openidc / mod_sts
Security Token Exchange Client module for the Apache HTTPd webserver
License: GNU Affero General Public License v3.0
Hello,
I am trying to enable mod_sts for Apache with mod_oidc.
For now I have the following config in Apache for OIDC:
OIDCClientID 'xxxxxxxxxx'
OIDCPublicKeyFiles xxxxxxxxxx#/xxxxxxxxxx/client_sign.pem xxxxxxxxxx#/xxxxxxxxxx/client_enc.pem
OIDCPrivateKeyFiles xxxxxxxxxx#/xxxxxxxxxx/client_sign.key xxxxxxxxxx#/xxxxxxxxxx/client_enc.key
OIDCProviderMetadataURL https://xxxxxx/auth/realms/xxxxx/.well-known/openid-configuration
OIDCProviderTokenEndpointAuth private_key_jwt
OIDCCryptoPassphrase 'xxxxxx'
OIDCRedirectURI https://xxxxx/redirect_uri
OIDCSSLValidateServer On
OIDCUserInfoSignedResponseAlg RS256
OIDCIDTokenSignedResponseAlg RS256
OIDCIDTokenEncryptedResponseEnc A256GCM
OIDCIDTokenEncryptedResponseAlg RSA-OAEP
OIDCIDTokenIatSlack 60
OIDCStateTimeout 30
OIDCPassRefreshToken On
OIDCRemoteUserClaim preferred_username
OIDCScope "openid email profile"
<Location "/oidc/jwks.json">
Alias /xxxxxxxxxx/jwks.json
Satisfy Any
Allow from all
AuthType None
Require all granted
</Location>
# Replace OIDC location
<Location "/">
LogLevel sts:debug
AuthType openid-connect
Require valid-user
SetEnvIf OIDC_access_token "(.+)" access_token=$1
STSExchange otx https://xxxxxxxxxx/auth/realms/xxxxxxxxxx/protocol/openid-connect/token \
auth=private_key_jwt&\
client_id=xxxxxxxxxx&\
jwk=JWKKEY&\
aud=https://xxxxxxxxxx/auth/realms/xxxxxxxxxx
</Location>
In my Apache log I get the following:
<snip>
[Fri Apr 09 09:12:31.062683 2021] [sts:debug] [pid 66] src/http.c(158): [client 1.2.3.4:58854] _oauth2_http_request_header_set_add_sanitized: OIDC_CLAIM_nonce: xxxxxxxxxx
[Fri Apr 09 09:12:31.062694 2021] [sts:debug] [pid 66] src/http.c(158): [client 1.2.3.4:58854] _oauth2_http_request_header_set_add_sanitized: OIDC_CLAIM_session_state: xxxxxxxxxx
[Fri Apr 09 09:12:31.062706 2021] [sts:debug] [pid 66] src/http.c(158): [client 1.2.3.4:58854] _oauth2_http_request_header_set_add_sanitized: OIDC_CLAIM_at_hash: xxxxxxxxxx
[Fri Apr 09 09:12:31.062719 2021] [sts:debug] [pid 66] src/http.c(158): [client 1.2.3.4:58854] _oauth2_http_request_header_set_add_sanitized: OIDC_CLAIM_acr: 0
[Fri Apr 09 09:12:31.062761 2021] [sts:debug] [pid 66] src/http.c(158): [client 1.2.3.4:58854] _oauth2_http_request_header_set_add_sanitized: OIDC_refresh_token: xxxxxxxxxx
[Fri Apr 09 09:12:31.062809 2021] [sts:debug] [pid 66] src/http.c(158): [client 1.2.3.4:58854] _oauth2_http_request_header_set_add_sanitized: OIDC_access_token: xxxxxxxxxx
[Fri Apr 09 09:12:31.062858 2021] [sts:debug] [pid 66] src/http.c(158): [client 1.2.3.4:58854] _oauth2_http_request_header_set_add_sanitized: OIDC_access_token_expires: 1617989756
[Fri Apr 09 09:12:31.062873 2021] [sts:debug] [pid 66] src/http.c(158): [client 1.2.3.4:58854] _oauth2_http_request_header_set_add_sanitized: REMOTE_USER: xxxxxxxxxx
[Fri Apr 09 09:12:31.062884 2021] [sts:debug] [pid 66] src/server/apache.c(280): [client 1.2.3.4:58854] oauth2_apache_request_context_init: created request context: 0x56189d8b7bb0
[Fri Apr 09 09:12:31.062896 2021] [sts:debug] [pid 66] src/mod_sts.c(52): [client 1.2.3.4:58854] sts_check_access_handler: enter: "/?(null)", ap_is_initial_req(r)=1
[Fri Apr 09 09:12:31.062905 2021] [sts:debug] [pid 66] src/liboauth2-sts/src/sts.c(704): [client 1.2.3.4:58854] sts_request_handler: enter
[Fri Apr 09 09:12:31.062924 2021] [sts:debug] [pid 66] src/proto.c(212): [client 1.2.3.4:58854] _oauth2_get_source_token_from_envvar: enter
[Fri Apr 09 09:12:31.062934 2021] [sts:debug] [pid 66] src/server/apache.c(491): [client 1.2.3.4:58854] oauth2_apache_get_envvar: get environment variable: access_token
[Fri Apr 09 09:12:31.062944 2021] [sts:debug] [pid 66] src/proto.c(226): [client 1.2.3.4:58854] _oauth2_get_source_token_from_envvar: no source token found in access_token environment variable
Do you have any idea how to rename the OIDC_access_token variable to the access_token variable?
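A configuration that addresses the problem described above, added here as an example and not taken from the issue or from the mod_sts project itself. The debug log shows mod_sts looking for its source token in an environment variable named access_token (the default) and finding nothing. The SetEnvIf copy cannot help: mod_setenvif evaluates SetEnvIf during the early header-parsing phases, before mod_auth_openidc has authenticated the request and populated OIDC_access_token, so access_token is never set by the time mod_sts runs. Instead of renaming the variable, tell mod_sts which variable to read. The STSAcceptSourceTokenIn directive with an environment:name= parameter is assumed here (it is the form the mod_sts README uses for mod_auth_openidc integration); the hostname idp.example.com, the realm myrealm and the client ID my-client are placeholders, and jwk=JWKKEY stands for the client's JWK exactly as in the original config.

```apache
# Added example (not from the issue): hand the mod_auth_openidc access token
# to mod_sts by name instead of trying to copy it with SetEnvIf.
<Location "/">
    LogLevel sts:debug
    AuthType openid-connect
    Require valid-user

    # Assumption: mod_sts reads its source token from the environment variable
    # named here. mod_auth_openidc sets OIDC_access_token after authentication,
    # which is later than any SetEnvIf runs, so no copy into access_token is
    # needed and the SetEnvIf line from the original config can be dropped.
    STSAcceptSourceTokenIn environment:name=OIDC_access_token

    # Placeholders: replace idp.example.com, myrealm and my-client with the
    # real issuer host, realm and client ID; JWKKEY is the client JWK.
    STSExchange otx https://idp.example.com/auth/realms/myrealm/protocol/openid-connect/token \
        auth=private_key_jwt&\
        client_id=my-client&\
        jwk=JWKKEY&\
        aud=https://idp.example.com/auth/realms/myrealm
</Location>
```

To check the change, reload Apache and request a protected path again: with sts:debug still enabled, the oauth2_apache_get_envvar line in the log should now name OIDC_access_token rather than access_token, and the "no source token found" line should no longer appear. Leaving the access token in an environment variable keeps it out of request headers, so a backend proxied behind this location does not receive the raw token unless you explicitly forward it.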
Hey!
Can you please tell me if there is some way to invalidate a cache entry on demand?
Maybe, for example, via a webhook/endpoint like the one mentioned here?
OpenIDC/mod_auth_openidc#177
Thanks