Authenticating with the apache plugin mod_auth_openidc and Feide¶
Enabling the plugin on Debian¶
First check if the plugin is already installed and enabled:
$ sudo apache2ctl -M | grep openid auth_openidc_module (shared)
If it is, go straight to `Configuration`_.
Install the plugin:
$ sudo apt install libapache2-mod-auth-openidc
This should create the following files:
/etc/apache2/mods-available/auth_openidc.conf /etc/apache2/mods-available/auth_openidc.load /etc/apache2/mods-enabled/auth_openidc.conf /etc/apache2/mods-enabled/auth_openidc.load
$ sudo a2enmod auth_openidc
$ sudo a2dismod auth_openidc
Feide Kundeportal configuration¶
You will need to ask somebody with the correct access-rights at Feide kundeportal for your organization to create an OpenID Connect-configuration. Configurations are locked to a specific NAV domain name and user group and cannot be shared. If the domainname is updated the Feide and Apache2-configurations will need to be updated as well.
The Feide admin will need:
A name for configuration, we recommend: “NAV: domainname” or “NAV: your organization”.
An url to redirect to after login, this is the domainname followed by a relative url that is not served by NAV. We use
/oidcin this howto.
userid-feide scope needs to be turned on at
User information > Personal information.
Apache virtual host configuration:
<Location /> . . AuthType openid-connect Require valid-user </Location> <Location /oidc> SetHandler none AuthType openid-connect Require valid-user </Location> <Location /index/logout> AuthType None Require all granted </Location> <Location /about> AuthType None Require all granted </Location> <Location /refresh_session> AuthType None Require all granted </Location> <Location /api> AuthType None Require all granted </Location> <Location /doc> AuthType None Require all granted </Location> OIDCProviderMetadataURL https://auth.dataporten.no/.well-known/openid-configuration OIDCClientID SOME-UUID OIDCClientSecret SOME-OTHER-UUID OIDCRedirectURI https://DOMAINNAME/oidc/ OIDCCryptoPassphrase LONGRANDOMSTRING OIDCRemoteUserClaim https://n.feide.no/claims/eduPersonPrincipalName OIDCScope "openid userid-feide"
Note the location block
<Location />. The “Require”-line replaces any other
“requires” already there. This locks down the entire site. We haven’t found
a way with this plugin to do it any other way.
The second location block (
<Location /oidc>) just needs to be a relative
url that is not in use by anything else, this is used by the plugin as its
The third location block (
<Location /index/logout>) is the url the plugin
redirects to after logout.
The remaining location blocks are either public urls (
parts of NAV that has its own authentication system (
/api), or must not be
under the control of the plugin for the web frontend to correctly function
/refresh_session). If you have added extra pages or apps to the nav-server
that will not use the NAV auth system you need to mark their urls similarly.
`OIDCClientID needs to be set to the fixed generated client id, while
OIDCClientSecret needs to be set to the changeable
client secret. Both
are to be found in Feide Kundeportal.
OIDCRedirectURI is the domain name of the NAV instance as a URI, suffixed
with the plugin’s magic endpoint url, in this case
/oidc/. This url needs
to be registered at the Feide dashboard as a redirect URI under
Redirect URI after login.
OIDCCryptoPassphrase is used as a seed and should be kept secret.
OIDCOAuthRemoteUserClaim is what information will be used as the username.
The exact claim may change.
OIDCScope must at minimum contain
"openid userid-feide", remember the
When this is in use, local users like “admin” will no longer be available. Therefore, either:
before enabling the plugin create a user that will use OIDC to login then set that user as admin
after enabling the plugin set a user as admin via the CLI user script,