===================================================================================================================
Authenticating with the apache plugin `mod_auth_openidc <https://github.com/zmartzone/mod_auth_openidc>`_ and Feide
===================================================================================================================

Apache virtual host configuration::

    <Location />
        .
        .

        AuthType openid-connect
        Require valid-user
    </Location>

    <Location /oidc>
        SetHandler none
        AuthType openid-connect
        Require valid-user
    </Location>

    <Location /index/logout>
        AuthType None
        Require all granted
    </Location>

    <Location /about>
        AuthType None
        Require all granted
    </Location>

    <Location /refresh_session>
        AuthType None
        Require all granted
    </Location>

    <Location /api>
        AuthType None
        Require all granted
    </Location>

    <Location /doc>
        AuthType None
        Require all granted
    </Location>

    OIDCProviderMetadataURL https://auth.dataporten.no/.well-known/openid-configuration
    OIDCClientID XXX
    OIDCClientSecret YYY
    OIDCRedirectURI ZZZ/oidc/
    OIDCCryptoPassphrase LONGRANDOMSTRING
    OIDCOAuthRemoteUserClaim "dataporten-userid_sec"
    OIDCScope "userid userid-feide openid"

Note the first location block, where two lines need be added to what is already
there. This locks down the entire site. We haven't found a way with this plugin
to do it any other way.

The second location block just needs to be a url that is not in use by
anything else, this is used by the plugin as its edndpoint.

The third location block is the url the plugin redirects to after logout.

The remaining location blocks are either public urls (``/doc``, ``/about``),
parts of NAV that has its own authentication system (``/api``), or must not be
under the control of the plugin for the web frontend to correctly function
(``/refresh_session``).

In the lines that configure the plugin, **XXX** and **YYY** is generated by
`Feide at its dashboard <https://dashboard.dataporten.no>`_. **ZZZ** is the
domain name of the NAV instance, suffixed with the plugin's magic endpoint url.
The entire url needs to be registered at the Feide dashboard as a redirect URI
under *Basic info*. Under *Permissions*, the scopes mentioned under
``OIDCScope`` must be accepted.
**LONGRANDOMSTRING** is a long, random string without whitespace that can be
generated by anything.

``webfront.conf``::

    [remote-user]
    enabled = yes
    varname = HTTP_OIDC_CLAIM_DATAPORTEN_USERID_SEC
    logout-url = /oidc/?logout=
    workaround = feide-oidc

"oidc" in the ``logout-url`` is the same url as the ``oidc``-block in the
apache configuration and the redirect URI in the Feide dashboard.