg1" ] [ | "exec:/path/to/otherProgram arg2" ]

#
# All other entries below this are optional though some may be required in a
# particular setup e.g. OAuth 2.0 Resource Server vs. OpenID Connect Relying Party
#

# When using multiple OpenID Connect Providers, possibly combined with Dynamic Client
# Registration and account-based OP Discovery.
# Specifies the directory that holds metadata files (must be writable for the Apache process/user).
# When not specified, it is assumed that we use a single statically configured provider as
# described under the section "OpenID Connect Provider" below, most likely using OIDCProviderMetadataURL.
#OIDCMetadataDir /var/cache/apache2/mod_auth_openidc/metadata

########################################################################################
#
# OpenID Connect Provider
#
# For configuration of a single static provider, not using OpenID Connect Provider Discovery.
#
########################################################################################

# URL where OpenID Connect Provider metadata can be found (e.g. https://accounts.google.com/.well-known/openid-configuration)
# The obtained metadata will be cached and refreshed every 24 hours.
# If set, individual entries below will not have to be configured but can be used to add
# extra entries/endpoints to settings obtained from the metadata.
# If OIDCProviderMetadataURL is not set, the entries below it will have to be configured for a single
# static OP configuration or OIDCMetadataDir will have to be set for configuration of multiple OPs.
#OIDCProviderMetadataURL

# OpenID Connect Provider issuer identifier (e.g. https://localhost:9031 or https://accounts.google.com)
# Used when OIDCProviderMetadataURL is not defined or the metadata obtained from that URL does not set it.
#OIDCProviderIssuer

# OpenID Connect Provider Authorization Endpoint URL (e.g. https://localhost:9031/as/authorization.oauth2)
# Used when OIDCProviderMetadataURL is not defined or the metadata obtained from that URL does not set it.
#OIDCProviderAuthorizationEndpoint

# OpenID Connect Provider JWKS URL (e.g. https://localhost:9031/pf/JWKS)
# i.e. the URL on which the signing keys for this OP are hosted, in JWK formatting
# Used when OIDCProviderMetadataURL is not defined or the metadata obtained from that URL does not set jwks_uri.
#OIDCProviderJwksUri

# OpenID Connect Provider Signed JWKS URL (e.g. https://localhost:9031/pf/JWKS) followed by the verification key set
# formatted as either JWK or JWKS. The verification key set is used to verify the provided JWKs value.
# Specifying multiple keys allows the OP to rotate the key used for signing the JWKs.
# I.e. this is the URL on which the ID Token signing keys for this OP are hosted, in verifiable JWT formatting
# rather than relying on TLS for authentication and integrity protection.
# Used when OIDCProviderMetadataURL is not defined or the metadata obtained from that URL does not set signed_jwks_uri.
# When defined it takes precedence over OIDCProviderJwksUri
# Examples:
# OIDCProviderSignedJwksUri https://localhost:9031/pf/JWKS "{\"kty\":\"oct\", \"k\":\"AyM1SysPpbyDfgZld3umj1qzKObwVMkoqQ-EstJQLr_T-1qS0gZH75aKtMN3Yj0iPS4hcgUuTwjAzZr1Z9CAow\"}"
# OIDCProviderSignedJwksUri https://localhost:9031/pf/JWKS "{\"keys\":[{\"kty\":\"oct\", \"k\":\"AyM1SysPpbyDfgZld3umj1qzKObwVMkoqQ-EstJQLr_T-1qS0gZH75aKtMN3Yj0iPS4hcgUuTwjAzZr1Z9CAow\"}]}"
# NB: for multi-OP setups:
# the 1st parameter is not used, it needs to be set anyhow (e.g. to "") if you wish to use the 2nd parameter
# the 2nd parameter is the default verification JWK for content pulled from the signed_jwks_uri for all providers and
# it can be overridden with a per-provider key in the .conf file using the key: signed_jwks_uri_key
#OIDCProviderSignedJwksUri [ | ]

# The fully qualified names of the files that contain the X.509 certificates with the RSA/EC public
# keys that can be used for ID Token verification.
# NB: this is one or more key tuples where a key tuple consists of:
# ["sig:"|"enc:"][#]
# and the key identifier part is required when the ID Token contains a "kid" in its header.
# Specify the prefix "sig:" or "enc:" to indicate a key is specifically to be used for signing or encryption.
# When not defined, ID Token validation key material has to be obtained through OIDCProviderJwksUri or OIDCProviderMetadataURL
#OIDCProviderVerifyCertFiles (["sig:"|"enc:"][#])+

# OpenID Connect Provider Token Endpoint URL (e.g. https://localhost:9031/as/token.oauth2)
# Used when OIDCProviderMetadataURL is not defined or the metadata obtained from that URL does not set it.
#OIDCProviderTokenEndpoint

# Authentication method for the OpenID Connect Provider Token Endpoint.
# When "private_key_jwt" is used, OIDCPrivateKeyFiles and OIDCPublicKeyFiles must have been set.
# When not defined the default method from the specification is used, i.e. "client_secret_basic".
# Used when OIDCProviderMetadataURL is not defined or the metadata obtained from that URL does not set it.
# NB: this can be overridden for dynamic client registration on a per-OP basis in the .conf file using the key: token_endpoint_auth
#OIDCProviderTokenEndpointAuth [ client_secret_basic | client_secret_post | client_secret_jwt | private_key_jwt | none ]

# Extra parameters that need to be passed in the POST request to the Token Endpoint.
# Parameter names and values need to be provided in URL-encoded form.
# When not defined no extra parameters will be passed.
# NB: this can be overridden on a per-OP basis in the .conf file using the key: token_endpoint_params
#OIDCProviderTokenEndpointParams =[&=]*

# OpenID Connect Provider UserInfo Endpoint URL (e.g. https://localhost:9031/idp/userinfo.openid)
# When not defined no claims will be resolved from such endpoint.
# Used when OIDCProviderMetadataURL is not defined or the metadata obtained from that URL does not set it.
#OIDCProviderUserInfoEndpoint

# OpenID OP Check Session iFrame URL, for Session Management purposes.
# When not defined, no Session Management will be applied.
# Used when OIDCProviderMetadataURL is not defined or the metadata obtained from that URL does not set it.
#OIDCProviderCheckSessionIFrame

# OpenID OP End Session Endpoint URL, for Single Logout (Session Management) purposes.
# When not defined, no logout to the OP will be performed.
# Used when OIDCProviderMetadataURL is not defined or the metadata obtained from that URL does not set it.
#OIDCProviderEndSessionEndpoint

# Extra parameters that will be sent along with the Logout Request.
# These must be URL-query-encoded as in: "client_id=myclient&prompt=none".
# This is used against a statically configured (single) OP or serves as the default for discovered OPs.
# The default is to not add extra parameters.
# NB: this can be overridden on a per-OP basis in the .conf file using the key: logout_request_params
#OIDCLogoutRequestParams

# The RFC 7009 Token Revocation Endpoint URL.
# When defined, the refresh token and access token stored in an OIDC session will be revoked on logout.
# Used when OIDCProviderMetadataURL is not defined or the metadata obtained from that URL does not set it.
#OIDCProviderRevocationEndpoint

# Define whether the OP supports OpenID Connect Back Channel Logout.
# According to: https://openid.net/specs/openid-connect-backchannel-1_0.html
# Used when OIDCProviderMetadataURL is not defined or the metadata obtained from that URL does not set it.
#OIDCProviderBackChannelLogoutSupported [On|Off]

# Extra JSON parameters that need to be passed in the registration request to the Registration Endpoint.
# This setting serves as a default value for multiple OPs only.
# Parameter names and values need to be provided in JSON form and will be merged in to the request.
# When not defined no extra parameters will be passed.
# NB: this can be overridden on a per-OP basis in the .conf file using the key: registration_endpoint_json
#OIDCProviderRegistrationEndpointJson

# Define the OpenID Connect scope that is requested from the OP (eg. "openid email profile").
# When not defined, the bare minimal scope "openid" is used.
# NB: multiple scope values must be enclosed in a single pair of double quotes
# NB: this can be overridden on a per-OP basis in the .conf file using the key: scope
#OIDCScope ""

# Extra parameters that will be sent along with the Authorization Request.
# These must be URL-query-encoded as in: "display=popup&prompt=consent" or
# specific for Google's implementation: "approval_prompt=force".
# This is used against a statically configured (single) OP or serves as the default for discovered OPs.
# As an alternative to this option, one may choose to add the parameters as
# part of the URL set in OIDCProviderAuthorizationEndpoint or "authorization_endpoint"
# in the .provider metadata (though that would not work with Discovery OPs).
#
# One can pass on query parameters from the request to the authorization request by adding
# e.g. "foo=#" which will dynamically pull in the query parameter value from the
# request query parameter and add it to the authentication request to the OP.
#
# The default is to not add extra parameters.
# NB: this can be overridden on a per-OP basis in the .conf file using the key: auth_request_params
#OIDCAuthRequestParams

# Require a valid SSL server certificate when communicating with the OP.
# (i.e. on token endpoint, UserInfo endpoint and Dynamic Client Registration endpoint)
# When not defined, the default value is "On".
# NB: this can be overridden on a per-OP basis in the .conf file using the key: ssl_validate_server
#OIDCSSLValidateServer [On|Off]

# Sets the path to the CA bundle to be used by cURL
# When not defined, the default bundle for libcurl is used as provided by the platform.
#OIDCCABundlePath

# Require configured issuer to match the issuer returned in id_token.
# (Disable to support Azure AD multi-tenant applications.)
# When not defined, the default value is "On".
#OIDCValidateIssuer [On|Off]

# The refresh interval in seconds for the claims obtained from the userinfo endpoint
# When not defined the claims are retrieved only once, at session creation time.
# If refreshing fails, it is assumed that the access token is expired and an attempt will be made
# to refresh the access token using the refresh token grant, after which a second attempt is made
# to obtain claims from the userinfo endpoint with the new access token.
# NB: this can be overridden on a per-OP basis in the .conf file using the key: userinfo_refresh_interval
# The optional logout_on_error flag will make the user logout the current local session if the userinfo request fails.
# The optional authenticate_on_error flag sends the user for authentication when the userinfo request fails.
#OIDCUserInfoRefreshInterval [ logout_on_error | authenticate_on_error ]

# The refresh interval in seconds for the JWKs key set obtained from the jwks_uri and signed_jwks_uri.
# When not defined the default is 3600 seconds.
# NB: this can be overridden on a per-OP basis in the .conf file using the key: jwks_refresh_interval
# NB: this refresh interval is shared with OIDCOAuthVerifyJwksUri
#OIDCJWKSRefreshInterval

# Defines the way in which the access token will be presented to the userinfo endpoint
# "authz_header" means that the token will be presented in an "Authorization: Bearer" header using HTTP GET
# "post_param" means that the token will be presented a form-encoded POST parameter using HTTP POST
# When not defined the default is "authz_header".
# NB: this can be overridden on a per-OP basis in the .conf file using the key: userinfo_token_method
#OIDCUserInfoTokenMethod [authz_header|post_param]

# Defines the HTTP method used to pass the parameters in the Authentication Request to the Authorization Endpoint.
# "GET" means that the parameters will be passed as query parameters in an HTTP GET
# "POST" means that the parameters will be passed as form-post parameters in an HTTP POST
# When not defined the default is "GET".
# NB: this can be overridden on a per-OP basis in the .conf file using the key: auth_request_method
# OIDCProviderAuthRequestMethod [ GET | POST ]

# The fully qualified names of the files that contain the PEM-formatted RSA/EC Public key or a X.509 certificates
# that contain the RSA/EC public keys to be used for JWT (OP state/id_token) encryption by the OP.
# One of these keys must correspond to the private keys defined in OIDCPrivateKeyFiles.
# When not defined no encryption will be requested.
# You can also prefix with a JWK key identifier to manually override the automatically
# generated "kid" that will be used for this key in the JWKs derived from this certificate and
# published at OIDCClientJwksUri.
# Specify the prefix "sig:" or "enc:" to indicate a key is specifically to be used for signing or encryption.
# NB: this can be overridden on a per-OP basis in the .conf file using the key "keys" whose value is a JWK set/array (use=sign)
#OIDCPublicKeyFiles (["sig:"|"enc:"][#])+

# The fully qualified names of the files that contain the PEM-formatted RSA/EC private
# keys that can be used to decrypt content sent to us by the OP.
# These keys must correspond to the public keys defined in OIDCPublicKeyFiles.
# When not defined no decryption will be possible.
# NB: this can be overridden on a per-OP basis in the .conf file using the key "keys" whose value is a JWK set/array (use=enc)
#OIDCPrivateKeyFiles (["sig:"|"enc:"][#])+

########################################################################################
#
# OpenID Connect Client
#
# Settings used by the client in communication with the OpenID Connect Provider(s),
# i.e. in Authorization Requests, Dynamic Client Registration and UserInfo Endpoint access.
# These settings are used when a single static provider is configured and serve as defaults
# when multiple providers are configured.
#
########################################################################################

# The response type (or OpenID Connect Flow) used (this serves as default value for discovered OPs too)
# When not defined the "code" response type is used.
# NB: this can be overridden on a per-OP basis in the .conf file using the key: response_type
#OIDCResponseType ["code"|"id_token"|"id_token token"|"code id_token"|"code token"|"code id_token token"]

# The response mode used (this serves as default value for discovered OPs too)
# When not defined the default response mode for the requested flow (OIDCResponseType) is used.
# NB: this can be overridden on a per-OP basis in the .conf file using the key: response_mode
#OIDCResponseMode [fragment|query|form_post]

# Only used when a single static provider has been configured, see below in OpenID Connect Provider.
# Client identifier used in calls to the statically configured OpenID Connect Provider.
#OIDCClientID

# Only used when a single static provider has been configured, see below in OpenID Connect Provider.
# Client secret used in calls to the statically configured OpenID Connect Provider.
# (not used/required in the Implicit Client Profile, i.e. when OIDCResponseType is "id_token")
# If the value begins with exec: the resulting command will be executed and the
# first line returned to standard output by the program will be used as the
# secret. The command may be absolute or relative to the web server root.
#OIDCClientSecret [ | "exec:/path/to/otherProgram argument1" ]

# Filename with the PEM-formatted client certificate used to authenticate the Client in calls to the
# token endpoint of the OAuth 2.0 Authorization server.
# NB: this can be overridden on a per-OP basis in the .conf file using the key: token_endpoint_tls_client_cert
#OIDCClientTokenEndpointCert

# Filename with the PEM-formatted private key that belongs to the client certificate used to authenticate the
# Client in calls to the token endpoint of the OAuth 2.0 Authorization server.
# NB: this can be overridden on a per-OP basis in the .conf file using the key: token_endpoint_tls_client_key
#OIDCClientTokenEndpointKey

# Password for the PEM-formatted private key that belongs to the client certificate used to authenticate the
# Client in calls to the token endpoint of the OAuth 2.0 Authorization server.
# If the value begins with exec: the resulting command will be executed and the
# first line returned to standard output by the program will be used as the password.
# The command may be absolute or relative to the web server root.
# NB: this can be overridden on a per-OP basis in the .conf file using the key: token_endpoint_tls_client_key_pwd
#OIDCClientTokenEndpointKeyPassword [ | "exec:/path/to/otherProgram arg1" ]

# The client name that the client registers in dynamic registration with the OP.
# When not defined, no client name will be sent with the registration request.
# NB: this can be overridden on a per-OP basis in the .conf file using the key: client_name
#OIDCClientName

# The contacts that the client registers in dynamic registration with the OP.
# Must be formatted as e-mail addresses by specification.
# Single value only; when not defined, no contact e-mail address will be sent with the registration request.
# NB: this can be overridden on a per-OP basis in the .conf file using the key: client_contact
#OIDCClientContact

# The PKCE method used (this serves as default value for discovered OPs too)
# When not defined S256 is used.
# NB: this can be overridden on a per-OP basis in the .conf file using the key: pkce_method
#OIDCPKCEMethod [plain|S256|none]

# (used only in dynamic client registration)
# Define the Client JWKs URL (e.g. https://localhost/protected/?jwks=rsa) that will be
# used during client registration to point to the JWK set with public keys for this client.
# If not defined the default ?jwks=rsa will be used, on which a JWK set
# is automatically published based on the OIDCPublicKeyFiles setting so normally you don't
# need to touch this unless this client is on a (test) host that is not reachable from the internet.
# NB: this can be overridden on a per-OP basis in the .conf file using the key: client_jwks_uri
#OIDCClientJwksUri

# The algorithm that the OP should use to sign the id_token.
# When not defined the default that the OP should use by spec is RS256.
# (ES??? algorithms only supported when using OpenSSL >= 1.0)
# NB: this can be overridden on a per-OP basis in the .conf file using the key: id_token_signed_response_alg
#OIDCIDTokenSignedResponseAlg [RS256|RS384|RS512|PS256|PS384|PS512|HS256|HS384|HS512|ES256|ES384|ES512]

# The algorithm that the OP should use to encrypt the Content Encryption Key that is used to encrypt the id_token.
# When not defined the default (by spec) is that the OP does not encrypt the id_token.
# NB: this can be overridden on a per-OP basis in the .conf file using the key: id_token_encrypted_response_alg
#OIDCIDTokenEncryptedResponseAlg [RSA1_5|A128KW|A256KW|RSA-OAEP]

# The algorithm that the OP should use to encrypt the id_token with the Content Encryption Key.
# If OIDCIDTokenEncryptedResponseAlg is specified, the default for this value is A128CBC-HS256.
# When OIDCIDTokenEncryptedResponseEnc is included, OIDCIDTokenEncryptedResponseAlg MUST also be provided.
# (A256GCM algorithm only supported when using OpenSSL >= 1.0.1)
# NB: this can be overridden on a per-OP basis in the .conf file using the key: id_token_encrypted_response_enc
#OIDCIDTokenEncryptedResponseEnc [A128CBC-HS256|A256CBC-HS512|A256GCM]

# The algorithm that the OP should use to sign the UserInfo response
# When not defined the default (by spec) is that the OP does not sign the response.
# (ES??? algorithms only supported when using OpenSSL >= 1.0)
# NB: this can be overridden on a per-OP basis in the .conf file using the key: userinfo_signed_response_alg
#OIDCUserInfoSignedResponseAlg [RS256|RS384|RS512|PS256|PS384|PS512|HS256|HS384|HS512|ES256|ES384|ES512]

# The algorithm that the OP should use to encrypt the Content Encryption Key that is used to encrypt the UserInfo response.
# When not defined the default (by spec) is that the OP does not encrypt the response.
# NB: this can be overridden on a per-OP basis in the .conf file using the key: userinfo_encrypted_response_alg
#OIDCUserInfoEncryptedResponseAlg [RSA1_5|A128KW|A256KW|RSA-OAEP]

# The algorithm that the OP should use to encrypt the UserInfo response with the Content Encryption Key
# If OIDCUserInfoEncryptedResponseAlg is specified, the default for this value is A128CBC-HS256.
# When OIDCUserInfoEncryptedResponseEnc is included, OIDCUserInfoEncryptedResponseAlg MUST also be provided.
# (A256GCM algorithm only supported when using OpenSSL >= 1.0.1)
# NB: this can be overridden on a per-OP basis in the .conf file using the key: userinfo_encrypted_response_enc
#OIDCUserInfoEncryptedResponseEnc [A128CBC-HS256|A256CBC-HS512|A256GCM]

########################################################################################
#
# WARNING:
#
# THE OAUTH 2.0 RESOURCE SERVER FUNCTIONALITY IS DEPRECATED NOW AND SUPERSEDED
# BY A SEPARATE MODULE, SEE: https://github.com/OpenIDC/mod_oauth2
#
# OAuth 2.0 Resource Server Settings
#
# Used when this module functions as a Resource Server against an OAuth 2.0 Authorization
# Server, introspecting/validating bearer Access Tokens.
#
########################################################################################

# URL where Authorization Provider metadata can be found (e.g. https://example.com/.well-known/oauth-authorization-server)
# as defined in RFC 8414. The obtained metadata will be cached and refreshed every 24 hours.
# If set, individual entries below will not have to be configured but can be used to add
# extra entries/endpoints to settings obtained from the metadata.
# If OIDCOAuthServerMetadataURL is not set, the endpoint entries below it will have to be configured.
#OIDCOAuthServerMetadataURL

# (Mandatory when introspecting opaque access tokens, Optional when performing local JWT access token validation)
# OAuth 2.0 Authorization Server token introspection endpoint (e.g. https://localhost:9031/as/token.oauth2)
#OIDCOAuthIntrospectionEndpoint

# Client identifier used in token introspection calls to the OAuth 2.0 Authorization server.
#OIDCOAuthClientID

# Client secret used in token introspection calls to the OAuth 2.0 Authorization server.
#OIDCOAuthClientSecret

# Authentication method for the OAuth 2.0 Authorization Server introspection endpoint,
# Used to authenticate the client to the introspection endpoint e.g. with a client_id/client_secret
# when OIDCOAuthClientID and OIDCOAuthClientSecret have been set and "client_secret_basic" or "client_secret_post"
# has been configured.
# When "private_key_jwt" is used, OIDCPrivateKeyFiles and OIDCPublicKeyFiles must have been set.
# When not defined "client_secret_basic" is used.
#OIDCOAuthIntrospectionEndpointAuth [ client_secret_basic | client_secret_post | client_secret_jwt | private_key_jwt | bearer_access_token | none ]

# Used when "OIDCOAuthIntrospectionEndpointAuth bearer_access_token" is configured.
# Specifies a static token to be used for authorizing the call to the introspection endpoint.
# If empty, the introspected token will be used for authorization as well.
#OIDCOAuthIntrospectionClientAuthBearerToken [ a-static-bearer-token | ]

# Filename that contains the PEM-formatted client certificate used to authenticate the
# caller in token introspection calls to the OAuth 2.0 Authorization server.
#OIDCOAuthIntrospectionEndpointCert

# Filename that contains the PEM-formatted private key that belongs to the client certificate used
# to authenticate the caller in token introspection calls to the OAuth 2.0 Authorization server.
#OIDCOAuthIntrospectionEndpointKey

# Define the HTTP method to use for the introspection call. Must be GET or POST.
# When not defined the default is POST.
#OIDCOAuthIntrospectionEndpointMethod [POST|GET]

# Extra parameters that need to be passed in the POST request to the Introspection Endpoint.
# Parameter names and values need to be provided in URL-encoded form.
# When not defined no extra parameters will be passed.
#OIDCOAuthIntrospectionEndpointParams =[&=]*

# Name of the parameter whose value carries the access token value in a validation request to the token introspection endpoint.
# When not defined the default "token" is used.
#OIDCOAuthIntrospectionTokenParamName

# Defines the name of the claim that contains the token expiry timestamp, whether it is absolute (seconds since
# 1970), relative (seconds from now after which the token will expire), and whether it is optional.
# If the claim is optional and not found in the response, the introspection result will not be cached.
# (which means that the overall performance may suffer)
#
# Only applies when the "active" claim is not found in the introspection response, which is interpreted as
# an introspection method that does not conform to draft-ietf-oauth-introspection, but is custom.
#
# When not defined the default "expires_in" is used, the expiry is "relative" and mandatory, matching
# Google and PingFederate's introspection behavior.
#OIDCOAuthTokenExpiryClaim [absolute|relative] [mandatory|optional]

# Define the interval in seconds after which a cached and introspected access token needs
# to be refreshed by introspecting (and validating) it again against the Authorization Server.
# (can be configured on a per-path basis)
# When not defined the value is 0, which means it only expires after the `exp` (or alternative,
# see OIDCOAuthTokenExpiryClaim) hint as returned by the Authorization Server.
# When set to -1, caching of the introspection results is disabled and the token will be introspected
# on each request presenting it.
#OIDCOAuthTokenIntrospectionInterval

# Require a valid SSL server certificate when communicating with the Authorization Server
# on the token introspection endpoint. When not defined, the default value is "On".
#OIDCOAuthSSLValidateServer [On|Off]

# The symmetric shared key(s) that can be used for local JWT access token validation.
# NB: this is one or more key tuples where a key tuple consists of:
# ["sig:"|"enc:"]plain|b64|hex#[]#
# Specify the prefix "sig:" or "enc:" to indicate a key is specifically to be used for signing or encryption.
# When not defined, no access token validation with shared keys will be performed.
# Examples:
# - a plaintext secret and a key identifier (kid)
# plain#1#mysecret
# - a base64 encoded secret, no key identifier provided
# b64##AF515DE==
# - a hex encoded secret, no key identifier provided
# hex##ede012
#OIDCOAuthVerifySharedKeys (["sig:"|"enc:"]plain|b64|hex#[#])+

# The fully qualified names of the files that contain the X.509 certificates with the RSA/EC public
# keys that can be used for local JWT access token verification.
# NB: this is one or more key tuples where a key tuple consists of:
# ["sig:"|"enc:"][#]
# and the key identifier part is required when the JWT access token contains a "kid" in its header.
# Specify the prefix "sig:" or "enc:" to indicate a key is specifically to be used for signing or encryption.
# When not defined, no access token validation with statically configured certificates will be performed.
#OIDCOAuthVerifyCertFiles (["sig:"|"enc:"][#])+

# The JWKs URL on which the Authorization Server publishes the keys used to sign its JWT access tokens.
# When not defined local validation of JWTs can still be done using statically configured keys,
# by setting OIDCOAuthVerifyCertFiles and/or OIDCOAuthVerifySharedKeys.
#OIDCOAuthVerifyJwksUri

# The claim that is used when setting the REMOTE_USER variable on OAuth 2.0 protected paths.
# When not defined the default "sub" is used.
#
# An optional regular expression can be added as a 2nd parameter that will be applied to the
# claim value from the 1st parameter and the first match returned from that expression will
# be set as the REMOTE_USER. E.g. to strip a domain from an e-mail style address you'd use ^(.*)@
#
# An optional 3rd parameter can be added that would contain string with number backreferences.
# Backreferences must be in the form $1, $2.. etc.
# E.g.
to extract username in the form DOMAIN\userid from e-mail style address you may use # ^(.*)@([^.]+)\..+$ $2\\$1 #OIDCOAuthRemoteUserClaim [] [substitution-string] # Define the way(s) in which bearer OAuth 2.0 access tokens can be passed to this Resource Server. # Must be one or several of: # "header" : an "Authorization: bearer" header # "post" : an HTTP Post parameter called "access_token" # "query" : as an HTTP query parameter called "access_token" # "cookie" : as a cookie header called "PA.global" or using the name specified after ":" # "basic": as a HTTP Basic Auth (RFC2617, section 2) password, with any username # When not defined the default "header" is used. #OIDCOAuthAcceptTokenAs [header|post|query|cookie[:|basic]+ ######################################################################################## # # Cookie Settings # ######################################################################################## # Define the cookie path for the "state" and "session" cookies. # When not defined the default is a server-wide "/". #OIDCCookiePath # Specify the domain for which the "state" and "session" cookies will be set. # This must match the OIDCRedirectURI and the URL on which you host your protected # application. Use the literal value of the domain name that will end up in the "Domain" # attribute value for the Set-Cookie header, no leading dot required. # Example domain- (instead of default host-)wide cookie: # OIDCCookieDomain example.org # When not defined the default is the server hostname that is currently accessed. #OIDCCookieDomain # Define the cookie name for the session cookie. # When not defined the default is "mod_auth_openidc_session". #OIDCCookie # OpenID Connect session cookie chunk size. # When using "OIDCSessionType client-cookie" the session cookie may become quite large if a lot of session # data needs to be stored, typically the size depends on the "scopes" of information you request. 
# To work around cookie size limitations for most web browsers (usually 4096 bytes), the "client-cookie" will be split
# over a number of "chunked" cookies if the resulting session data is over a certain number of bytes.
# If you want to prevent splitting the session cookie regardless of its size, set the value to 0.
# When not defined the default chunk size is 4000 bytes.
#OIDCSessionCookieChunkSize

# Defines whether the HttpOnly flag will be set on cookies.
# When not defined the default is On.
#OIDCCookieHTTPOnly [On|Off]

# Defines whether the SameSite flag will be set on cookies.
# When On the following will apply:
#   state cookie:     Lax
#   session cookie:   Lax
#   x_csrf discovery: Strict
#
# The default `SameSite=None` cookie appendix on `Set-Cookie` response headers can be
# conditionally overridden using an environment variable in the Apache config as in:
#   SetEnvIf User-Agent ".*IOS.*" OIDC_SET_COOKIE_APPEND=;
#
# When not defined the default is On.
#OIDCCookieSameSite [On|Off]

# Specify the names of cookies to pick up from the browser and send along on backchannel
# calls to the OP and AS endpoints. This can be used for load-balancing purposes.
# When not defined, no such cookies are sent.
#OIDCPassCookies []+

# Specify the names of cookies to strip from the incoming request so they are not passed
# on to the target application(s). This may prevent a large set of chunked session cookies from
# being sent to the backend. In that case you'd set it to (when using the default OIDCCookie setting):
#   mod_auth_openidc_session mod_auth_openidc_session_chunks mod_auth_openidc_session_0 mod_auth_openidc_session_1
# When not defined, no cookies are stripped.
#OIDCStripCookies []+

# Specify the maximum number of state cookies, i.e. the maximum number of parallel outstanding
# authentication requests. See: https://github.com/OpenIDC/mod_auth_openidc/issues/331
# Setting this to 0 means unlimited, until the browser or server gives up, which is the
# behavior of mod_auth_openidc < 2.3.8, which did not have this configuration option.
#
# The optional second boolean parameter indicates whether the oldest state cookie(s) will be deleted,
# even if still valid; see #399.
#
# When not defined, the default is 7 and "false", thus the oldest cookie(s) will not be deleted.
#OIDCStateMaxNumberOfCookies [false|true]

# Define the cookie prefix for the state cookie.
# When not defined the default is "mod_auth_openidc_state_".
#OIDCStateCookiePrefix

########################################################################################
#
# Session Settings (only relevant in an OpenID Connect Relying Party setup)
#
########################################################################################

# Interval in seconds after which the session will be invalidated when no interaction has occurred.
# When not defined, the default is 300 seconds.
#OIDCSessionInactivityTimeout

# Maximum duration of the application session.
# When not defined the default is 8 hours (3600 * 8 seconds).
# When set to 0, the session duration will be set equal to the expiry time of the ID token.
# NB: this can be overridden on a per-OP basis in the .conf file using the key: session_max_duration
#OIDCSessionMaxDuration

# OpenID Connect session storage type.
#   "server-cache"  server-side caching storage.
#   "client-cookie" uses browser-side sessions stored in a cookie; see also OIDCSessionCookieChunkSize above.
# A suffix ":persistent" can be added if you want to use a persistent cookie that survives browser restarts
# instead of a session cookie that is tied to the lifetime of the browser session.
# The "expires" value of the persistent cookie is controlled by the OIDCSessionInactivityTimeout setting.
# A suffix ":store_id_token" can be added to "client-cookie" if you want the id_token to be stored
# in the session to be used as id_token_hint in a logout request to the OP later.
# When not defined the default "server-cache" is used.
#OIDCSessionType server-cache[:persistent] | client-cookie[:persistent | :store_id_token | :persistent:store_id_token ]

# Fallback to "OIDCSessionType client-cookie" when "OIDCSessionType server-cache" is set and the primary
# cache mechanism (e.g. memcache or redis) fails. Note that this will come at a cost of:
#   a) performance
#      1) since on each subsequent request the primary cache will still be polled and
#         failback will happen as soon as the primary cache is available again
#      2) information other than sessions cannot be cached, e.g. resolved access tokens or metadata; see: OIDCCacheType
#   b) security, since nonces and jtis are not cached, see: OIDCCacheType
#   c) (prototype) functionality, since request_uris won't work anymore
# When not defined the default is "Off".
#OIDCSessionCacheFallbackToCookie [On|Off]

########################################################################################
#
# Cache Settings
#
########################################################################################

# Cache type, used for temporary storage that is shared across Apache processes/servers for:
# - authenticated user session state
# - nonce values from authorization requests (to prevent replay attacks)
# - validated OAuth 2.0 access tokens
# - refresh tokens during their usage in a refresh token request, i.e.
#   refreshing an access token and possibly the refresh token itself
# - JWK sets that have been retrieved from jwk_uri's (to validate id_token, logout_token, JWT access_token and JWT userinfo response)
# - resolved OP metadata when using OIDCProviderMetadataUrl and/or OIDCOAuthServerMetadataURL
# - jti values from logout_token when receiving Backchannel Logout requests
# - temporary state associated with Request URI's
# - signed JWTs when using OIDCPassUserInfoAs signed_jwt and environment variable OIDC_USERINFO_SIGNED_JWT_CACHE_TTL
# - JQ filter results when using OIDCFilterClaimsExpr and/or OIDCUserInfoClaimsExpr and/or Require claims_expr
# Must be one of "shm", "memcache", "file" or, if Redis support is compiled in, "redis".
# When not defined, "shm" (shared memory) is used.
#OIDCCacheType [shm|memcache|file[|redis]]

# Indicate whether data in the cache backend should be encrypted.
# When not defined the default is "Off" for the "shm" backend and "On" for all other cache backends.
#OIDCCacheEncrypt [On|Off]

# When using OIDCCacheType "shm":
# Specifies the maximum number of name/value pair entries that can be cached.
# When caching a large number of entries the cache size limit may be reached and the
# least recently used entry will be overwritten. If this happens within 1 hour,
# errors will be displayed in the error.log and the OIDCCacheShmMax value may be increased.
# When not specified, a default of 10000 entries is used.
# OIDCCacheShmMax

# When using OIDCCacheType "shm":
# Specifies the maximum size for a single cache entry in bytes with a minimum of 8736 bytes.
# The value must be a multiple of 8 bytes.
# When caching large values such as numbers of attributes in a session or large metadata documents the
# entry size limit may be overrun, in which case errors will be displayed in the error.log
# and the OIDCCacheShmEntrySizeMax value has to be increased.
# When not specified, a default entry size of 16928 bytes (16384 value + 512 key + 32 overhead) is used.
# OIDCCacheShmEntrySizeMax

# When using OIDCCacheType "file":
# Directory that holds cache files; must be writable for the Apache process/user.
# When not specified a system defined temporary directory (/tmp) will be used.
#OIDCCacheDir /var/cache/apache2/mod_auth_openidc/cache

# When using OIDCCacheType "file":
# Cache file clean interval in seconds (only triggered on writes).
# When not specified a default of 60 seconds is used.
# OIDCCacheFileCleanInterval

# Required when using OIDCCacheType "memcache":
# Specifies the memcache servers used for caching as a space separated list of [:] tuples.
#OIDCMemCacheServers "([:])+"

# Minimum number of connections to each Memcache server per process. Defaults to
# OIDCMemCacheConnectionsHMax.
#OIDCMemCacheConnectionsMin

# All connections above this limit will be closed if they have been idle for
# more than OIDCMemCacheConnectionsTTL. Defaults to OIDCMemCacheConnectionsHMax.
#OIDCMemCacheConnectionsSMax

# Maximum number of connections to each Memcache server per process. Defaults to
# ThreadsPerChild or, if mod_http2 is loaded, to ThreadsPerChild - 1 + H2MaxWorkers.
#OIDCMemCacheConnectionsHMax

# Maximum time in seconds a connection to a Memcache server can be idle before
# being closed. Defaults to 60 seconds.
# Only for Apache >= 2.4.x: by adding a postfix of ms, the timeout can also be
# set in milliseconds.
#OIDCMemCacheConnectionsTTL

# Required if Redis support is compiled in and when using OIDCCacheType "redis":
# Specifies the Redis server used for caching as a [:] tuple.
#OIDCRedisCacheServer [:]

# Password to be used if the Redis server requires authentication: http://redis.io/commands/auth
# When not specified, no authentication is performed.
#OIDCRedisCachePassword

# Username to be used if the Redis server requires authentication: http://redis.io/commands/auth
# NB: this can only be used with Redis 6 (ACLs) or later.
# When not specified, the implicit user "default" is used.
#OIDCRedisCacheUsername

# Logical database to select on the Redis server: https://redis.io/commands/select
# When not defined the default database 0 is used.
#OIDCRedisCacheDatabase

# Timeout (in seconds) for connecting to the Redis servers.
# An optional 2nd parameter can be supplied to set the keepalive interval (in seconds) on the
# TCP connection to the Redis server. 0 disables keepalive.
# NB: the interval setting only works when compiled and running with hiredis >= 1.2.0;
# when compiled and running with hiredis < 1.2.0 any value > 0 will apply the default interval.
# When not defined the default connect timeout is 5 seconds and the default hiredis keepalive (15s) is applied.
#OIDCRedisCacheConnectTimeout [0|]

# Timeout waiting for a response of the Redis servers after a request was sent.
# When not defined the default timeout is 5 seconds.
#OIDCRedisCacheTimeout

########################################################################################
#
# Advanced Settings
#
########################################################################################

# Defines an external OP Discovery page. That page will be called with:
#   ?oidc_callback=
# Additional parameters may be added, a.o. `target_link_uri`, `x_csrf` and `method`.
#
# An Issuer selection can be passed back to the callback URL as in:
#   ?iss=[${issuer}|${domain}|${e-mail-style-account-name}][parameters][&login_hint=][&scopes=][&auth_request_params=]
# where the parameter contains the URL-encoded issuer value of
# the selected Provider, or a URL-encoded account name for OpenID
# Connect Discovery purposes (aka. e-mail style identifier), or a domain name.
# [parameters] contains the additional parameters that were passed in on the discovery request (e.g.
#   target_link_uri=&x_csrf=&method=&scopes=)
#
# When not defined the bare-bones internal OP Discovery page is used.
#OIDCDiscoverURL

# Defines a default URL to be used in case of 3rd-party-init-SSO when no explicit target_link_uri
# has been provided. The user is also redirected to this URL in case an invalid authorization
# response was received.
# The default is to not redirect the browser to any URL but return an HTTP/HTML error to the user.
#OIDCDefaultURL

# Defines a default URL where the user is sent to after logout, which may be overridden explicitly during logout.
# When not defined and no URL was passed explicitly, a default internal page will be shown.
#OIDCDefaultLoggedOutURL

# Define the OpenID Connect scope(s) that are requested from the OP (e.g. "admin edit")
# on a per-path basis in addition to the per-provider configured scopes (OIDCScope).
# Multiple scope values must be enclosed in a single pair of double quotes.
# Apache expressions can be used to pass dynamic runtime determined values.
# The default is to not add extra scopes.
#OIDCPathScope ""

# Extra parameters that will be sent along with the Authorization Request.
# These must be URL-query-encoded as in: "display=popup&prompt=consent".
# This can be configured on a per-path basis across all configured Providers.
# One can pass on query parameters from the request to the authorization request by adding
# e.g. "foo=#" which will dynamically pull in the query parameter value from the
# request query parameter and add it to the authentication request to the OP.
# Apache expressions can be used to pass dynamic runtime determined values.
# The default is to not add extra parameters.
#OIDCPathAuthRequestParams

# Acceptable offset (before and after) for checking the "iat" (= issued at) timestamp in the id_token.
# When not defined the default is 600 seconds.
# NB: this can be overridden on a per-OP basis in the .conf file using the key: idtoken_iat_slack
#OIDCIDTokenIatSlack

# The prefix to use when setting claims (openid-connect or oauth20) in the HTTP headers/environment variables.
# This prefix should not be set to "" except when combined with OIDCWhiteListedClaims to maintain a secure setup.
# When not defined, the default "OIDC_CLAIM_" is used.
#OIDCClaimPrefix

# The delimiter to use when setting multi-valued claims (openid-connect or oauth20) in the HTTP headers/environment variables.
# When not defined the default "," is used.
#OIDCClaimDelimiter

# The claim that is used when setting the REMOTE_USER variable on OpenID Connect protected paths.
# If the claim name is postfixed with a "@", the claim value will be post-fixed with the
# "iss" value (with leading "https://" stripped) to make this value unique across different OPs.
# When not defined the default "sub@" is used.
#
# An optional regular expression can be added as a 2nd parameter that will be applied to the
# resulting value from the 1st parameter and the first match returned from that expression will
# be set as the REMOTE_USER. E.g. to strip a domain from an e-mail style address you'd use ^(.*)@
#
# An optional 3rd parameter can be added that would contain a string with numbered backreferences.
# Backreferences must be in the form $1, $2.. etc.
# E.g. to extract a username in the form DOMAIN\userid from an e-mail style address you may use
#   ^(.*)@([^.]+)\..+$ $2\\$1
#OIDCRemoteUserClaim [@] [] [substitution-string]

# Define the way(s) in which the id_token contents are passed to the application according to OIDCPassClaimsAs.
# Must be one or several of:
#   "claims"     : the claims in the id_token are passed in individual headers/environment variables
#   "payload"    : the payload of the id_token is passed as a JSON object in the "OIDC_id_token_payload" header/environment variable
#   "serialized" : the complete id_token is passed in compact serialized format in the "OIDC_id_token" header/environment variable
# Note that when OIDCSessionType client-cookie is set, the id_token itself is not stored in the session/cookie (unless explicitly
# configured to do so) and as such the header for the "serialized" option will not be set.
# Can be configured on a per Directory/Location basis. When not defined the default "claims" is used.
#OIDCPassIDTokenAs [claims|payload|serialized]+

# Define the way(s) in which the claims resolved from the userinfo endpoint are passed to the application according to OIDCPassClaimsAs.
# Must be one or several of:
#   "claims"      : the userinfo claims are passed in individual headers/environment variables
#   "json[:       header/environment variable
#   "jwt[:        header/environment variable
#   "signed_jwt[: header/environment variable
#     - requires OIDCPrivateKeyFiles/OIDCPublicKeyFiles set with an RSA key (RS256) or a prime256v1 Elliptic Curve key(s) (ES256);
#       the first RSA/EC signing key in the configured list will be used
#     - the "expires_in" hint from the access_token is used in the "exp" claim; defaults to 60 seconds if not returned by the OP.
#     - caching of the signed JWT (use with care only) can be configured using:
#         SetEnvIfExpr true OIDC_USERINFO_SIGNED_JWT_CACHE_TTL=
#       or for the duration of the (possibly processed) "exp" claim when set to "0"
# Can be configured on a per Directory/Location basis. When not defined the default "claims" is used.
#OIDCPassUserInfoAs [claims|json[:]|jwt[:]|signed_jwt[:]]+

# Only when compiled in with libjq (https://stedolan.github.io/jq/manual/) support: process the claims
# returned from the userinfo endpoint with a JQ-based expression before propagating them according
# to OIDCPassUserInfoAs claims|json|signed_jwt (i.e. does not work for "OIDCPassUserInfoAs jwt").
#
# Overwrite the default (provider) "iss" claim, and delete the default "aud" and "name" claims:
#   '. + { iss: "https://myissuer.com" } | del(.aud, .name)'
# Add a new claim with a variable value obtained from an Apache expression https://httpd.apache.org/docs/2.4/expr.html:
# (be aware that when used with "OIDCPassUserInfoAs signed_jwt" it results in a cached JWT per-user/per-path)
#   '. + { path: "%{REQUEST_URI}" }'
# Keep sub only:
#   '{ sub: .sub }'
# Filter out all elements in the "groups" array of strings that contain "DC=Company":
#   '. + { groups: (.groups - (.groups | map(select(contains("DC=Company"))))) }'
# Filter out all elements in the "groups" array of strings that match regular expression ^CN=test-.* :
#   '. + { groups: (.groups - (.groups | map(select(match("^CN=test-.*"; "g"))))) }'
# Can be configured on a per Directory/Location basis. When not defined no processing will be applied.
#OIDCUserInfoClaimsExpr

# Only when compiled in with libjq (https://stedolan.github.io/jq/manual/) support: applies
# a JQ filter to claims in both the id_token and the claims returned from the userinfo endpoint
# before storing them in the session, after applying (optional) toplevel blacklisting/whitelisting
# with OIDCBlackListedClaims/OIDCWhiteListedClaims, e.g.:
# filter out all elements in the "groups" array of strings that match regular expression ^CN=test-.* :
#   '. + { groups: (.groups - (.groups | map(select(match("^CN=test-.*"; "g"))))) }'
# whitelist only "name" and "sub" claims:
#   '{name, sub}'
# delete "groups", "exp" and "iat":
#   'del(.groups,.exp,.iat)'
# When not defined no processing will be applied and all claims will be stored in the session.
#OIDCFilterClaimsExpr

# Define the way in which the (processed) claims and tokens are passed to the application environment:
#   "none"        : no claims/tokens are passed
#   "environment" : claims/tokens are passed as environment variables
#   "headers"     : claims/tokens are passed in headers (also useful in reverse proxy scenarios)
#   "both"        : claims/tokens are passed as both headers as well as environment variables (default)
#
# A second parameter can be specified that defines the encoding applied to all values passed in headers
# and environment variables:
#   "latin1"    applies ISO-8859-1 encoding: this may result in out of bound characters converted to the "?" character.
#   "base64url" applies base64url encoding
#   "none"      applies no encoding and copies literal values from the claims into the headers/environment variables
# When not defined the default is "both" and "latin1" encoding is applied to the header/environment values.
#
# The access token is passed in OIDC_access_token; the access token expiry is passed in OIDC_access_token_expires.
# The refresh token is only passed in OIDC_refresh_token if enabled for that specific directory/location (see: OIDCPassRefreshToken).
#OIDCPassClaimsAs [none|headers|environment|both] [latin1|base64url|none]

# Specify the HTTP header variable name to set with the name of the authenticated user,
# i.e. copy what is set in REMOTE_USER and configured in OIDCRemoteUserClaim or OIDCOAuthRemoteUserClaim.
# When not defined no such header is added.
# This setting can be configured for both the "openid-connect" and "oauth20" AuthType on
# a server-wide or directory level.
#OIDCAuthNHeader

# Timeout in seconds for long duration HTTP calls.
# This defines the maximum duration that a request may take
# to complete and is used for most requests to remote endpoints/servers.
# The optional parameter specifies the connect timeout in seconds, as part of the overall request timeout.
# The optional parameter specifies the number of retry attempts in case of connectivity errors.
# When not defined the default of 30 seconds is used, with a 10 second connect timeout, using 1 retry after
# an interval of 500ms.
#OIDCHTTPTimeoutLong [] [[:]]

# Timeout in seconds for short duration HTTP calls. This defines the maximum duration that a request may take
# to complete and is used for Client Registration and OP Discovery requests.
# The optional parameter specifies the connect timeout in seconds, as part of the overall request timeout.
# The optional parameter specifies the number of retry attempts in case of connectivity errors.
# When not defined the default of 5 seconds is used, with a 2 second connect timeout, using 1 retry with
# an interval of 500ms.
#OIDCHTTPTimeoutShort [] [[:]]

# Time to live in seconds for the state parameter, i.e. the interval in which the authorization request
# and the corresponding response need to be processed. When not defined the default of 300 seconds is used.
#OIDCStateTimeout

# Specify an outgoing proxy for your network. When running on a platform with a recent version of
# libcurl you can also specify the network protocol, see: https://curl.se/libcurl/c/CURLOPT_PROXY.html
# When not defined no outgoing proxy is used.
#OIDCOutgoingProxy [://][:] [:] [basic|digest|negotiate|ntlm|any]

# Defines the action to be taken when an unauthenticated request is made.
#
#   "auth" means that the user is redirected to the OpenID Connect Provider or Discovery page.
#   "401"  means that HTTP 401 Unauthorized is returned.
#   "407"  means that HTTP 407 Proxy Authentication Required is returned.
#   "410"  means that HTTP 410 Gone is returned.
#   "pass" means that an unauthenticated request will pass but claims will still be passed when a user happens to be authenticated already.
#
# Useful in Location/Directory/Proxy path contexts that serve AJAX/Javascript calls and for "anonymous access".
#
# When not defined the default is "auth" with auto-detection of requests that would not be able to complete
# an authentication round trip to the OpenID Connect Provider, which would receive a 401.
# The default auto-detection algorithm looks for the "X-Requested-With: XMLHttpRequest" header/value, or
# the presence of a Sec-Fetch-Mode header with a value that is not equal to "navigate", or the presence of
# a Sec-Fetch-Dest header with a value that is not equal to "document", or the absence of
# an "Accept" header with any of the values "text/html", "application/xhtml+xml" or "*/*",
# and returns 401 for such non-auth-capable requests, e.g. XML HTTP Requests, image loading requests etc.
# that would create a state cookie but never return to delete it.
# See: https://github.com/OpenIDC/mod_auth_openidc/wiki/Cookies#tldr
#
# Only for Apache >= 2.4.x:
# Since version 2.4.4 a boolean Apache expression can be given as the second parameter to specify which requests
# need to match to return the configured value in the first parameter, overriding the default "auth".
# See also: https://httpd.apache.org/docs/2.4/expr.html.
# E.g. to only return 401 for cURL based user agents and "auth" for any other browsers/user agents:
#   OIDCUnAuthAction 401 "%{HTTP_USER_AGENT} =~ /curl/"
# to effectively override the default XML request detection algorithm by ignoring the Sec-Fetch-Mode,
# Sec-Fetch-Dest and Accept headers:
#   OIDCUnAuthAction 401 "%{HTTP:X-Requested-With} == 'XMLHttpRequest'"
# to return 401 for all user agents that do not send an Accept header that includes a "text/html" value:
#   OIDCUnAuthAction 401 "%{HTTP_ACCEPT} !~ m#text/html#"
# or as a more complex example, which equals the default XML request detection algorithm:
#   OIDCUnAuthAction 401 "%{HTTP:X-Requested-With} == 'XMLHttpRequest' \
#     || ( -n %{HTTP:Sec-Fetch-Mode} && %{HTTP:Sec-Fetch-Mode} != 'navigate' ) \
#     || ( -n %{HTTP:Sec-Fetch-Dest} && %{HTTP:Sec-Fetch-Dest} != 'document' ) \
#     || ( ( %{HTTP_ACCEPT} !~ m#text/html# ) \
#       && ( %{HTTP_ACCEPT} !~ m#application/xhtml\+xml# ) \
#       && ( %{HTTP_ACCEPT} !~ m#\*/\*# ) )"
# To enable authentication in an iframe you need to change the Sec-Fetch-Dest part above into:
#     || ( -n %{HTTP:Sec-Fetch-Dest} && %{HTTP:Sec-Fetch-Dest} != 'iframe' && %{HTTP:Sec-Fetch-Dest} != 'document') \
# To disable auto-detection of XML HTTP requests altogether and unconditionally return "auth" for all clients:
#   OIDCUnAuthAction auth true
# Note that actually *any* expression value in "OIDCUnAuthAction auth " will *always* render "auth"
# (even when set to "false"...) because of the default, so using a value (other than "true") only
# makes sense in combination with one of the values other than "auth".
#OIDCUnAuthAction [auth|pass|401|407|410] []

# Defines the action to be taken when an unauthorized request is made, i.e. the user is authenticated but
# does not meet the `Require claim <>` directives or similar.
#   "401"  return HTTP 401 Unauthorized with optional text message if specified in
#   "403"  return HTTP 403 Forbidden with optional text message; NB: for Apache 2.4 this is controlled by the AuthzSendForbiddenOnFailure directive!
#   "302"  redirect to the URL specified in the parameter
#   "auth" redirect the user to the OpenID Connect Provider or Discovery page for authentication ( is unused)
# Useful in Location/Directory/Proxy path contexts that need to do step-up authentication.
# Be aware that this will only work in combination with a single Require statement or RequireAll,
# so using RequireAny and multiple Require statements is not supported.
# When not defined the default "403" is used. However, Apache 2.4 will change this to 401 unless you set "AuthzSendForbiddenOnFailure on".
#OIDCUnAutzAction [401|403|302|auth] []

# Indicates whether POST data will be preserved across authentication requests (and discovery in case of multiple OPs).
# This is designed to prevent data loss when a session timeout occurs in a (long) user filled HTML form.
# It cannot handle arbitrary payloads for security (DOS) reasons, merely form-encoded user data.
# Preservation is done via HTML 5 session storage: note that this can lead to private data exposure on shared terminals.
# The default is "Off" (for security reasons). Can be configured on a per Directory/Location basis.
#OIDCPreservePost [On|Off]

# POST preserve and restore templates to be used with OIDCPreservePost.
# The preserve template needs to contain two "%s" characters:
#   the first for the JSON formatted POST data, the second for the URL to redirect to after preserving.
# The restore template needs to contain one "%s":
#   the (original) URL to POST the restored data to.
# The default is to use internal templates.
#OIDCPreservePostTemplates

# Indicates whether the access token and access token expiry will be passed to the application in a header/environment variable, according
# to the OIDCPassClaimsAs directive.
# Can be configured on a per Directory/Location basis. The default is "On".
#OIDCPassAccessToken [On|Off]

# Indicates whether the refresh token will be passed to the application in a header/environment variable, according
# to the OIDCPassClaimsAs directive.
# Can be configured on a per Directory/Location basis. The default is "Off".
#OIDCPassRefreshToken [On|Off]

# Request Object/URI settings expressed as a string that is a "double-quote-escaped" JSON object. For example:
#   "{ \"copy_from_request\": [ \"claims\", \"response_type\", \"response_mode\", \"login_hint\", \"id_token_hint\", \"nonce\", \"state\", \"redirect_uri\", \"scope\", \"client_id\" ], \"static\": { \"some\": \"value\", \"some_nested\": { \"some_array\": [ 1,2,3] } }, \"crypto\": { \"sign_alg\": \"HS256\", \"crypt_alg\": \"A256KW\", \"crypt_enc\": \"A256CBC-HS512\" }, \"url\": \"https://www.openidc.com/protected/\", \"request_object_type\" : \"request\" }"
# Parameters:
#   copy_from_request (array)            : array of query parameter names copied from request
#   copy_and_remove_from_request (array) : array of parameter names copied from request and removed as query parameter
#   static (object)                      : parameter value is merged to the request object
#   ttl (number)                         : number of seconds before the request object expires (default is 30 seconds);
#                                          translates to the `exp` claim in the request object
#   crypto (object)                      : defines cryptography used to create the request object
#     sign_alg (string)  : algorithm used to sign the request object (JWS alg parameter)
#     crypt_alg (string) : algorithm used to encrypt the CEK of the request object (JWE alg parameter)
#     crypt_enc (string) : algorithm used to encrypt the request object (JWE enc parameter)
#   url (string)                         : use this url instead of redirect_uri for request_uri
#   request_object_type (string)         : parameter used for sending the authorization request object:
#                                          "request_uri" (default) or "request"
# NB: this can be overridden on a per-OP basis in the .conf file using the key: request_object
#OIDCRequestObject

# Provider metadata refresh interval for the metadata in a multi-provider setup (with OIDCMetadataDir).
# When not defined the default is 0 seconds, i.e. it is never refreshed.
# Also used in a single provider setup with OIDCProviderMetadataURL, but 0 then means the default of 1 day.
#OIDCProviderMetadataRefreshInterval

# Define the data that will be returned upon calling the info hook.
# The data can be JSON formatted using ?info=json, or HTML formatted, using ?info=html.
#   iat (int)                  : Unix timestamp indicating when this data was created
#   access_token (string)      : the access token
#   access_token_expires (int) : the Unix timestamp which is a hint about when the access token will expire (as indicated by the OP)
#   id_token (object)          : the claims presented in the ID token
#   id_token_hint (string)     : the serialized ID token
#   userinfo (object)          : the claims resolved from the UserInfo endpoint
#   refresh_token (string)     : the refresh token (if returned by the OP)
#   exp (int)                  : the maximum session lifetime (Unix timestamp in seconds)
#   timeout (int)              : the session inactivity timeout (Unix timestamp in seconds)
#   remote_user (string)       : the remote user name
#   session (object)           : (for debugging) mod_auth_openidc specific session data such as "remote user", "session expiry", "session id" and a "state" object
# Note that when using ProxyPass / you may have to add a proxy exception for the Redirect URI
# for this to work, e.g. ProxyPass /redirect_uri !
# NB: whatever is listed here is readable by any script running in the user's browser session
# (including an injected one), so expose access_token, refresh_token and id_token_hint only when
# the front-end really needs them.
# When not defined the session hook will not return any data but a HTTP 404.
#OIDCInfoHook [iat|access_token|access_token_expires|id_token|id_token_hint|userinfo|refresh_token|exp|timeout|remote_user|session]+

# Specify metrics that you wish to collect and keep in shared memory for retrieval.
# Supported metrics classes are:
#   authtype  Request counter, overall and per AuthType: openid-connect, oauth20 and auth-openidc.
#   authn     Authentication request creation and response processing.
# authz Authorization errors per OIDCUnAuthzAction (per Require statement, not overall). # require.claim Match/failure count of Require claim directives (per Require statement, not overall). # provider Requests to the provider [token, userinfo, metadata] endpoints. # session Existing session processing. # cache Cache read/write timings and errors. # redirect_uri Requests to the Redirect URI, per type. # content Requests to the content handler, per type of request: info, metrics, jwks, etc. # When not defined no metrics will be recorded. #OIDCMetricsData [ authtype | authn | authz | require.claim | requests | session | cache | redirect_uri | content ]+ # Specify the path where metrics are published and can be consumed. # The format parameter can be passed to specify the format in which the collected data is returned. # format=prometheus Prometheus text-based exporter # format=json (non-standard) JSON with descriptions and names # format=status short text based status message "OK" plus optional counter (&vhost=&counter=) # format=internal internal terse JSON for debugging purposes # The default is "prometheus". # Protect protect this path (e.g. Require host localhost) or serve it on an internal co-located vhost/port. # When not defined, no metrics will be published on the enclosing vhost. #OIDCMetricsPublish # Set a traceparent HTTP header on outgoing requests to the provider and proxied requests. # propagate: propagate any existing traceparent header on requests to the Provider (it's proxied as it is) # generate: generate a traceparent header, possibly overwriting an existing one # The default is to not add (or overwrite) a traceparent header. #OIDCTraceParent generate | propagate # Specify claims that should be removed from the userinfo and/or id_token before storing them in the session. 
# Note that OIDCBlackListedClaims takes precedence over OIDCWhiteListedClaims # When not defined no claims are blacklisted and all claims are stored except when OIDCWhiteListedClaims is used. #OIDCBlackListedClaims []+ # Specify claims from the userinfo and/or id_token that should be stored in the session (all other claims will be discarded). # Note that OIDCBlackListedClaims takes precedence over OIDCWhiteListedClaims # When not defined no claims are whitelisted and all claims are stored except when blacklisted with OIDCBlackListedClaims. #OIDCWhiteListedClaims []+ # Specify the minimum time-to-live for the access token stored in the OIDC session. # When the access token expiry timestamp (at least the hint given to that) is less than this value, # an attempt will be made to refresh the access token using the refresh token grant type towards the OP. # This only has an effect if a refresh token was actually returned from the OP and an "expires_in" hint # was returned as part of the authorization response and subsequent refresh token responses. # When not defined no attempt is made to refresh the access token (unless implicitly through OIDCUserInfoRefreshInterval) # The optional logout_on_error flag makes the refresh logout the current local session if the refresh fails. # The optional authenticate_on_error flag sends the user for authentication when the refresh fails. #OIDCRefreshAccessTokenBeforeExpiry [logout_on_error | authenticate_on_error] # Defines which headers will be used as the "state" input for calculating the fingerprint of the browser # during authentication. When not defined the default "user-agent" is used. 
#OIDCStateInputHeaders [user-agent|x-forwarded-for|both|none] # Define one or more regular expressions that specify URLs (or domains) allowed for post logout and # other redirects such as the "return_to" value on refresh token requests, the "login_uri" value # on session management based logins through the OP iframe, and the "target_link_uri" parameter in # 3rd-party initiated logins, e.g.: # OIDCRedirectURLsAllowed ^https://www\.example\.com ^https://(\w+)\.example\.org ^https://example\.net/app # or: # OIDCRedirectURLsAllowed ^https://www\.example\.com/logout$ ^https://www\.example\.com/app/return_to$ # When not defined, the default is to match the hostname in the URL redirected to against # the hostname in the current request. #OIDCRedirectURLsAllowed []+ # Defines the value of the X-Frame-Options header returned on OIDC front-channel logout requests. # See also https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Frame-Options. # For example: # OIDCLogoutXFrameOptions: sameorigin # or: # OIDCLogoutXFrameOptions: allow-from https://provider.example.com/ # When not defined the default is "DENY". #OIDCLogoutXFrameOptions # Define the X-Forwarded-* or Forwarded headers that will be taken into account as set by a reverse proxy # in front of mod_auth_openidc. Must be one or more of: # X-Forwarded-Host # X-Forwarded-Port # X-Forwarded-Proto # Forwarded # When not defined, such headers will be ignored. #OIDCXForwardedHeaders

+ ```

Module location (`find / -type f -iname mod_auth_openidc.so`): `/usr/lib/apache2/mod_auth_openidc.so`

Trying to run docker container with oidc enabled

```console
ubuntu@docker:~/freshrss-test$ docker run --rm -e OIDC_ENABLED=1 -it freshrss/freshrss:newest
Enabling module auth_openidc.
[Tue Mar 19 17:03:30.643018 2024] [core:warn] [pid 1] AH00111: Config variable ${OIDC_PROVIDER_METADATA_URL} is not defined
[Tue Mar 19 17:03:30.643051 2024] [core:warn] [pid 1] AH00111: Config variable ${OIDC_CLIENT_ID} is not defined
[Tue Mar 19 17:03:30.643056 2024] [core:warn] [pid 1] AH00111: Config variable ${OIDC_CLIENT_SECRET} is not defined
[Tue Mar 19 17:03:30.643076 2024] [core:warn] [pid 1] AH00111: Config variable ${OIDC_CLIENT_CRYPTO_KEY} is not defined
[Tue Mar 19 17:03:30.643081 2024] [core:warn] [pid 1] AH00111: Config variable ${OIDC_REMOTE_USER_CLAIM} is not defined
[Tue Mar 19 17:03:30.643091 2024] [core:warn] [pid 1] AH00111: Config variable ${OIDC_SCOPES} is not defined
[Tue Mar 19 17:03:30.643099 2024] [core:warn] [pid 1] AH00111: Config variable ${OIDC_X_FORWARDED_HEADERS} is not defined
AH00526: Syntax error on line 22 of /etc/apache2/conf.d/FreshRSS.Apache.conf:
The auth_openidc_module is not available. Install it or unset environment variable OIDC_ENABLED.
```

This seems to be invalid for both x86_64 and arm64.

EricDiao commented 4 months ago

It seems that OIDC support is broken on all Alpine based images regardless of architecture, while the Debian based ones are fine. Tested on an x86_64 machine and the mod_auth_openidc.so module still cannot be found, the same as on my arm64 machine.

It seems that Alpine's package manager installs the file to /usr/lib/apache2/mod_auth_openidc.so as mentioned by @mytlogos regardless of architecture, but the config file shipped still refers to the modules/mod_auth_openidc.so path.

I tried to force load the module in FreshRSS.Apache.conf by adding `LoadModule mod_auth_openidc /usr/lib/apache2/mod_auth_openidc.so` at the beginning of the file but without success. I used objdump to inspect the shared library and it seems fine. I suspect the issue has something to do with the ordering of LoadModule and IfModule: the condition check is done before the module is actually loaded? I am not very familiar with Apache2 so it can be because I did the config wrong.

The Debian based image works on an x86_64 machine. A possible workaround is to use qemu to emulate the thing on aarch64. I haven't tested this on my Oracle Cloud ARM machine yet but I doubt it will bring more subtle architectural and performance issues.
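An added check for the path mismatch described in this comment (example code, not FreshRSS or mod_auth_openidc code): a POSIX shell script that reads every uncommented LoadModule directive from an Apache config, resolves relative paths against the ServerRoot the way httpd does, and reports directives whose shared object does not exist, then locates the file the way the thread did with `find`. The directory tree built by `demo_alpine_layout` is constructed for illustration and mirrors the situation above (module installed at /usr/lib/apache2/, config loading modules/mod_auth_openidc.so).

```shell
#!/bin/sh
# check_loadmodule_paths CONF SERVER_ROOT
# Prints "OK <module> <resolved path>" or "MISSING <module> <resolved path>"
# for every LoadModule directive and returns 1 if any module file is missing.
# httpd resolves a relative LoadModule path against ServerRoot, so the same
# rule is applied here.
check_loadmodule_paths() {
    conf="$1"
    server_root="$2"
    rc=0
    # awk keeps only lines whose first field is exactly LoadModule, which
    # skips commented-out directives such as "#LoadModule ...".
    for entry in $(awk '$1 == "LoadModule" { print $2 "=" $3 }' "$conf"); do
        module="${entry%%=*}"
        path="${entry#*=}"
        case "$path" in
            /*) resolved="$path" ;;
            *)  resolved="$server_root/$path" ;;
        esac
        if [ -f "$resolved" ]; then
            echo "OK $module $resolved"
        else
            echo "MISSING $module $resolved"
            rc=1
        fi
    done
    return "$rc"
}

# find_module_file NAME DIR...
# Searches the given directories for a module file by basename (the thread
# used `find / -type f -iname mod_auth_openidc.so`) and prints the first hit.
find_module_file() {
    name="$1"
    shift
    for dir in "$@"; do
        [ -d "$dir" ] || continue
        found=$(find "$dir" -type f -name "$name" 2>/dev/null | head -n 1)
        if [ -n "$found" ]; then
            echo "$found"
            return 0
        fi
    done
    return 1
}

# demo_alpine_layout
# Builds a constructed, throwaway tree that mimics the Alpine situation from
# this thread, runs the check on it (expected to report MISSING) and then
# prints where the module really lives.
demo_alpine_layout() {
    work=$(mktemp -d)
    mkdir -p "$work/root/modules" "$work/usr/lib/apache2" "$work/etc"
    : > "$work/usr/lib/apache2/mod_auth_openidc.so"   # constructed placeholder .so
    cat > "$work/etc/mod-auth-openidc.conf" <<'EOF'
# constructed sample mirroring the packaged config before the Alpine fix
LoadModule auth_openidc_module modules/mod_auth_openidc.so
EOF
    check_loadmodule_paths "$work/etc/mod-auth-openidc.conf" "$work/root" || true
    find_module_file mod_auth_openidc.so "$work/usr/lib/apache2"
    rm -rf "$work"
}
```

Run `demo_alpine_layout` to see the MISSING report followed by the real location; on a live container, point `check_loadmodule_paths` at /etc/apache2/conf.d/FreshRSS.Apache.conf with the ServerRoot from `httpd -V`.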

EricDiao commented 4 months ago

> I tried to force load the module in FreshRSS.Apache.conf by adding `LoadModule mod_auth_openidc /usr/lib/apache2/mod_auth_openidc.so` at the beginning of the file but without success. I used objdump to inspect the shared library and it seems fine. I suspect the issue has something to do with the ordering of LoadModule and IfModule: the condition check is done before the module is actually loaded? I am not very familiar with Apache2 so it can be because I did the config wrong.

It turns out that the issue with the thing not working is to do with my build system (sigh). The change was never incorporated into the image. I did get this to work with the following changes on x86_64 and arm64.

It seems the root cause is the wrong shared library path. I can try to come up with a fix here in FreshRSS once I finish my setup. And it seems that it is an upstream bug that I can bring to the attention of the Alpine maintainer.

diff --git a/Docker/FreshRSS.Apache.conf b/Docker/FreshRSS.Apache.conf
index 49411441..66087c6a 100644
--- a/Docker/FreshRSS.Apache.conf
+++ b/Docker/FreshRSS.Apache.conf
@@ -6,6 +6,8 @@ ServerTokens OS
 TraceEnable Off
 ErrorLog /dev/stderr

+LoadModule auth_openidc_module /usr/lib/apache2/mod_auth_openidc.so
+
 # For logging the original user-agent IP instead of proxy IPs:
 <IfModule mod_remoteip.c>
    # Can be disabled by setting the TRUSTED_PROXY environment variable to 0:
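Review bot: the new `LoadModule auth_openidc_module /usr/lib/apache2/mod_auth_openidc.so` at the top of the file is unconditional, so httpd will refuse to start whenever that path does not exist, even with OIDC_ENABLED unset; the `<IfModule !auth_openidc_module>` check further down shows the module was meant to be optional, and the Debian-based image keeps its modules under a different directory. Suggest guarding the directive, for example with `<IfFile /usr/lib/apache2/mod_auth_openidc.so>` (available since httpd 2.4.34), or placing it under the same OIDC_ENABLED condition as the existing check.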
@@ -21,7 +23,6 @@ CustomLog "|/var/www/FreshRSS/cli/sensitive-log.sh" combined_proxy
    <IfModule !auth_openidc_module>
        Error "The auth_openidc_module is not available. Install it or unset environment variable OIDC_ENABLED."
    </IfModule>
-
    # Workaround to be able to check whether an environment variable is set
    # See: https://serverfault.com/questions/1022233/using-ifdefine-with-environment-variables/1022234#1022234
    Define VStart "${"
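Review bot: this hunk only drops the blank line between `</IfModule>` and the "Workaround to be able to check whether an environment variable is set" comment, which is unrelated to the module-path fix; leave it out so the diff stays limited to the LoadModule change.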

EricDiao commented 4 months ago

A bug report is filed to upstream Alpine: https://gitlab.alpinelinux.org/alpine/aports/-/issues/15999

Alkarex commented 4 months ago

Thanks for your debugging efforts 👍🏻

mytlogos commented 1 month ago

> A bug report is filed to upstream Alpine: https://gitlab.alpinelinux.org/alpine/aports/-/issues/15999

Tried another test, now that the referenced issue in alpine seems to have been fixed. It still fails for some reason...

I used the same steps, from here:

> Alpine testing is only used in our https://github.com/FreshRSS/FreshRSS/blob/edge/Docker/Dockerfile-Newest
>
> So please try the following. Feedback or additional PR welcome:
>
> ```yaml
>   freshrss:
>     image: freshrss/freshrss:newest
>     build:
>       context: https://github.com/FreshRSS/FreshRSS.git#edge
>       dockerfile: Docker/Dockerfile-Newest
>     ...
> ```
>
> * https://github.com/FreshRSS/FreshRSS/blob/edge/Docker/freshrss/docker-compose.yml
> * https://github.com/FreshRSS/FreshRSS/blob/edge/Docker/README.md#build-custom-docker-image

The MR related to the alpine issue has been merged in on 7th May 2024. The current alpine:edge image comes from 6.6.24/7.6.24 with the version being 3.21.0_alpha20240606. The MR is already incorporated (it removes the modules/ part from the module load thingy).

mod-auth-openidc.conf.bak contents ```console /var/www/FreshRSS # ls -lah /etc/apache2/conf.d/mod-auth-openidc.conf.bak -rw-r--r-- 1 root root 69.8K May 7 03:37 /etc/apache2/conf.d/mod-auth-openidc.conf.bak /var/www/FreshRSS # cat /etc/apache2/conf.d/mod-auth-openidc.conf.bak LoadModule auth_openidc_module mod_auth_openidc.so ######################################################################################## # # Common Settings # ######################################################################################## # (Mandatory) # The redirect_uri for this OpenID Connect client; this is a vanity URL # that must ONLY point to a path on your server protected by this module # but it must NOT point to any actual content that needs to be served. # You can use a relative URL like /protected/redirect_uri if you want to # support multiple vhosts that belong to the same security domain in a dynamic way #OIDCRedirectURI https://www.example.com/protected/redirect_uri # (Mandatory) # Set a password for crypto purposes, this is used for: # - encryption of the (temporary) state cookie # - encryption of cache entries, that may include the session cookie, see: OIDCCacheEncrypt and OIDCSessionType # Note that an encrypted cache mechanism can be shared between servers if they use the same OIDCCryptoPassphrase # If the value begins with exec: the resulting command will be executed and the # first line returned to standard output by the program will be used as the password, e.g: # OIDCCryptoPassphrase "exec:/bin/bash -c \"head /dev/urandom | tr -dc A-Za-z0-9 | head -c 32\"" # (notice that the above typically only works in non-clustered environments) # The command may be absolute or relative to the web server root. # # A second value can be used temporarily in case of passphrase rollover: the first (i.e. 
new) passphrase # will be used for encryption of new values (including a "kid" in the JWEs during the time 2 values are defined), # both values will be used for verification (leveraging the "kid" if present); for seamless rollover one should # (at minimum) wait for OIDCSessionInActivityTimeout seconds before removing the 2nd (i.e. old) passprase again. #OIDCCryptoPassphrase [ | "exec:/path/to/otherProgram arg1" ] [ | "exec:/path/to/otherProgram arg2" ] # # All other entries below this are optional though some may be required in a # particular setup e.g. OAuth 2.0 Resource Server vs. OpenID Connect Relying Party # # When using multiple OpenID Connect Providers, possibly combined with Dynamic Client # Registration and account-based OP Discovery. # Specifies the directory that holds metadata files (must be writable for the Apache process/user). # When not specified, it is assumed that we use a single statically configured provider as # described under the section "OpenID Connect Provider" below, most likely using OIDCProviderMetadataURL. #OIDCMetadataDir /var/cache/apache2/mod_auth_openidc/metadata ######################################################################################## # # OpenID Connect Provider # # For configuration of a single static provider, not using OpenID Connect Provider Discovery. # ######################################################################################## # URL where OpenID Connect Provider metadata can be found (e.g. https://accounts.google.com/.well-known/openid-configuration) # The obtained metadata will be cached and refreshed every 24 hours. # If set, individual entries below will not have to be configured but can be used to add # extra entries/endpoints to settings obtained from the metadata. # If OIDCProviderMetadataURL is not set, the entries below it will have to be configured for a single # static OP configuration or OIDCMetadataDir will have to be set for configuration of multiple OPs. 
#OIDCProviderMetadataURL # OpenID Connect Provider issuer identifier (e.g. https://localhost:9031 or https://accounts.google.com) # Used when OIDCProviderMetadataURL is not defined or the metadata obtained from that URL does not set it. #OIDCProviderIssuer # OpenID Connect Provider Authorization Endpoint URL (e.g. https://localhost:9031/as/authorization.oauth2) # Used when OIDCProviderMetadataURL is not defined or the metadata obtained from that URL does not set it. #OIDCProviderAuthorizationEndpoint # OpenID Connect Provider JWKS URL (e.g. https://localhost:9031/pf/JWKS) # i.e. the URL on which the signing keys for this OP are hosted, in JWK formatting # Used when OIDCProviderMetadataURL is not defined or the metadata obtained from that URL does not set jwks_uri. #OIDCProviderJwksUri # OpenID Connect Provider Signed JWKS URL (e.g. https://localhost:9031/pf/JWKS) followed by the verification key set # formatted as either JWK or JWKS. The verification key set is used to verify the provided JWKs value. # Specifying multiple keys allows the OP rotate the key used for signing the JWKs. # I.e this is the URL on which the ID Token signing keys for this OP are hosted, in verifiable JWT formatting # rather than relying on TLS for authentication and integrity protection. # Used when OIDCProviderMetadataURL is not defined or the metadata obtained from that URL does not set signed_jwks_uri. # When defined it takes precedence over OIDCProviderJwksUri # Examples: # OIDCProviderSignedJwksUri https://localhost:9031/pf/JWKS "{\"kty\":\"oct\", \"k\":\"AyM1SysPpbyDfgZld3umj1qzKObwVMkoqQ-EstJQLr_T-1qS0gZH75aKtMN3Yj0iPS4hcgUuTwjAzZr1Z9CAow\"}" # OIDCProviderSignedJwksUri https://localhost:9031/pf/JWKS "{\"keys\":[{\"kty\":\"oct\", \"k\":\"AyM1SysPpbyDfgZld3umj1qzKObwVMkoqQ-EstJQLr_T-1qS0gZH75aKtMN3Yj0iPS4hcgUuTwjAzZr1Z9CAow\"}]}" # NB: for multi-OP setups: # the 1st parameter is not used, it needs to be set anyhow (e.g. 
to "") if you wish to used the 2nd parameter # the 2nd parameter is the default verification JWK for content pulled from the signed_jwks_uri for all providers and # and its can be overridden with a per-provider key in the .conf file using the key: signed_jwks_uri_key #OIDCProviderSignedJwksUri [ | ] # The fully qualified names of the files that contain the X.509 certificates with the RSA/EC public # keys that can be used for ID Token verification. # NB: this is one or more key tuples where a key tuple consists of: # ["sig:"|"enc:"][#] # and the key identifier part is required when the ID Token contains a "kid" in its header. # Specify the prefix "sig:" or "enc:" to indicate a key is specifically to be used for signing or encryption. # When not defined, ID Token validation key material has to be obtained through OIDCProviderJwksUri or OIDCProviderMetadataURL #OIDCProviderVerifyCertFiles (["sig:"|"enc:"][#])+ # OpenID Connect Provider Token Endpoint URL (e.g. https://localhost:9031/as/token.oauth2) # Used when OIDCProviderMetadataURL is not defined or the metadata obtained from that URL does not set it. #OIDCProviderTokenEndpoint # Authentication method for the OpenID Connect Provider Token Endpoint. # When "private_key_jwt" is used, OIDCPrivateKeyFiles and OIDCPublicKeyFiles must have been set. # When not defined the default method from the specification is used, i.e. "client_secret_basic". # Used when OIDCProviderMetadataURL is not defined or the metadata obtained from that URL does not set it. # NB: this can be overridden for dynamic client registration on a per-OP basis in the .conf file using the key: token_endpoint_auth #OIDCProviderTokenEndpointAuth [ client_secret_basic | client_secret_post | client_secret_jwt | private_key_jwt | none ] # Extra parameters that need to be passed in the POST request to the Token Endpoint. # Parameter names and values need to be provided in URL-encoded form. # When not defined no extra parameters will be passed. 
# NB: this can be overridden on a per-OP basis in the .conf file using the key: token_endpoint_params #OIDCProviderTokenEndpointParams =[&=]* # OpenID Connect Provider UserInfo Endpoint URL (e.g. https://localhost:9031/idp/userinfo.openid) # When not defined no claims will be resolved from such endpoint. # Used when OIDCProviderMetadataURL is not defined or the metadata obtained from that URL does not set it. #OIDCProviderUserInfoEndpoint # OpenID OP Check Session iFrame URL, for Session Management purposes. # When not defined, no Session Management will be applied. # Used when OIDCProviderMetadataURL is not defined or the metadata obtained from that URL does not set it. #OIDCProviderCheckSessionIFrame # OpenID OP End Session Endpoint URL, for Single Logout (Session Management) purposes. # When not defined, no logout to the OP will be performed. # Used when OIDCProviderMetadataURL is not defined or the metadata obtained from that URL does not set it. #OIDCProviderEndSessionEndpoint # Extra parameters that will be sent along with the Logout Request. # These must be URL-query-encoded as in: "client_id=myclient&prompt=none". # This is used against a statically configured (single) OP or serves as the default for discovered OPs. # The default is to not add extra parameters. # NB: this can be overridden on a per-OP basis in the .conf file using the key: logout_request_params #OIDCLogoutRequestParams # The RFC 7009 Token Revocation Endpoint URL. # When defined, the refresh token and access token stored in an OIDC session will be revoked on logout. # Used when OIDCProviderMetadataURL is not defined or the metadata obtained from that URL does not set it. #OIDCProviderRevocationEndpoint # Define whether the OP supports OpenID Connect Back Channel Logout. # According to: https://openid.net/specs/openid-connect-backchannel-1_0.html # Used when OIDCProviderMetadataURL is not defined or the metadata obtained from that URL does not set it. 
#OIDCProviderBackChannelLogoutSupported [On|Off] # Extra JSON parameters that need to be passed in the registration request to the Registration Endpoint. # This settings serves as a default value for multiple OPs only. # Parameter names and values need to be provided in JSON form and will be merged in to the request. # When not defined no extra parameters will be passed. # NB: this can be overridden on a per-OP basis in the .conf file using the key: registration_endpoint_json #OIDCProviderRegistrationEndpointJson # Define the OpenID Connect scope that is requested from the OP (eg. "openid email profile"). # When not defined, the bare minimal scope "openid" is used. # NB: multiple scope values must be enclosed in a single pair of double quotes # NB: this can be overridden on a per-OP basis in the .conf file using the key: scope #OIDCScope "" # Extra parameters that will be sent along with the Authorization Request. # These must be URL-query-encoded as in: "display=popup&prompt=consent" or # specific for Google's implementation: "approval_prompt=force". # This is used against a statically configured (single) OP or serves as the default for discovered OPs. # As an alternative to this option, one may choose to add the parameters as # part of the URL set in OIDCProviderAuthorizationEndpoint or "authorization_endpoint" # in the .provider metadata (though that would not work with Discovery OPs). # # One can pass on query parameters from the request to the authorization request by adding # e.g. "foo=#" which which will dynamically pull in the query parameter value from the # request query parameter and add it to the authentication request to the OP. # # The default is to not add extra parameters. # NB: this can be overridden on a per-OP basis in the .conf file using the key: auth_request_params #OIDCAuthRequestParams # Require a valid SSL server certificate when communicating with the OP. # (i.e. 
on token endpoint, UserInfo endpoint and Dynamic Client Registration endpoint) # When not defined, the default value is "On". # NB: this can be overridden on a per-OP basis in the .conf file using the key: ssl_validate_server #OIDCSSLValidateServer [On|Off] # Sets the path to the CA bundle to be used by cURL # When not defined, the default bundle for libcurl is used as provided by the platform. #OIDCCABundlePath # Require configured issuer to match the issuer returned in id_token. # (Disable to support Azure AD multi-tenant applications.) # When not defined, the default value is "On". #OIDCValidateIssuer [On|Off] # The refresh interval in seconds for the claims obtained from the userinfo endpoint # When not defined the claims are retrieved only once, at session creation time. # If refreshing fails, it is assumed that the access token is expired and an attempt will be made # to refresh the access token using the refresh token grant, after which a second attempt is made # to obtain claims from the userinfo endpoint with the new access token. # NB: this can be overridden on a per-OP basis in the .conf file using the key: userinfo_refresh_interval # The optional logout_on_error flag will make the user logout the current local session if the userinfo request fails. # The optional authenticate_on_error flag sends the user for authentication when the userinfo request fails. #OIDCUserInfoRefreshInterval [ logout_on_error | authenticate_on_error ] # The refresh interval in seconds for the JWKs key set obtained from the jwks_uri and signed_jwks_uri. # When not defined the default is 3600 seconds. 
# NB: this can be overridden on a per-OP basis in the .conf file using the key: jwks_refresh_interval # NB: this refresh interval is shared with OIDCOAuthVerifyJwksUri #OIDCJWKSRefreshInterval # Defines the way in which the access token will be presented to the userinfo endpoint # "authz_header" means that the token will be presented in an "Authorization: Bearer" header using HTTP GET # "post_param" means that the token will be presented a form-encoded POST parameter using HTTP POST # When not defined the default is "authz_header". # NB: this can be overridden on a per-OP basis in the .conf file using the key: userinfo_token_method #OIDCUserInfoTokenMethod [authz_header|post_param] # Defines the HTTP method used to pass the parameters in the Authentication Request to the Authorization Endpoint. # "GET" means that the parameters will be passed as query parameters in an HTTP GET # "POST" means that the parameters will be passed as form-post parameters in an HTTP POST # When not defined the default is "GET". # NB: this can be overridden on a per-OP basis in the .conf file using the key: auth_request_method # OIDCProviderAuthRequestMethod [ GET | POST ] # The fully qualified names of the files that contain the PEM-formatted RSA/EC Public key or a X.509 certificates # that contain the RSA/EC public keys to be used for JWT (OP state/id_token) encryption by the OP. # One of these keys must correspond to the private keys defined in OIDCPrivateKeyFiles. # When not defined no encryption will be requested. # You can also prefix with a JWK key identifier to manually override the automatically # generated "kid" that will be used for this key in the JWKs derived from this certificate and # published at OIDCClientJwksUri. # Specify the prefix "sig:" or "enc:" to indicate a key is specifically to be used for signing or encryption. 
# NB: this can be overridden on a per-OP basis in the .conf file using the key "keys" whose value is a JWK set/array (use=sign) #OIDCPublicKeyFiles (["sig:"|"enc:"][#])+ # The fully qualified names of the files that contain the PEM-formatted RSA/EC private # keys that can be used to decrypt content sent to us by the OP. # These keys must correspond to the public keys defined in OIDCPublicKeyFiles. # When not defined no decryption will be possible. # NB: this can be overridden on a per-OP basis in the .conf file using the key "keys" whose value is a JWK set/array (use=enc) #OIDCPrivateKeyFiles (["sig:"|"enc:"][#])+ ######################################################################################## # # OpenID Connect Client # # Settings used by the client in communication with the OpenID Connect Provider(s), # i.e. in Authorization Requests, Dynamic Client Registration and UserInfo Endpoint access. # These settings are used when a single static provider is configured and serve as defaults # when multiple providers are configured. # ######################################################################################## # The response type (or OpenID Connect Flow) used (this serves as default value for discovered OPs too) # When not defined the "code" response type is used. # NB: this can be overridden on a per-OP basis in the .conf file using the key: response_type #OIDCResponseType ["code"|"id_token"|"id_token token"|"code id_token"|"code token"|"code id_token token"] # The response mode used (this serves as default value for discovered OPs too) # When not defined the default response mode for the requested flow (OIDCResponseType) is used. # NB: this can be overridden on a per-OP basis in the .conf file using the key: response_mode #OIDCResponseMode [fragment|query|form_post] # Only used for a single static provider has been configured, see below in OpenID Connect Provider. # Client identifier used in calls to the statically configured OpenID Connect Provider. 
#OIDCClientID # Only used for a single static provider has been configured, see below in OpenID Connect Provider. # Client secret used in calls to the statically configured OpenID Connect Provider. # (not used/required in the Implicit Client Profile, i.e. when OIDCResponseType is "id_token") # If the value begins with exec: the resulting command will be executed and the # first line returned to standard output by the program will be used as the # secret. The command may be absolute or relative to the web server root. #OIDCClientSecret [ | "exec:/path/to/otherProgram argument1" ] # Filename with the PEM-formatted client certificate used to authenticate the Client in calls to the # token endpoint of the OAuth 2.0 Authorization server. # NB: this can be overridden on a per-OP basis in the .conf file using the key: token_endpoint_tls_client_cert #OIDCClientTokenEndpointCert # Filename with the PEM-formatted private key that belongs to the client certificate used to authenticate the # Client in calls to the token endpoint of the OAuth 2.0 Authorization server. # NB: this can be overridden on a per-OP basis in the .conf file using the key: token_endpoint_tls_client_key #OIDCClientTokenEndpointKey # Password for the PEM-formatted private key that belongs to the client certificate used to authenticate the # Client in calls to the token endpoint of the OAuth 2.0 Authorization server. # If the value begins with exec: the resulting command will be executed and the # first line returned to standard output by the program will be used as the password. # The command may be absolute or relative to the web server root. # NB: this can be overridden on a per-OP basis in the .conf file using the key: token_endpoint_tls_client_key_pwd #OIDCClientTokenEndpointKeyPassword [ | "exec:/path/to/otherProgram arg1" ] # The client name that the client registers in dynamic registration with the OP. # When not defined, no client name will be sent with the registration request. 
# NB: this can be overridden on a per-OP basis in the .conf file using the key: client_name
#OIDCClientName

# The contacts that the client registers in dynamic registration with the OP.
# Must be formatted as e-mail addresses by specification.
# Single value only; when not defined, no contact e-mail address will be sent with the registration request.
# NB: this can be overridden on a per-OP basis in the .conf file using the key: client_contact
#OIDCClientContact

# The PKCE method used (this serves as default value for discovered OPs too)
# When not defined S256 is used.
# NB: this can be overridden on a per-OP basis in the .conf file using the key: pkce_method
#OIDCPKCEMethod [plain|S256|none]

# (used only in dynamic client registration)
# Define the Client JWKs URL (e.g. https://localhost/protected/?jwks=rsa) that will be
# used during client registration to point to the JWK set with public keys for this client.
# If not defined the default ?jwks=rsa will be used, on which a JWK set
# is automatically published based on the OIDCPublicKeyFiles setting so normally you don't
# need to touch this unless this client is on a (test) host that is not reachable from the internet.
# NB: this can be overridden on a per-OP basis in the .conf file using the key: client_jwks_uri
#OIDCClientJwksUri

# The algorithm that the OP should use to sign the id_token.
# When not defined the default that the OP should use by spec is RS256.
# (ES??? algorithms only supported when using OpenSSL >= 1.0)
# NB: this can be overridden on a per-OP basis in the .conf file using the key: id_token_signed_response_alg
#OIDCIDTokenSignedResponseAlg [RS256|RS384|RS512|PS256|PS384|PS512|HS256|HS384|HS512|ES256|ES384|ES512]

# The algorithm that the OP should use to encrypt the Content Encryption Key that is used to encrypt the id_token.
# When not defined the default (by spec) is that the OP does not encrypt the id_token.
# NB: this can be overridden on a per-OP basis in the .conf file using the key: id_token_encrypted_response_alg
#OIDCIDTokenEncryptedResponseAlg [RSA1_5|A128KW|A256KW|RSA-OAEP]

# The algorithm that the OP should use to encrypt the id_token with the Content Encryption Key.
# If OIDCIDTokenEncryptedResponseAlg is specified, the default for this value is A128CBC-HS256.
# When OIDCIDTokenEncryptedResponseEnc is included, OIDCIDTokenEncryptedResponseAlg MUST also be provided.
# (A256GCM algorithm only supported when using OpenSSL >= 1.0.1)
# NB: this can be overridden on a per-OP basis in the .conf file using the key: id_token_encrypted_response_enc
#OIDCIDTokenEncryptedResponseEnc [A128CBC-HS256|A256CBC-HS512|A256GCM]

# The algorithm that the OP should use to sign the UserInfo response.
# When not defined the default (by spec) is that the OP does not sign the response.
# (ES??? algorithms only supported when using OpenSSL >= 1.0)
# NB: this can be overridden on a per-OP basis in the .conf file using the key: userinfo_signed_response_alg
#OIDCUserInfoSignedResponseAlg [RS256|RS384|RS512|PS256|PS384|PS512|HS256|HS384|HS512|ES256|ES384|ES512]

# The algorithm that the OP should use to encrypt the Content Encryption Key that is used to encrypt the UserInfo response.
# When not defined the default (by spec) is that the OP does not encrypt the response.
# NB: this can be overridden on a per-OP basis in the .conf file using the key: userinfo_encrypted_response_alg
#OIDCUserInfoEncryptedResponseAlg [RSA1_5|A128KW|A256KW|RSA-OAEP]

# The algorithm that the OP should use to encrypt the UserInfo response with the Content Encryption Key.
# If OIDCUserInfoEncryptedResponseAlg is specified, the default for this value is A128CBC-HS256.
# When OIDCUserInfoEncryptedResponseEnc is included, OIDCUserInfoEncryptedResponseAlg MUST also be provided.
# (A256GCM algorithm only supported when using OpenSSL >= 1.0.1)
# NB: this can be overridden on a per-OP basis in the .conf file using the key: userinfo_encrypted_response_enc
#OIDCUserInfoEncryptedResponseEnc [A128CBC-HS256|A256CBC-HS512|A256GCM]

########################################################################################
#
# WARNING:
#
# THE OAUTH 2.0 RESOURCE SERVER FUNCTIONALITY IS DEPRECATED NOW AND SUPERSEDED
# BY A SEPARATE MODULE, SEE: https://github.com/OpenIDC/mod_oauth2
#
# OAuth 2.0 Resource Server Settings
#
# Used when this module functions as a Resource Server against an OAuth 2.0 Authorization
# Server, introspecting/validating bearer Access Tokens.
#
########################################################################################

# URL where Authorization Server metadata can be found (e.g. https://example.com/.well-known/oauth-authorization-server)
# as defined in RFC 8414. The obtained metadata will be cached and refreshed every 24 hours.
# If set, individual entries below will not have to be configured but can be used to add
# extra entries/endpoints to settings obtained from the metadata.
# If OIDCOAuthServerMetadataURL is not set, the endpoint entries below it will have to be configured.
#OIDCOAuthServerMetadataURL

# (Mandatory when introspecting opaque access tokens, Optional when performing local JWT access token validation)
# OAuth 2.0 Authorization Server token introspection endpoint (e.g. https://localhost:9031/as/token.oauth2)
#OIDCOAuthIntrospectionEndpoint

# Client identifier used in token introspection calls to the OAuth 2.0 Authorization server.
#OIDCOAuthClientID

# Client secret used in token introspection calls to the OAuth 2.0 Authorization server.
#OIDCOAuthClientSecret

# Authentication method for the OAuth 2.0 Authorization Server introspection endpoint,
# used to authenticate the client to the introspection endpoint, e.g. with a client_id/client_secret
# when OIDCOAuthClientID and OIDCOAuthClientSecret have been set and "client_secret_basic" or "client_secret_post"
# has been configured.
# When "private_key_jwt" is used, OIDCPrivateKeyFiles and OIDCPublicKeyFiles must have been set.
# When not defined "client_secret_basic" is used.
#OIDCOAuthIntrospectionEndpointAuth [ client_secret_basic | client_secret_post | client_secret_jwt | private_key_jwt | bearer_access_token | none ]

# Used when "OIDCOAuthIntrospectionEndpointAuth bearer_access_token" is configured.
# Specifies a static token to be used for authorizing the call to the introspection endpoint.
# If empty, the introspected token will be used for authorization as well.
#OIDCOAuthIntrospectionClientAuthBearerToken [ a-static-bearer-token | ]

# Filename that contains the PEM-formatted client certificate used to authenticate the
# caller in token introspection calls to the OAuth 2.0 Authorization server.
#OIDCOAuthIntrospectionEndpointCert

# Filename that contains the PEM-formatted private key that belongs to the client certificate used
# to authenticate the caller in token introspection calls to the OAuth 2.0 Authorization server.
#OIDCOAuthIntrospectionEndpointKey

# Define the HTTP method to use for the introspection call. Must be GET or POST.
# When not defined the default is POST.
#OIDCOAuthIntrospectionEndpointMethod [POST|GET]

# Extra parameters that need to be passed in the POST request to the Introspection Endpoint.
# Parameter names and values need to be provided in URL-encoded form.
# When not defined no extra parameters will be passed.
#OIDCOAuthIntrospectionEndpointParams =[&=]*

# Name of the parameter whose value carries the access token value in a validation request to the token introspection endpoint.
# When not defined the default "token" is used.
#OIDCOAuthIntrospectionTokenParamName

# Defines the name of the claim that contains the token expiry timestamp, whether it is absolute (seconds since
# 1970), relative (seconds from now after which the token will expire), and whether it is optional.
# If the claim is optional and not found in the response, the introspection result will not be cached
# (which means that the overall performance may suffer).
#
# Only applies when the "active" claim is not found in the introspection response, which is interpreted as
# an introspection method that does not conform to draft-ietf-oauth-introspection, but is custom.
#
# When not defined the default "expires_in" is used, the expiry is "relative" and mandatory, matching
# Google and PingFederate's introspection behavior.
#OIDCOAuthTokenExpiryClaim [absolute|relative] [mandatory|optional]

# Define the interval in seconds after which a cached and introspected access token needs
# to be refreshed by introspecting (and validating) it again against the Authorization Server.
# (can be configured on a per-path basis)
# When not defined the value is 0, which means it only expires after the `exp` (or alternative,
# see OIDCOAuthTokenExpiryClaim) hint as returned by the Authorization Server.
# When set to -1, caching of the introspection results is disabled and the token will be introspected
# on each request presenting it.
#OIDCOAuthTokenIntrospectionInterval

# Require a valid SSL server certificate when communicating with the Authorization Server
# on the token introspection endpoint. When not defined, the default value is "On".
#OIDCOAuthSSLValidateServer [On|Off]

# The symmetric shared key(s) that can be used for local JWT access token validation.
# NB: this is one or more key tuples where a key tuple consists of:
#   ["sig:"|"enc:"]plain|b64|hex#[]#
# Specify the prefix "sig:" or "enc:" to indicate a key is specifically to be used for signing or encryption.
# When not defined, no access token validation with shared keys will be performed.
# Examples:
# - a plaintext secret and a key identifier (kid)
#     plain#1#mysecret
# - a base64 encoded secret, no key identifier provided
#     b64##AF515DE==
# - a hex encoded secret, no key identifier provided
#     hex##ede012
#OIDCOAuthVerifySharedKeys (["sig:"|"enc:"]plain|b64|hex#[#])+

# The fully qualified names of the files that contain the X.509 certificates with the RSA/EC public
# keys that can be used for local JWT access token verification.
# NB: this is one or more key tuples where a key tuple consists of:
#   ["sig:"|"enc:"][#]
# and the key identifier part is required when the JWT access token contains a "kid" in its header.
# Specify the prefix "sig:" or "enc:" to indicate a key is specifically to be used for signing or encryption.
# When not defined, no access token validation with statically configured certificates will be performed.
#OIDCOAuthVerifyCertFiles (["sig:"|"enc:"][#])+

# The JWKs URL on which the Authorization Server publishes the keys used to sign its JWT access tokens.
# When not defined local validation of JWTs can still be done using statically configured keys,
# by setting OIDCOAuthVerifyCertFiles and/or OIDCOAuthVerifySharedKeys.
#OIDCOAuthVerifyJwksUri

# The claim that is used when setting the REMOTE_USER variable on OAuth 2.0 protected paths.
# When not defined the default "sub" is used.
#
# An optional regular expression can be added as a 2nd parameter that will be applied to the
# claim value from the 1st parameter and the first match returned from that expression will
# be set as the REMOTE_USER. E.g. to strip a domain from an e-mail style address you'd use ^(.*)@
#
# An optional 3rd parameter can be added that would contain a string with numbered backreferences.
# Backreferences must be in the form $1, $2.. etc.
# E.g. to extract a username in the form DOMAIN\userid from an e-mail style address you may use
#   ^(.*)@([^.]+)\..+$ $2\\$1
#OIDCOAuthRemoteUserClaim [] [substitution-string]

# Define the way(s) in which bearer OAuth 2.0 access tokens can be passed to this Resource Server.
# Must be one or several of:
#   "header" : an "Authorization: bearer" header
#   "post"   : an HTTP Post parameter called "access_token"
#   "query"  : as an HTTP query parameter called "access_token"
#   "cookie" : as a cookie header called "PA.global" or using the name specified after ":"
#   "basic"  : as a HTTP Basic Auth (RFC2617, section 2) password, with any username
# When not defined the default "header" is used.
#OIDCOAuthAcceptTokenAs [header|post|query|cookie[:|basic]+

########################################################################################
#
# Cookie Settings
#
########################################################################################

# Define the cookie path for the "state" and "session" cookies.
# When not defined the default is a server-wide "/".
#OIDCCookiePath

# Specify the domain for which the "state" and "session" cookies will be set.
# This must match the OIDCRedirectURI and the URL on which you host your protected
# application. Use the literal value of the domain name that will end up in the "Domain"
# attribute value for the Set-Cookie header, no leading dot required.
# Example domain- (instead of default host-)wide cookie:
#   OIDCCookieDomain example.org
# When not defined the default is the server hostname that is currently accessed.
#OIDCCookieDomain

# Define the cookie name for the session cookie.
# When not defined the default is "mod_auth_openidc_session".
#OIDCCookie

# OpenID Connect session cookie chunk size.
# When using "OIDCSessionType client-cookie" the session cookie may become quite large if a lot of session
# data needs to be stored; typically the size depends on the "scopes" of information you request. To work
# around cookie size limitations for most web browsers (usually 4096 bytes), the "client-cookie" will be split
# over a number of "chunked" cookies if the resulting session data is over a certain number of bytes.
# If you want to prevent splitting the session cookie regardless of its size, set the value to 0.
# When not defined the default chunk size is 4000 bytes.
#OIDCSessionCookieChunkSize

# Defines whether the HttpOnly flag will be set on cookies.
# When not defined the default is On.
#OIDCCookieHTTPOnly [On|Off]

# Defines whether the SameSite flag will be set on cookies.
# When On the following will apply:
#   state cookie: Lax
#   session cookie: Lax
#   x_csrf discovery: Strict
#
# The default `SameSite=None` cookie appendix on `Set-Cookie` response headers can be
# conditionally overridden using an environment variable in the Apache config as in:
#   SetEnvIf User-Agent ".*IOS.*" OIDC_SET_COOKIE_APPEND=;
#
# When not defined the default is On.
#OIDCCookieSameSite [On|Off]

# Specify the names of cookies to pick up from the browser and send along on backchannel
# calls to the OP and AS endpoints. This can be used for load-balancing purposes.
# When not defined, no such cookies are sent.
#OIDCPassCookies []+

# Specify the names of cookies to strip from the incoming request so they are not passed
# on to the target application(s). This may prevent a large set of chunked session cookies from
# being sent to the backend. In that case you'd set it to (when using the default OIDCCookie setting):
#   mod_auth_openidc_session mod_auth_openidc_session_chunks mod_auth_openidc_session_0 mod_auth_openidc_session_1
# When not defined, no cookies are stripped.
#OIDCStripCookies []+

# Specify the maximum number of state cookies i.e. the maximum number of parallel outstanding
# authentication requests.
# See: https://github.com/OpenIDC/mod_auth_openidc/issues/331
# Setting this to 0 means unlimited, until the browser or server gives up, which is the
# behavior of mod_auth_openidc < 2.3.8, which did not have this configuration option.
#
# The optional second boolean parameter specifies if the oldest state cookie(s) will be deleted,
# even if still valid; see #399.
#
# When not defined, the default is 7 and "false", thus the oldest cookie(s) will not be deleted.
#OIDCStateMaxNumberOfCookies [false|true]

# Define the cookie prefix for the state cookie.
# When not defined the default is "mod_auth_openidc_state_".
#OIDCStateCookiePrefix

########################################################################################
#
# Session Settings (only relevant in an OpenID Connect Relying Party setup)
#
########################################################################################

# Interval in seconds after which the session will be invalidated when no interaction has occurred.
# When not defined, the default is 300 seconds.
#OIDCSessionInactivityTimeout

# Maximum duration of the application session.
# When not defined the default is 8 hours (3600 * 8 seconds).
# When set to 0, the session duration will be set equal to the expiry time of the ID token.
# NB: this can be overridden on a per-OP basis in the .conf file using the key: session_max_duration
#OIDCSessionMaxDuration

# OpenID Connect session storage type.
# "server-cache" uses server-side caching storage.
# "client-cookie" uses browser-side sessions stored in a cookie; see also OIDCSessionCookieChunkSize above.
# A suffix ":persistent" can be added if you want to use a persistent cookie that survives browser restarts
# instead of a session cookie that is tied to the lifetime of the browser session.
# The "expires" value of the persistent cookie is controlled by the OIDCSessionInactivityTimeout setting.
# A suffix ":store_id_token" can be added to "client-cookie" if you want the id_token to be stored
# in the session to be used as id_token_hint in a logout request to the OP later.
# When not defined the default "server-cache" is used.
#OIDCSessionType server-cache[:persistent] | client-cookie[:persistent | :store_id_token | :persistent:store_id_token ]

# Fallback to "OIDCSessionType client-cookie" when "OIDCSessionType server-cache" is set and the primary
# cache mechanism (e.g. memcache or redis) fails. Note that this will come at a cost of:
# a) performance
#    1) since on each subsequent request the primary cache will still be polled and
#       failback will happen as soon as the primary cache is available again
#    2) information other than sessions cannot be cached, e.g. resolved access tokens or metadata; see: OIDCCacheType
# b) security, since nonces and jti's are not cached, see: OIDCCacheType
# c) (prototype) functionality, since request_uri's won't work anymore
# When not defined the default is "Off".
#OIDCSessionCacheFallbackToCookie [On|Off]

########################################################################################
#
# Cache Settings
#
########################################################################################

# Cache type, used for temporary storage that is shared across Apache processes/servers for:
# - authenticated user session state
# - nonce values from authorization requests (to prevent replay attacks)
# - validated OAuth 2.0 access tokens
# - refresh tokens during their usage in a refresh token request, i.e. refreshing an access token and possibly the refresh token itself
# - JWK sets that have been retrieved from jwk_uri's (to validate id_token, logout_token, JWT access_token and JWT userinfo response)
# - resolved OP metadata when using OIDCProviderMetadataUrl and/or OIDCOAuthServerMetadataURL
# - jti values from logout_token when receiving Backchannel Logout requests
# - temporary state associated with Request URI's
# - signed JWTs when using OIDCPassUserInfoAs signed_jwt and environment variable OIDC_USERINFO_SIGNED_JWT_CACHE_TTL
# - JQ filter results when using OIDCFilterClaimsExpr and/or OIDCUserInfoClaimsExpr and/or Require claims_expr
# Must be one of "shm", "memcache", "file" or, if Redis support is compiled in, "redis".
# When not defined, "shm" (shared memory) is used.
#OIDCCacheType [shm|memcache|file[|redis]]

# Indicate whether data in the cache backend should be encrypted.
# When not defined the default is "Off" for the "shm" backend and "On" for all other cache backends.
#OIDCCacheEncrypt [On|Off]

# When using OIDCCacheType "shm":
# Specifies the maximum number of name/value pair entries that can be cached.
# When caching a large number of entries the cache size limit may be reached and the
# least recently used entry will be overwritten. If this happens within 1 hour,
# errors will be displayed in the error.log and the OIDCCacheShmMax value may be increased.
# When not specified, a default of 10000 entries is used.
#OIDCCacheShmMax

# When using OIDCCacheType "shm":
# Specifies the maximum size for a single cache entry in bytes with a minimum of 8736 bytes.
# The value must be a multiple of 8 bytes.
# When caching large values such as numbers of attributes in a session or large metadata documents the
# entry size limit may be overrun, in which case errors will be displayed in the error.log
# and the OIDCCacheShmEntrySizeMax value has to be increased.
# When not specified, a default entry size of 16928 bytes (16384 value + 512 key + 32 overhead) is used.
#OIDCCacheShmEntrySizeMax

# When using OIDCCacheType "file":
# Directory that holds cache files; must be writable for the Apache process/user.
# When not specified a system defined temporary directory (/tmp) will be used.
#OIDCCacheDir /var/cache/apache2/mod_auth_openidc/cache

# When using OIDCCacheType "file":
# Cache file clean interval in seconds (only triggered on writes).
# When not specified a default of 60 seconds is used.
#OIDCCacheFileCleanInterval

# Required when using OIDCCacheType "memcache":
# Specifies the memcache servers used for caching as a space separated list of [:] tuples.
#OIDCMemCacheServers "([:])+"

# Minimum number of connections to each Memcache server per process. Defaults to
# OIDCMemCacheConnectionsHMax.
#OIDCMemCacheConnectionsMin

# All connections above this limit will be closed if they have been idle for
# more than OIDCMemCacheConnectionsTTL. Defaults to OIDCMemCacheConnectionsHMax.
#OIDCMemCacheConnectionsSMax

# Maximum number of connections to each Memcache server per process. Defaults to
# ThreadsPerChild or, if mod_http2 is loaded, to ThreadsPerChild - 1 + H2MaxWorkers.
#OIDCMemCacheConnectionsHMax

# Maximum time in seconds a connection to a Memcache server can be idle before
# being closed. Defaults to 60 seconds.
# Only for Apache >= 2.4.x: by adding a postfix of ms, the timeout can also be
# set in milliseconds.
#OIDCMemCacheConnectionsTTL

# Required if Redis support is compiled in and when using OIDCCacheType "redis":
# Specifies the Redis server used for caching as a [:] tuple.
#OIDCRedisCacheServer [:]

# Password to be used if the Redis server requires authentication: http://redis.io/commands/auth
# When not specified, no authentication is performed.
#OIDCRedisCachePassword

# Username to be used if the Redis server requires authentication: http://redis.io/commands/auth
# NB: this can only be used with Redis 6 (ACLs) or later.
# When not specified, the implicit user "default" is used.
#OIDCRedisCacheUsername

# Logical database to select on the Redis server: https://redis.io/commands/select
# When not defined the default database 0 is used.
#OIDCRedisCacheDatabase

# Timeout (in seconds) for connecting to the Redis servers.
# An optional 2nd parameter can be supplied to set the keepalive interval (in seconds) on the
# TCP connection to the Redis server. 0 disables keepalive.
# NB: the interval setting only works when compiled and running with hiredis >= 1.2.0;
# when compiled and running with hiredis < 1.2.0 any value > 0 will apply the default interval.
# When not defined the default connect timeout is 5 seconds and the default hiredis keepalive (15s) is applied.
#OIDCRedisCacheConnectTimeout [0|]

# Timeout waiting for a response of the Redis servers after a request was sent.
# When not defined the default timeout is 5 seconds.
#OIDCRedisCacheTimeout

########################################################################################
#
# Advanced Settings
#
########################################################################################

# Defines an external OP Discovery page. That page will be called with:
#   ?oidc_callback=
# additional parameters may be added, a.o. `target_link_uri`, `x_csrf` and `method`.
#
# An Issuer selection can be passed back to the callback URL as in:
#   ?iss=[${issuer}|${domain}|${e-mail-style-account-name}][parameters][&login_hint=][&scopes=][&auth_request_params=]
# where the parameter contains the URL-encoded issuer value of
# the selected Provider, or a URL-encoded account name for OpenID
# Connect Discovery purposes (aka. e-mail style identifier), or a domain name.
# [parameters] contains the additional parameters that were passed in on the discovery request
# (e.g. target_link_uri=&x_csrf=&method=&scopes=)
#
# When not defined the bare-bones internal OP Discovery page is used.
#OIDCDiscoverURL

# Defines a default URL to be used in case of 3rd-party-init-SSO when no explicit target_link_uri
# has been provided. The user is also redirected to this URL in case an invalid authorization
# response was received.
# The default is to not redirect the browser to any URL but return an HTTP/HTML error to the user.
#OIDCDefaultURL

# Defines a default URL where the user is sent to after logout, which may be overridden explicitly during logout.
# When not defined and no URL was passed explicitly, a default internal page will be shown.
#OIDCDefaultLoggedOutURL

# Define the OpenID Connect scope(s) that is requested from the OP (e.g. "admin edit")
# on a per-path basis in addition to the per-provider configured scopes (OIDCScope).
# Multiple scope values must be enclosed in a single pair of double quotes.
# Apache expressions can be used to pass dynamic runtime determined values.
# The default is to not add extra scopes.
#OIDCPathScope ""

# Extra parameters that will be sent along with the Authorization Request.
# These must be URL-query-encoded as in: "display=popup&prompt=consent".
# This can be configured on a per-path basis across all configured Providers.
# One can pass on query parameters from the request to the authorization request by adding
# e.g. "foo=#" which will dynamically pull in the query parameter value from the
# request query parameter and add it to the authentication request to the OP.
# Apache expressions can be used to pass dynamic runtime determined values.
# The default is to not add extra parameters.
#OIDCPathAuthRequestParams

# Acceptable offset (before and after) for checking the "iat" (= issued at) timestamp in the id_token.
# When not defined the default is 600 seconds.
# NB: this can be overridden on a per-OP basis in the .conf file using the key: idtoken_iat_slack
#OIDCIDTokenIatSlack

# The prefix to use when setting claims (openid-connect or oauth20) in the HTTP headers/environment variables.
# This prefix should not be set to "" except when combined with OIDCWhiteListedClaims to maintain a secure setup.
# When not defined, the default "OIDC_CLAIM_" is used.
#OIDCClaimPrefix

# The delimiter to use when setting multi-valued claims (openid-connect or oauth20) in the HTTP headers/environment variables.
# When not defined the default "," is used.
#OIDCClaimDelimiter

# The claim that is used when setting the REMOTE_USER variable on OpenID Connect protected paths.
# If the claim name is postfixed with a "@", the claim value will be post-fixed with the
# "iss" value (with leading "https://" stripped) to make this value unique across different OPs.
# When not defined the default "sub@" is used.
#
# An optional regular expression can be added as a 2nd parameter that will be applied to the
# resulting value from the 1st parameter and the first match returned from that expression will
# be set as the REMOTE_USER. E.g. to strip a domain from an e-mail style address you'd use ^(.*)@
#
# An optional 3rd parameter can be added that would contain a string with numbered backreferences.
# Backreferences must be in the form $1, $2.. etc.
# E.g. to extract a username in the form DOMAIN\userid from an e-mail style address you may use
#   ^(.*)@([^.]+)\..+$ $2\\$1
#OIDCRemoteUserClaim [@] [] [substitution-string]

# Define the way(s) in which the id_token contents are passed to the application according to OIDCPassClaimsAs.
# Must be one or several of:
#   "claims"     : the claims in the id_token are passed in individual headers/environment variables
#   "payload"    : the payload of the id_token is passed as a JSON object in the "OIDC_id_token_payload" header/environment variable
#   "serialized" : the complete id_token is passed in compact serialized format in the "OIDC_id_token" header/environment variable
# Note that when OIDCSessionType client-cookie is set, the id_token itself is not stored in the session/cookie (unless explicitly
# configured to do so) and as such the header for the "serialized" option will not be set.
# Can be configured on a per Directory/Location basis. When not defined the default "claims" is used.
#OIDCPassIDTokenAs [claims|payload|serialized]+

# Define the way(s) in which the claims resolved from the userinfo endpoint are passed to the application according to OIDCPassClaimsAs.
# Must be one or several of:
#   "claims" :
#     the userinfo claims are passed in individual headers/environment variables
#   "json[: header/environment variable
#   "jwt[: header/environment variable
#   "signed_jwt[: header/environment variable
#     - requires OIDCPrivateKeyFiles/OIDCPublicKeyFiles set with a RSA key (RS256) or a prime256v1 Elliptic Curve key(s) (ES256);
#       the first RSA/EC signing key in the configured list will be used
#     - the "expires_in" hint from the access_token is used in the "exp" claim; defaults to 60 seconds if not returned by the OP.
#     - caching of the signed JWT - use with care only - can be configured using:
#         SetEnvIfExpr true OIDC_USERINFO_SIGNED_JWT_CACHE_TTL=
#       or for the duration of the - possibly processed - "exp" claim when set to "0"
# Can be configured on a per Directory/Location basis. When not defined the default "claims" is used.
#OIDCPassUserInfoAs [claims|json[:]|jwt[:]|signed_jwt[:]]+

# Only when compiled in with libjq (https://stedolan.github.io/jq/manual/) support: process the claims
# returned from the userinfo endpoint with a JQ-based expression before propagating them according
# to OIDCPassUserInfoAs claims|json|signed_jwt (i.e. does not work for "OIDCPassUserInfoAs jwt")
#
# Overwrite the default (provider) "iss" claim, and delete the default "aud" and "name" claims:
#   '. + { iss: "https://myissuer.com" } | del(.aud, .name)'
# Add a new claim with a variable value obtained from an Apache expression https://httpd.apache.org/docs/2.4/expr.html:
# (be aware that when used with "OIDCPassUserInfoAs signed_jwt" it results in a cached JWT per-user/per-path)
#   '. + { path: "%{REQUEST_URI}" }'
# Keep sub only:
#   '{ sub: .sub }'
# Filter out all elements in the "groups" array of strings that contain "DC=Company":
#   '. + { groups: (.groups - (.groups | map(select(contains("DC=Company"))))) }'
# Filter out all elements in the "groups" array of strings that match regular expression ^CN=test-.* :
#   '. + { groups: (.groups - (.groups | map(select(match("^CN=test-.*"; "g"))))) }'
# Can be configured on a per Directory/Location basis. When not defined no processing will be applied.
#OIDCUserInfoClaimsExpr

# Only when compiled in with libjq (https://stedolan.github.io/jq/manual/) support: applies
# a JQ filter to claims in both the id_token and the claims returned from the userinfo endpoint
# before storing them in the session, after applying (optional) toplevel blacklisting/whitelisting
# with OIDCBlackListedClaims/OIDCWhiteListedClaims, e.g.:
# filter out all elements in the "groups" array of strings that match regular expression ^CN=test-.* :
#   '. + { groups: (.groups - (.groups | map(select(match("^CN=test-.*"; "g"))))) }'
# whitelist only "name" and "sub" claims:
#   '{name, sub}'
# delete "groups", "exp" and "iat":
#   'del(.groups,.exp,.iat)'
# When not defined no processing will be applied and all claims will be stored in the session.
#OIDCFilterClaimsExpr

# Define the way in which the (processed) claims and tokens are passed to the application environment:
#   "none"        : no claims/tokens are passed
#   "environment" : claims/tokens are passed as environment variables
#   "headers"     : claims/tokens are passed in headers (also useful in reverse proxy scenarios)
#   "both"        : claims/tokens are passed as both headers as well as environment variables (default)
#
# A second parameter can be specified that defines the encoding applied to all values passed in headers
# and environment variables:
#   "latin1"    applies ISO-8859-1 encoding: this may result in out of bound characters converted to the "?" character.
#   "base64url" applies base64url encoding
#   "none"      applies no encoding and copies literal values from the claims into the headers/environment variables
# When not defined the default is "both" and "latin1" encoding is applied to the header/environment values.
#
# The access token is passed in OIDC_access_token; the access token expiry is passed in OIDC_access_token_expires.
# The refresh token is only passed in OIDC_refresh_token if enabled for that specific directory/location (see: OIDCPassRefreshToken)
#OIDCPassClaimsAs [none|headers|environment|both] [latin1|base64url|none]

# Specify the HTTP header variable name to set with the name of the authenticated user,
# i.e. copy what is set in REMOTE_USER and configured in OIDCRemoteUserClaim or OIDCOAuthRemoteUserClaim.
# When not defined no such header is added.
# This setting can be configured for both the "openid-connect" and "oauth20" AuthType on
# a server-wide or directory level.
#OIDCAuthNHeader

# Timeout in seconds for long duration HTTP calls. This defines the maximum duration that a request may take
# to complete and is used for most requests to remote endpoints/servers.
# The optional parameter specifies the connect timeout in seconds, as part of the overall request timeout.
# The optional parameter specifies the number of retry attempts in case of connectivity errors.
# When not defined the default of 30 seconds is used, with a 10 second connect timeout, using 1 retry after
# an interval of 500ms.
#OIDCHTTPTimeoutLong [] [[:]]

# Timeout in seconds for short duration HTTP calls. This defines the maximum duration that a request may take
# to complete and is used for Client Registration and OP Discovery requests.
# The optional parameter specifies the connect timeout in seconds, as part of the overall request timeout.
# The optional parameter specifies the number of retry attempts in case of connectivity errors.
# When not defined the default of 5 seconds is used, with a 2 second connect timeout, using 1 retry with
# an interval of 500ms.
#OIDCHTTPTimeoutShort [] [[:]]

# Time to live in seconds for the state parameter, i.e. the interval in which the authorization request
# and the corresponding response need to be processed. When not defined the default of 300 seconds is used.
#OIDCStateTimeout

# Specify an outgoing proxy for your network. When running on a platform with a recent version of
# libcurl you can also specify the network protocol, see: https://curl.se/libcurl/c/CURLOPT_PROXY.html
# When not defined no outgoing proxy is used.
#OIDCOutgoingProxy [://][:] [:] [basic|digest|negotiate|ntlm|any]

# Defines the action to be taken when an unauthenticated request is made.
#
# "auth" means that the user is redirected to the OpenID Connect Provider or Discovery page.
# "401" means that HTTP 401 Unauthorized is returned.
# "407" means that HTTP 407 Proxy Authentication Required is returned # "410" means that HTTP 410 Gone is returned # "pass" means that an unauthenticated request will pass but claims will still be passed when a user happens to be authenticated already # # Useful in Location/Directory/Proxy path contexts that serve AJAX/Javascript calls and for "anonymous access" # # When not defined the default is "auth" with auto-detection of requests that woult not be able to complete # an authentication round trip to the OpenID Connect Provider, which would receive a 401. # The default auto-detection algorithm looks for the "X-Requested-With: XMLHttpRequest" header/value, or # the presence of a Sec-Fetch-Mode header with a value that is not equal to "navigate", or the presence of # a Sec-Fetch-Dest header with a value that is not equal to "document" or the absence of # an "Accept" header with any of the values "text/html" "application/xhtml+xml" or "*/*" # and returns 401 for such non-auth-capable requests, e.g. XML HTTP Requests, image loading requests etc. # that would create a state cookie but never return to delete it. # See: https://github.com/OpenIDC/mod_auth_openidc/wiki/Cookies#tldr # # Only for Apache >= 2.4.x: # Since verson 2.4.4 a boolean Apache expression as the second parameter to specify which requests # need to match to return the configured value in the first parameter to override the default "auth". # See also: https://httpd.apache.org/docs/2.4/expr.html. 
# E.g to only return 401 for cURL based user agents and "auth" for any other browsers/user agents: # OIDCUnAuthAction 401 "%{HTTP_USER_AGENT} =~ /curl/" # to effectively override the default XML request detection algorithm by ignoring the Sec-Fetch-Mode, # Sec-Fetch-Dest and Accept headers: # OIDCUnAuthAction 401 "%{HTTP:X-Requested-With} == 'XMLHttpRequest'" # to return 401 for all user agents that do not send an Accept header that includes a "text/html" value: # OIDCUnAuthAction 401 "%{HTTP_ACCEPT} !~ m#text/html#" # or as a more complex example, which equals the default XML request detection algorithm: # OIDCUnAuthAction 401 "%{HTTP:X-Requested-With} == 'XMLHttpRequest' \ # || ( -n %{HTTP:Sec-Fetch-Mode} && %{HTTP:Sec-Fetch-Mode} != 'navigate' ) \ # || ( -n %{HTTP:Sec-Fetch-Dest} && %{HTTP:Sec-Fetch-Dest} != 'document' ) \ # || ( ( %{HTTP_ACCEPT} !~ m#text/html# ) \ # && ( %{HTTP_ACCEPT} !~ m#application/xhtml\+xml# ) \ # && ( %{HTTP_ACCEPT} !~ m#\*/\*# ) )" # To enable authentication in an iframe you need to change the Sec-Fetch-Dest part above in: # || ( -n %{HTTP:Sec-Fetch-Dest} && %{HTTP:Sec-Fetch-Dest} != 'iframe' && %{HTTP:Sec-Fetch-Dest} != 'document') \ # To disable auto-detection of XML HTTP request altogether and uncondtionally return "auth" for all clients: # OIDCUnAuthAction auth true # Note that actually *any* expression value in "OIDCUnAuthAction auth " will *always* render "auth" # (even when set to "false"...) because of the default, so using an value (other than "true") only # makes sense in combination with one of the values other than "auth". #OIDCUnAuthAction [auth|pass|401|407|410] [] # Defines the action to be taken when an unauthorized request is made i.e. the user is authenticated but # does not meet the `Require claim <>` directives or similar. 
# "401" return HTTP 401 Unauthorized with optional text message if specified in # "403" return HTTP 403 Forbidden with optional text message; NB: for Apache 2.4 this is controlled by the AuthzSendForbiddenOnFailure directive! # "302" redirect to the URL specified in the parameter # "auth" redirect the user to the OpenID Connect Provider or Discovery page for authentication ( is unused) # Useful in Location/Directory/Proxy path contexts that need to do stepup authentication # Be aware that this will only work in combination with a single Require statement or RequireAll, # so using RequireAny and multiple Require statements is not supported. # When not defined the default "403" is used. However Apache 2.4 will change this to 401 unless you set "AuthzSendForbiddenOnFailure on" #OIDCUnAutzAction [401|403|302|auth] [] # Indicates whether POST data will be preserved across authentication requests (and discovery in case of multiple OPs). # This is designed to prevent data loss when a session timeout occurs in a (long) user filled HTML form. # It cannot handle arbitrary payloads for security (DOS) reasons, merely form-encoded user data. # Preservation is done via HTML 5 session storage: note that this can lead to private data exposure on shared terminals. # The default is "Off" (for security reasons). Can be configured on a per Directory/Location basis. #OIDCPreservePost [On|Off] # POST preserve and restore templates to be used with OIDCPreservePost # template needs to contain two "%s" characters # the first for the JSON formattted POST data, the second for the URL to redirect to after preserving # template needs to contain one "%s" # which contains the (original) URL to POST the restored data to # The default is to use internal templates #OIDCPreservePostTemplates # Indicates whether the access token and access token expires will be passed to the application in a header/environment variable, according # to the OIDCPassClaimsAs directive. 
# Can be configured on a per Directory/Location basis. The default is "On". #OIDCPassAccessToken [On|Off] # # Indicates whether the refresh token will be passed to the application in a header/environment variable, according # to the OIDCPassClaimsAs directive. # Can be configured on a per Directory/Location basis. The default is "Off". #OIDCPassRefreshToken [On|Off] # Request Object/URI settings expressed as a string that is a "double-quote-escaped" JSON object. For example: # "{ \"copy_from_request\": [ \"claims\", \"response_type\", \"response_mode\", \"login_hint\", \"id_token_hint\", \"nonce\", \"state\", \"redirect_uri\", \"scope\", \"client_id\" ], \"static\": { \"some\": \"value\", \"some_nested\": { \"some_array\": [ 1,2,3] } }, \"crypto\": { \"sign_alg\": \"HS256\", \"crypt_alg\": \"A256KW\", \"crypt_enc\": \"A256CBC-HS512\" }, \"url\": \"https://www.openidc.com/protected/\", \"request_object_type\" : \"request\" }" # Parameters: # copy_from_request (array) : array of query parameter names copied from request # copy_and_remove_from_request (array) : array of parameter names copied from request and removed as query parameter # static (object) : parameter value is merged to the request object # ttl (number) : number of seconds before the request object expires (default is 30 seconds) # translates to the `exp` claim in the request object # crypto (object) : defines cryptography used to create request object # sign_alg (string) : algorithm used to sign request object (JWS alg parameter) # crypt_alg (string) : algorithm used to encrypt CEK of request object (JWE alg parameter) # crypt_enc (string) : algorithm used to encrypt request object (JWE enc parameter) # url (string) : use this url instead of redirect_uri for request_uri # request_object_type (string) : parameter used for sending authorization request object # "request_uri" (default) or "request" # NB: this can be overridden on a per-OP basis in the .conf file using the key: request_object 
#OIDCRequestObject # Provider metadata refresh interval for the metadata in a multi-provider setup (with OIDCMetadataDir). # When not defined the default is 0 seconds, i.e. it is never refreshed. # Also used in a single provider setup with OIDCProviderMetadatURL but 0 then means the default of 1 day. #OIDCProviderMetadataRefreshInterval # Define the data that will be returned upon calling the info hook. # The data can be JSON formatted using ?info=json, or HTML formatted, using ?info=html. # iat (int) : Unix timestamp indicating when this data was created # access_token (string) : the access token # access_token_expires (int) : the Unix timestamp which is a hint about when the access token will expire (as indicated by the OP) # id_token (object) : the claims presented in the ID token # id_token_hint (string) : the serialized ID token # userinfo (object) : the claims resolved from the UserInfo endpoint # refresh_token (string) : the refresh token (if returned by the OP) # exp (int) : the maximum session lifetime (Unix timestamp in seconds) # timeout (int) : the session inactivity timeout (Unix timestamp in seconds) # remote_user (string) : the remote user name # session (object) : (for debugging) mod_auth_openidc specific session data such as "remote user", "session expiry", "session id" and a "state" object # Note that when using ProxyPass / you may have to add a proxy exception for the Redirect URI # for this to work, e.g. ProxyPass /redirect_uri ! # When not defined the session hook will not return any data but a HTTP 404 #OIDCInfoHook [iat|access_token|access_token_expires|id_token|id_token_hint|userinfo|refresh_token|exp|timeout|remote_user|session]+ # Specify metrics that you wish to collect and keep in shared memory for retrieval. # Supported metrics classes are: # authtype Request counter, overall and per AuthType: openid-connect, oauth20 and auth-openidc. # authn Authentication request creation and response processing. 
# authz Authorization errors per OIDCUnAuthzAction (per Require statement, not overall). # require.claim Match/failure count of Require claim directives (per Require statement, not overall). # provider Requests to the provider [token, userinfo, metadata] endpoints. # session Existing session processing. # cache Cache read/write timings and errors. # redirect_uri Requests to the Redirect URI, per type. # content Requests to the content handler, per type of request: info, metrics, jwks, etc. # When not defined no metrics will be recorded. #OIDCMetricsData [ authtype | authn | authz | require.claim | requests | session | cache | redirect_uri | content ]+ # Specify the path where metrics are published and can be consumed. # The format parameter can be passed to specify the format in which the collected data is returned. # format=prometheus Prometheus text-based exporter # format=json (non-standard) JSON with descriptions and names # format=status short text based status message "OK" plus optional counter (&vhost=&counter=) # format=internal internal terse JSON for debugging purposes # The default is "prometheus". # Protect protect this path (e.g. Require host localhost) or serve it on an internal co-located vhost/port. # When not defined, no metrics will be published on the enclosing vhost. #OIDCMetricsPublish # Set a traceparent HTTP header on outgoing requests to the provider and proxied requests. # propagate: propagate any existing traceparent header on requests to the Provider (it's proxied as it is) # generate: generate a traceparent header, possibly overwriting an existing one # The default is to not add (or overwrite) a traceparent header. #OIDCTraceParent generate | propagate # Specify claims that should be removed from the userinfo and/or id_token before storing them in the session. 
# Note that OIDCBlackListedClaims takes precedence over OIDCWhiteListedClaims # When not defined no claims are blacklisted and all claims are stored except when OIDCWhiteListedClaims is used. #OIDCBlackListedClaims []+ # Specify claims from the userinfo and/or id_token that should be stored in the session (all other claims will be discarded). # Note that OIDCBlackListedClaims takes precedence over OIDCWhiteListedClaims # When not defined no claims are whitelisted and all claims are stored except when blacklisted with OIDCBlackListedClaims. #OIDCWhiteListedClaims []+ # Specify the minimum time-to-live for the access token stored in the OIDC session. # When the access token expiry timestamp (at least the hint given to that) is less than this value, # an attempt will be made to refresh the access token using the refresh token grant type towards the OP. # This only has an effect if a refresh token was actually returned from the OP and an "expires_in" hint # was returned as part of the authorization response and subsequent refresh token responses. # When not defined no attempt is made to refresh the access token (unless implicitly through OIDCUserInfoRefreshInterval) # The optional logout_on_error flag makes the refresh logout the current local session if the refresh fails. # The optional authenticate_on_error flag sends the user for authentication when the refresh fails. #OIDCRefreshAccessTokenBeforeExpiry [logout_on_error | authenticate_on_error] # Defines which headers will be used as the "state" input for calculating the fingerprint of the browser # during authentication. When not defined the default "user-agent" is used. 
#OIDCStateInputHeaders [user-agent|x-forwarded-for|both|none] # Define one or more regular expressions that specify URLs (or domains) allowed for post logout and # other redirects such as the "return_to" value on refresh token requests, the "login_uri" value # on session management based logins through the OP iframe, and the "target_link_uri" parameter in # 3rd-party initiated logins, e.g.: # OIDCRedirectURLsAllowed ^https://www\.example\.com ^https://(\w+)\.example\.org ^https://example\.net/app # or: # OIDCRedirectURLsAllowed ^https://www\.example\.com/logout$ ^https://www\.example\.com/app/return_to$ # When not defined, the default is to match the hostname in the URL redirected to against # the hostname in the current request. #OIDCRedirectURLsAllowed []+ # Defines the value of the X-Frame-Options header returned on OIDC front-channel logout requests. # See also https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Frame-Options. # For example: # OIDCLogoutXFrameOptions: sameorigin # or: # OIDCLogoutXFrameOptions: allow-from https://provider.example.com/ # When not defined the default is "DENY". #OIDCLogoutXFrameOptions # Define the X-Forwarded-* or Forwarded headers that will be taken into account as set by a reverse proxy # in front of mod_auth_openidc. Must be one or more of: # X-Forwarded-Host # X-Forwarded-Port # X-Forwarded-Proto # Forwarded # When not defined, such headers will be ignored. #OIDCXForwardedHeaders
+ ```
docker-compose.yml

```yaml
---
services:
  freshrss:
    image: freshrss/freshrss:newest
    build:
      context: https://github.com/FreshRSS/FreshRSS.git#edge
      dockerfile: Docker/Dockerfile-Newest
    environment:
      - PUID=1000
      - PGID=1000
      - TZ=Europe/Berlin
      - OIDC_ENABLED=1
    volumes:
      - ./data:/config
    ports:
      - 127.0.0.1:18008:80
    restart: unless-stopped
```

Build command: `docker compose build --no-cache --pull`

When I start the compose project, the logs show that it fails again:

docker compose logs

```
freshrss-1  | Enabling module auth_openidc.
freshrss-1  | [Mon Jul 29 17:50:15.999657 2024] [core:warn] [pid 1:tid 1] AH00111: Config variable ${OIDC_PROVIDER_METADATA_URL} is not defined
freshrss-1  | [Mon Jul 29 17:50:15.999750 2024] [core:warn] [pid 1:tid 1] AH00111: Config variable ${OIDC_CLIENT_ID} is not defined
freshrss-1  | [Mon Jul 29 17:50:15.999759 2024] [core:warn] [pid 1:tid 1] AH00111: Config variable ${OIDC_CLIENT_SECRET} is not defined
freshrss-1  | [Mon Jul 29 17:50:15.999768 2024] [core:warn] [pid 1:tid 1] AH00111: Config variable ${OIDC_CLIENT_CRYPTO_KEY} is not defined
freshrss-1  | [Mon Jul 29 17:50:15.999775 2024] [core:warn] [pid 1:tid 1] AH00111: Config variable ${OIDC_REMOTE_USER_CLAIM} is not defined
freshrss-1  | [Mon Jul 29 17:50:15.999793 2024] [core:warn] [pid 1:tid 1] AH00111: Config variable ${OIDC_SCOPES} is not defined
freshrss-1  | [Mon Jul 29 17:50:15.999810 2024] [core:warn] [pid 1:tid 1] AH00111: Config variable ${OIDC_X_FORWARDED_HEADERS} is not defined
freshrss-1  | httpd: Syntax error on line 482 of /etc/apache2/httpd.conf: Syntax error on line 1 of /etc/apache2/conf.d/mod-auth-openidc.conf: Cannot load mod_auth_openidc.so into server: Error loading shared library mod_auth_openidc.so: No such file or directory
freshrss-1  | mv: can't rename '/etc/apache2/conf.d/mod-auth-openidc.conf.bak': No such file or directory
freshrss-1  | [Mon Jul 29 17:50:17.380962 2024] [core:warn] [pid 1:tid 1] AH00111: Config variable ${OIDC_PROVIDER_METADATA_URL} is not defined
freshrss-1  | [Mon Jul 29 17:50:17.381073 2024] [core:warn] [pid 1:tid 1] AH00111: Config variable ${OIDC_CLIENT_ID} is not defined
freshrss-1  | [Mon Jul 29 17:50:17.381101 2024] [core:warn] [pid 1:tid 1] AH00111: Config variable ${OIDC_CLIENT_SECRET} is not defined
freshrss-1  | [Mon Jul 29 17:50:17.381110 2024] [core:warn] [pid 1:tid 1] AH00111: Config variable ${OIDC_CLIENT_CRYPTO_KEY} is not defined
freshrss-1  | [Mon Jul 29 17:50:17.381121 2024] [core:warn] [pid 1:tid 1] AH00111: Config variable ${OIDC_REMOTE_USER_CLAIM} is not defined
freshrss-1  | [Mon Jul 29 17:50:17.381863 2024] [core:warn] [pid 1:tid 1] AH00111: Config variable ${OIDC_SCOPES} is not defined
freshrss-1  | [Mon Jul 29 17:50:17.382174 2024] [core:warn] [pid 1:tid 1] AH00111: Config variable ${OIDC_X_FORWARDED_HEADERS} is not defined
freshrss-1  | httpd: Syntax error on line 482 of /etc/apache2/httpd.conf: Syntax error on line 1 of /etc/apache2/conf.d/mod-auth-openidc.conf: Cannot load mod_auth_openidc.so into server: Error loading shared library mod_auth_openidc.so: No such file or directory
```

The openidc module is still at the same location:

```
docker run -it --rm freshrss/freshrss:newest find / -type f -iname mod_auth_openidc.so
/usr/lib/apache2/mod_auth_openidc.so
```

Did I do something wrong, or why is this still happening?

OS: Raspberry Pi OS (Debian 12)
Model: Raspberry Pi 4
Docker: 27.1.1
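Two of the decisions described in the auth_openidc.conf comments pasted above are easy to misread from the prose alone: the default OIDCUnAuthAction auto-detection (which unauthenticated requests get a redirect to the provider and which get a bare 401, so that no orphaned state cookie is created), and the OIDCRedirectURLsAllowed check with its hostname-match fallback. The Python below is an added illustration of both written for this page; it is not code from mod_auth_openidc, FreshRSS or this thread's participants, and the header dictionaries and allow-list patterns it is exercised with are constructed samples.

```python
"""Added illustration (not mod_auth_openidc or FreshRSS code) of two policies
described in the auth_openidc.conf comments: the default OIDCUnAuthAction
auto-detection and the OIDCRedirectURLsAllowed check."""
import re
from urllib.parse import urlsplit

# Accept values that mark a request as one a browser can complete a login for.
HTML_ACCEPT_VALUES = ("text/html", "application/xhtml+xml", "*/*")


def _get(headers, name):
    """Case-insensitive header lookup; None when the header is absent."""
    for key, value in headers.items():
        if key.lower() == name.lower():
            return value
    return None


def is_auth_capable(headers, allow_iframe=False):
    """Apply the default detection algorithm from the OIDCUnAuthAction comments:
    a request is NOT capable of an authentication round trip when it carries
    X-Requested-With: XMLHttpRequest, a Sec-Fetch-Mode other than navigate,
    a Sec-Fetch-Dest other than document, or an Accept header without any of
    the page media types. allow_iframe mirrors the documented variant that also
    accepts Sec-Fetch-Dest: iframe."""
    if _get(headers, "X-Requested-With") == "XMLHttpRequest":
        return False
    mode = _get(headers, "Sec-Fetch-Mode")
    if mode is not None and mode != "navigate":
        return False
    dest = _get(headers, "Sec-Fetch-Dest")
    allowed_dest = {"document", "iframe"} if allow_iframe else {"document"}
    if dest is not None and dest not in allowed_dest:
        return False
    accept = _get(headers, "Accept") or ""
    # Strip quality parameters: "text/html;q=0.9" -> "text/html".
    media_types = [part.split(";")[0].strip() for part in accept.split(",")]
    return any(mt in HTML_ACCEPT_VALUES for mt in media_types)


def unauth_action(headers, configured="auth", detect=True, allow_iframe=False):
    """Action for an unauthenticated request. Only the default "auth" is subject
    to auto-detection; detect=False corresponds to "OIDCUnAuthAction auth true",
    which unconditionally redirects every client."""
    if configured != "auth" or not detect:
        return configured
    return "auth" if is_auth_capable(headers, allow_iframe) else "401"


def redirect_allowed(target, request_host, allowed_patterns=None):
    """OIDCRedirectURLsAllowed semantics: with patterns configured, the target
    must match at least one regular expression; without any, the hostname of
    the target must equal the hostname of the current request."""
    if allowed_patterns:
        return any(re.search(pattern, target) for pattern in allowed_patterns)
    host = urlsplit(target).hostname
    return host is not None and host.lower() == request_host.lower()


if __name__ == "__main__":
    # Constructed sample requests: a top-level navigation and an XHR call.
    navigation = {"Accept": "text/html,application/xhtml+xml,*/*;q=0.8",
                  "Sec-Fetch-Mode": "navigate", "Sec-Fetch-Dest": "document"}
    xhr = {"Accept": "application/json", "X-Requested-With": "XMLHttpRequest"}
    print(unauth_action(navigation), unauth_action(xhr))  # auth 401
    print(redirect_allowed("https://www.example.com/logout", "www.example.com"))
```

One caveat the sample patterns in the pasted configuration hint at: a pattern without a terminating anchor, such as `^https://www\.example\.com`, also accepts `https://www.example.com.evil.net/`; end allow-list patterns with `/` or `$` so that the host cannot be extended. The hostname fallback has no such gap because it compares the parsed host, not a prefix.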

Alkarex commented 1 month ago

@mytlogos Thanks for the tests 👍🏻

You should provide the environment variables such as OIDC_PROVIDER_METADATA_URL in your docker-compose.

But this is not the main error, which seems indeed to be `Syntax error on line 1 of /etc/apache2/conf.d/mod-auth-openidc.conf: Cannot load mod_auth_openidc.so into server: Error loading shared library mod_auth_openidc.so: No such file or directory`

I do not know why this still seems to fail, but additional debugging is welcome. It could be interesting to replace the loading line with the full path to check whether it makes any difference: `LoadModule auth_openidc_module /usr/lib/apache2/mod_auth_openidc.so`. I suspect another problem, though.