Authenticating with the Apache module mod_auth_openidc and Feide
Enabling the plugin on Debian
First check if the plugin is already installed and enabled:
$ sudo apache2ctl -M | grep openid
auth_openidc_module (shared)
If it is, go straight to `Configuration`_.
If not:
Install the plugin:
$ sudo apt install libapache2-mod-auth-openidc
This should create the following files:
/etc/apache2/mods-available/auth_openidc.conf
/etc/apache2/mods-available/auth_openidc.load
/etc/apache2/mods-enabled/auth_openidc.conf
/etc/apache2/mods-enabled/auth_openidc.load
Enable with:
$ sudo a2enmod auth_openidc
Disable with:
$ sudo a2dismod auth_openidc
Feide Kundeportal configuration
You will need to ask somebody with the correct access rights in Feide kundeportal for your organization to create an OpenID Connect configuration. Configurations are locked to a specific NAV domain name and user group and cannot be shared. If the domain name changes, both the Feide configuration and the Apache2 configuration will need to be updated.
The Feide admin will need:
A name for the configuration; we recommend “NAV: domainname” or “NAV: your organization”.
A URL to redirect to after login: the domain name followed by a relative URL that is not served by NAV. We use /oidc in this howto.
Also, the userid-feide scope needs to be turned on under User information > Personal information.
Apache2 Configuration
Apache virtual host configuration:
<Location />
.
.
AuthType openid-connect
Require valid-user
</Location>
<Location /oidc>
SetHandler none
AuthType openid-connect
Require valid-user
</Location>
<Location /index/logout>
AuthType None
Require all granted
</Location>
<Location /about>
AuthType None
Require all granted
</Location>
<Location /refresh_session>
AuthType None
Require all granted
</Location>
<Location /api>
AuthType None
Require all granted
</Location>
<Location /doc>
AuthType None
Require all granted
</Location>
OIDCProviderMetadataURL https://auth.dataporten.no/.well-known/openid-configuration
OIDCClientID SOME-UUID
OIDCClientSecret SOME-OTHER-UUID
OIDCRedirectURI https://DOMAINNAME/oidc/
OIDCCryptoPassphrase LONGRANDOMSTRING
OIDCRemoteUserClaim https://n.feide.no/claims/eduPersonPrincipalName
OIDCScope "openid userid-feide"
Note the location block <Location />. Its Require line replaces any other Require lines already there and locks down the entire site; Require valid-user accepts every account that Feide lets through for this configuration, so the user group chosen in Feide kundeportal is what limits who can log in. We haven’t found a way with this plugin to do it any other way.
The second location block (<Location /oidc>) just needs to be a relative URL that is not in use by anything else; the plugin uses it as its own endpoint, and SetHandler none keeps the NAV application handler from claiming that path.
The third location block (<Location /index/logout>) is the URL the plugin redirects to after logout.
The remaining location blocks are either public URLs (/doc, /about), parts of NAV that have their own authentication system (/api), or paths that must not be under the control of the plugin for the web frontend to function correctly (/refresh_session). If you have added extra pages or apps to the NAV server that will not use the NAV auth system, you need to mark their URLs similarly.
OIDCClientID needs to be set to the fixed, generated client ID, while OIDCClientSecret needs to be set to the (changeable) client secret. Both are found in Feide Kundeportal. Since the secret lives in the vhost file, that file should be readable only by root.
OIDCRedirectURI is the domain name of the NAV instance as a URI, suffixed with the plugin’s endpoint URL, in this case /oidc/. This URL needs to be registered at the Feide dashboard as a redirect URI under Redirect URI after login, and the two must match exactly, including the trailing slash.
OIDCCryptoPassphrase is the passphrase the plugin uses to encrypt its state and session cookies; use a long random string and keep it secret.
OIDCRemoteUserClaim selects which claim from the ID token is used as the username (REMOTE_USER). The exact claim name may change.
OIDCScope must at minimum contain "openid userid-feide"; remember the quotes, since the value contains a space.
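As an added example (not part of this howto, of NAV or of mod_auth_openidc), the POSIX shell script below pre-flight checks a vhost file before Apache is reloaded: it verifies that every OIDC* directive listed above is present, that the template placeholders from this page have been replaced, that OIDCScope carries both scopes, that the provider metadata URL and the redirect URI use https, that the redirect path has its own <Location> block, and that the file holding OIDCClientSecret is not world-readable. It also generates a value suitable for OIDCCryptoPassphrase. The file name /etc/apache2/sites-available/nav.conf in the usage line is an assumption; the checks assume the directives and the <Location> blocks are in the same file.

```shell
#!/bin/sh
# Pre-flight check for the mod_auth_openidc vhost fragment from this howto.
# Added example; not part of NAV or mod_auth_openidc. Assumes the OIDC*
# directives and the <Location> blocks live in one file (hypothetical path:
# /etc/apache2/sites-available/nav.conf).

# Generate a value for OIDCCryptoPassphrase: 48 random bytes, base64 (64 chars).
gen_crypto_passphrase() {
    head -c 48 /dev/urandom | base64 | tr -d '\n'
}

# Print the value of the first matching directive, without surrounding quotes.
# $1 = config file, $2 = directive name (matched case-insensitively, as Apache does).
directive_value() {
    awk -v d="$2" '
        { sub(/^[ \t]+/, "") }
        tolower($1) == tolower(d) {
            sub(/^[^ \t]+[ \t]+/, ""); gsub(/"/, ""); print; exit
        }' "$1"
}

# Record one finding (printed to stdout) and count it.
fail() { echo "$1"; errors=$((errors + 1)); }

# Check one config file. Prints one line per finding; returns 0 only if there are none.
check_oidc_config() {
    f="$1"; errors=0

    # Every directive from the howto must be present.
    for d in OIDCProviderMetadataURL OIDCClientID OIDCClientSecret OIDCRedirectURI \
             OIDCCryptoPassphrase OIDCRemoteUserClaim OIDCScope; do
        [ -n "$(directive_value "$f" "$d")" ] || fail "MISSING: $d"
    done

    # The placeholders from the howto's sample config must have been replaced.
    grep -Eq 'SOME-UUID|SOME-OTHER-UUID|DOMAINNAME|LONGRANDOMSTRING' "$f" \
        && fail "PLACEHOLDER: template values still present"

    # The passphrase protects the state and session cookies; insist on some length.
    pp=$(directive_value "$f" OIDCCryptoPassphrase)
    [ -n "$pp" ] && [ "${#pp}" -lt 32 ] \
        && fail "WEAK: OIDCCryptoPassphrase shorter than 32 characters"

    # Both scopes are required, or the username claim will not be released.
    scope=$(directive_value "$f" OIDCScope)
    for s in openid userid-feide; do
        case " $scope " in *" $s "*) ;; *) fail "SCOPE: missing $s" ;; esac
    done

    # Provider metadata must be fetched, and the redirect served, over TLS.
    case "$(directive_value "$f" OIDCProviderMetadataURL)" in
        https://*|"") ;; *) fail "PROVIDER: OIDCProviderMetadataURL must use https" ;;
    esac
    uri=$(directive_value "$f" OIDCRedirectURI)
    case "$uri" in
        https://*|"") ;; *) fail "REDIRECT: OIDCRedirectURI must use https" ;;
    esac

    # The redirect URI's path needs its own <Location> block so the module owns it.
    path=$(printf '%s' "$uri" | sed -E 's#^https?://[^/]+##; s#/$##')
    if [ -n "$path" ] && ! grep -Eq "^[[:space:]]*<Location[[:space:]]+${path}/?>" "$f"; then
        fail "REDIRECT: no <Location $path> block for the redirect URI"
    fi

    # The file holds OIDCClientSecret and the passphrase: it must not be world-readable.
    case "$(ls -ld "$f")" in ???????r*) fail "PERMS: $f is world-readable" ;; esac

    [ "$errors" -eq 0 ]
}

# Usage: sh check_oidc.sh /etc/apache2/sites-available/nav.conf
if [ "$#" -gt 0 ]; then
    check_oidc_config "$1"
fi
```

Run it against the vhost file, fix every line it prints, then follow up with apache2ctl configtest before reloading Apache; the script only reads the file and never changes it.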
Gotchas
When this is in use, local users like “admin” will no longer be able to log in. Therefore, either:
- before enabling the plugin, create a user that will log in via OIDC and make that user an admin, or
- after enabling the plugin, make a user an admin via the CLI user script, navuser.