OIDC with Apache and mod_auth_openidc

Last modified by Jukka Karvonen on 2025/04/23 10:45

We recommend using OpenID certified implementations: https://openid.net/certification/

Example configuration for mod_auth_openidc

https://github.com/OpenIDC/mod_auth_openidc

You can protect the /secure location in Apache with the following configuration (placeholders in angle brackets come from the SP registry or are chosen by you):

LoadModule auth_openidc_module modules/mod_auth_openidc.so
OIDCClientID <client_id_from_sp_registry>
OIDCClientSecret <client_secret_from_sp_registry>
OIDCProviderMetadataURL https://login.helsinki.fi/.well-known/openid-configuration
OIDCProviderIssuer https://login.helsinki.fi
OIDCRedirectURI <redirect URI registered in the SP registry, e.g. https://example.org/secure/redirect_uri; use a path inside the protected location that serves no real content, the module handles it itself>
OIDCCryptoPassphrase <long random string; used to encrypt the state and session cookies, keep it secret>
OIDCScope "openid email"
<Location /secure>
    AuthType openid-connect
    Require valid-user
</Location>

Keep the file containing OIDCClientSecret and OIDCCryptoPassphrase readable by root and the Apache user only.

Getting user information with claims

If your application needs specific user attributes, request them with the claims request parameter. Claims can be requested separately for the userinfo endpoint and for the ID token, and the provider may return a different set for each. The example below asks for uid from the userinfo endpoint and for given_name and family_name in the ID token; null means the claim is requested with no particular value. Note that the JSON must be valid, so there are no trailing commas after the last member of an object:

{
  "userinfo": {
    "uid": null
  },
  "id_token": {
    "given_name": null,
    "family_name": null
  }
}

Claims that the provider returns are passed on to the application by mod_auth_openidc as OIDC_CLAIM_<name> headers or environment variables (see the OIDCPassClaimsAs and OIDCClaimPrefix directives).

For mod_auth_openidc the claims JSON is passed with OIDCAuthRequestParams, which takes a URL-query-encoded string, so the JSON must be percent-encoded. The compact form of the request above is:

OIDCAuthRequestParams claims=%7B%22userinfo%22%3A%7B%22uid%22%3Anull%7D%2C%22id_token%22%3A%7B%22given_name%22%3Anull%2C%22family_name%22%3Anull%7D%7D

Read more from: https://openid.net/specs/openid-connect-core-1_0.html#ClaimsParameter
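Hand-encoding the claims parameter is error-prone (a stray trailing comma turns into invalid JSON that the provider may silently ignore). The following script, added here as an example and not code from this page or from the mod_auth_openidc project, builds the OIDCAuthRequestParams value from a Python dictionary and, in the other direction, decodes an existing value and parses it with a strict JSON parser so that an invalid claims request is caught before it is deployed. The claims set is the one used on this page; the bad input at the bottom is a constructed string with trailing commas.

```python
import json
from urllib.parse import quote, unquote

# Claims request from this page: uid via the userinfo endpoint,
# given_name and family_name in the ID token. None serialises to
# JSON null, i.e. "requested, no particular value".
CLAIMS_REQUEST = {
    "userinfo": {"uid": None},
    "id_token": {"given_name": None, "family_name": None},
}


def build_auth_request_params(claims: dict) -> str:
    """Return the value to put after the OIDCAuthRequestParams directive.

    The directive expects a URL-query-encoded string (name=value pairs
    joined with '&'), so the claims JSON is serialised compactly and then
    percent-encoded. safe="" encodes everything except unreserved
    characters, so '{', '"', ':' and ',' become %7B, %22, %3A and %2C.
    """
    body = json.dumps(claims, separators=(",", ":"))
    return "claims=" + quote(body, safe="")


def parse_auth_request_params(params: str) -> dict:
    """Decode an OIDCAuthRequestParams value into a dict of parameters.

    Each '&'-separated pair is percent-decoded; the 'claims' value is
    additionally parsed with json.loads, which is strict and raises
    ValueError (JSONDecodeError) on trailing commas or other malformed JSON.
    Other parameters (e.g. prompt=login) are returned as plain strings.
    """
    out = {}
    for pair in params.split("&"):
        if not pair:
            continue
        key, _, value = pair.partition("=")
        value = unquote(value)
        if key == "claims":
            value = json.loads(value)
        out[key] = value
    return out


def is_valid_auth_request_params(params: str) -> bool:
    """True if the value decodes and its claims JSON parses cleanly."""
    try:
        parse_auth_request_params(params)
        return True
    except ValueError:
        return False


# Constructed bad input: the same claims request hand-encoded with a
# trailing comma after each last member ("uid": null, / "family_name": null,).
HAND_ENCODED_WITH_TRAILING_COMMAS = (
    "claims=%7B%0A%20%20%22userinfo%22%3A%20%7B%0A%20%20%20%20%22uid%22%3A"
    "%20null%2C%0A%20%20%7D%2C%0A%20%20%22id_token%22%3A%20%7B%0A%20%20%20%20"
    "%22given_name%22%3A%20null%2C%0A%20%20%20%20%22family_name%22%3A%20null"
    "%2C%0A%20%20%7D%0A%7D"
)

if __name__ == "__main__":
    # Paste this line into the Apache configuration inside the VirtualHost.
    print("OIDCAuthRequestParams " + build_auth_request_params(CLAIMS_REQUEST))
    print("hand-encoded value valid:",
          is_valid_auth_request_params(HAND_ENCODED_WITH_TRAILING_COMMAS))
```

Run the script once after changing the claims set and paste the printed directive into the configuration; run the validator over the value already in your httpd.conf to confirm the provider is receiving well-formed JSON.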

SP-registry settings

Technical attributes required for this configuration:

  • Grant types: authorization_code
  • Response types: code
  • OIDC scopes: email
  • Application type: web
  • Subject identifier: public or pairwise
  • Token endpoint authentication method: client_secret_basic

Testing with InfoHook

For testing, mod_auth_openidc can expose the current user's session data as JSON at the redirect URI: open <redirect_uri>?info=json in the browser after logging in (the request must carry the session cookie). The directive below selects which items are shown:

OIDCInfoHook iat access_token access_token_expires id_token userinfo refresh_token session

Because this returns the raw access token and refresh token to the browser, enable the hook only on a test deployment and remove it from production configurations.