Authenticating with the Apache plugin mod_auth_openidc and Feide
Apache virtual host configuration:

    <Location />
        .
        .
        # These two lines are added to the existing block: protect the whole site
        AuthType openid-connect
        Require valid-user
    </Location>

    # Redirect endpoint used by the plugin itself; must not be served by anything else
    <Location /oidc>
        SetHandler none
        AuthType openid-connect
        Require valid-user
    </Location>

    # Landing URL after logout
    <Location /index/logout>
        AuthType None
        Require all granted
    </Location>

    # Public URLs
    <Location /about>
        AuthType None
        Require all granted
    </Location>

    # Must stay outside the plugin's control for the web frontend to work
    <Location /refresh_session>
        AuthType None
        Require all granted
    </Location>

    # NAV's API has its own authentication
    <Location /api>
        AuthType None
        Require all granted
    </Location>

    <Location /doc>
        AuthType None
        Require all granted
    </Location>

    # Plugin configuration (see below for XXX, YYY, ZZZ and LONGRANDOMSTRING)
    OIDCProviderMetadataURL https://auth.dataporten.no/.well-known/openid-configuration
    OIDCClientID XXX
    OIDCClientSecret YYY
    OIDCRedirectURI ZZZ/oidc/
    OIDCCryptoPassphrase LONGRANDOMSTRING
    OIDCOAuthRemoteUserClaim "dataporten-userid_sec"
    OIDCScope "userid userid-feide openid"
Note the first location block, where two lines need to be added to what is already there. This locks down the entire site; we haven't found a way to do it any other way with this plugin.

The second location block just needs to be a URL that is not in use by anything else; the plugin uses it as its endpoint.

The third location block is the URL the plugin redirects to after logout.
The remaining location blocks are either public URLs (/doc, /about), parts of NAV that have their own authentication system (/api), or paths that must not be under the control of the plugin for the web frontend to function correctly (/refresh_session).
In the lines that configure the plugin, XXX and YYY are generated by Feide at its dashboard. ZZZ is the domain name of the NAV instance, suffixed with the plugin's magic endpoint URL. The entire URL needs to be registered at the Feide dashboard as a redirect URI under Basic info. Under Permissions, the scopes mentioned under OIDCScope must be accepted.

LONGRANDOMSTRING is a long, random string without whitespace that can be generated by any means.
webfront.conf:

    [remote-user]
    enabled = yes
    # Environment variable carrying the user id claim set by the plugin
    varname = HTTP_OIDC_CLAIM_DATAPORTEN_USERID_SEC
    logout-url = /oidc/?logout=
    workaround = feide-oidc
"oidc" in the logout-url is the same URL as the /oidc block in the Apache configuration and the redirect URI in the Feide dashboard.
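To check which request paths the Apache configuration above actually hands to mod_auth_openidc, the following added script (not part of NAV or this page) parses the Location blocks, applies Apache's matching rules for <Location> (prefix match on path segments, last matching section wins), and shows how the claim name from OIDCOAuthRemoteUserClaim becomes the varname used in webfront.conf. The embedded configuration is a constructed, shortened copy of the vhost above, and the CGI-style header-to-variable mapping is an assumption taken from the varname on this page.

```python
import re

# Constructed sample: a shortened copy of the vhost configuration above
# (the elided lines and most of the public locations are left out).
VHOST_CONF = """
<Location />
AuthType openid-connect
Require valid-user
</Location>
<Location /api>
AuthType None
Require all granted
</Location>
"""

def parse_locations(conf):
    """Return [(prefix, authtype)] for every <Location> block, in config order."""
    blocks = re.findall(r"<Location\s+(\S+)>(.*?)</Location>", conf, re.S)
    locations = []
    for prefix, body in blocks:
        match = re.search(r"^\s*AuthType\s+(\S+)", body, re.M)
        locations.append((prefix, match.group(1).lower() if match else None))
    return locations

def location_matches(prefix, path):
    """Apache's <Location /x> matches /x, /x/ and /x/anything, but not /xyz."""
    prefix = prefix.rstrip("/")
    return prefix == "" or path == prefix or path.startswith(prefix + "/")

def effective_authtype(locations, path):
    """Later <Location> sections override earlier ones, so the last match wins."""
    authtype = None
    for prefix, at in locations:
        if location_matches(prefix, path):
            authtype = at
    return authtype

def claim_env_var(claim):
    """CGI/WSGI variable name of the OIDC_CLAIM_<claim> header the plugin sets:
    HTTP_ prefix, upper case, '-' replaced by '_' (assumed from the varname above)."""
    return "HTTP_OIDC_CLAIM_" + claim.upper().replace("-", "_")

if __name__ == "__main__":
    locs = parse_locations(VHOST_CONF)
    for path in ("/", "/api/netmap", "/apiary"):
        print(path, "->", effective_authtype(locs, path))
    print(claim_env_var("dataporten-userid_sec"))
```

Note that /apiary is still protected even though /api is not: Location prefixes only match whole path segments, so a public block for /api does not accidentally expose neighbouring paths.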