Mod auth openidc

From TMM Wiki
Latest revision as of 19:28, 17 August 2023

To use this, you need to set up NATS as an OpenID Connect Server (OP) first.
The Apache module mod_auth_openidc (https://github.com/zmartzone/mod_auth_openidc) then acts as the Relying Party: it authenticates members against NATS, the OpenID Connect Server (OP), and hands the resulting claims to your members area.

Installing mod_auth_openidc

Ask your host or server admin to install the mod_auth_openidc Apache module on your member area server(s) if it is not already installed. A distribution package or one of the project's release packages (https://github.com/zmartzone/mod_auth_openidc/releases) is preferable to compiling from source, and it should be a current release: the module performs the token and signature validation for your whole members area, so its security fixes matter. The NATS OpenID Connect Server (OP) implementation supports mod_auth_openidc versions >= 2.2.0.

Member Area Configuration

  • You will need to create a vanity script inside your members area. This is a completely blank script that serves no content: mod_auth_openidc uses its URL as the OIDCRedirectURI and handles every request to it itself (the authorization response from NATS, the ?refresh= and ?logout= calls), so the script body is never executed. The only requirement is that the script's path is protected by mod_auth_openidc through a <Directory> or <Files> directive; if it is not, the module never sees the callback and the login cannot complete.
  • You can optionally create an error template and an unauthorized page so that you control what your members see when an error occurs. This lets you control the look and feel of those pages and offer members help (such as links back to the login page).
  • You might need to update the link to your members area. It must point to a script protected by the <Directory> or <Files> directives other than the vanity script: a link to the vanity script itself sends the member to the callback URL instead of to content.

Apache Configuration

Documentation for all available Apache settings is in the module's annotated auth_openidc.conf: https://github.com/zmartzone/mod_auth_openidc/blob/master/auth_openidc.conf. You can protect directories or individual files using the <Directory> or <Files> directives. Here is an example:

<Directory /path/to/the/members/section>
  AuthType openid-connect
  Require valid-user
</Directory>

If you configure NATS to sign the reply from the userinfo endpoint (recommended), you will need to add this to your Apache virtual host configuration so that the module expects an RS256-signed JWT and verifies the signature against the OP's published keys instead of accepting plain JSON. The two sides must agree: with this set, an unsigned JSON reply is rejected.

OIDCUserInfoSignedResponseAlg RS256

If you do not have an SSL certificate for the login page and/or your members area (not recommended), you will need to add this to your Apache virtual host configuration. It turns off certificate validation for the module's own connections to NATS (the token and userinfo endpoints), so the client secret and the tokens travel over a connection that anyone on the path can intercept; use it only in a test environment:

OIDCSSLValidateServer Off

If you choose to set up an error template, you will need to add this to your Apache virtual host configuration. The template is an HTML file containing two %s placeholders, which the module fills with the error message and its description, in that order:

OIDCHTMLErrorTemplate <path/to/your/apache/error/template>

If you choose to set up an unauthorized page, you will need to add this to your apache virtual host configuration:

ErrorDocument 401 <full or relative url to your unauthorized page>

To renew the access token before it expires, your members area can send the member to this URL on the vanity script. The access_token parameter must carry the token currently held in the module's session (exposed to your code as $_SERVER['OIDC_access_token']); the module refuses the refresh if it does not match, which prevents a third-party page from triggering a refresh against a member's session. URL-encode both parameters when you build the link (rawurlencode in PHP), since a redirect URL containing & or = would otherwise break the query string:

<full or relative url of your vanity script>?refresh=<url of the page in the members area to redirect to on success>&access_token=<?=$_SERVER['OIDC_access_token']?>

If your members area needs access to the refresh token (not recommended: a refresh token is a long-lived credential that can mint new access tokens, so exposing it to application code widens the impact of any bug in that code), you will need to add this to your Apache virtual host configuration:

OIDCPassRefreshToken On

If the server running mod_auth_openidc (your members area) sits behind a load balancer or reverse proxy, you will need the following setting so that the module rebuilds its external URLs, including the redirect URI, from the proxy's forwarded headers rather than from the internal hostname. The accepted header names are X-Forwarded-Host, X-Forwarded-Port, X-Forwarded-Proto and Forwarded. Only list headers that the proxy itself sets and overwrites on every request; a header a client can supply unchanged lets the client choose the host the module trusts.

OIDCXForwardedHeaders <header> <another header (if needed)> <another header (if needed)>

Claims

mod_auth_openidc sets every claim received from the ID token and the userinfo endpoint as a request environment variable named OIDC_CLAIM_<claim>, which PHP exposes in the $_SERVER superglobal. For example, if you enable the MEMBER_OPENID_BASE_INFO configuration option in your NATS install, the trial flag value is part of the userinfo response and is available to your code as $_SERVER['OIDC_CLAIM_trial']. Please refer to the OpenID Connect setup article for the available claims.

Please note that the member's username is available in both of the following variables (the second because the example configuration sets OIDCRemoteUserClaim username):

$_SERVER['OIDC_CLAIM_username']
$_SERVER['REMOTE_USER']

When protecting your members area, you can also authorize on the value of a claim. Here is an example that admits only members whose trial flag is 0:

<Directory /path/to/the/full/members/section>
  AuthType openid-connect
  Require claim trial:0
</Directory>

Example Virtual Host Settings

Here is an example extract from an apache virtual host for a members area:

<Directory /path/to/the/members/section>
  AuthType openid-connect
  Require valid-user
</Directory>

OIDCProviderMetadataURL <your NATS domain and protocol (preferably https)>/.well-known/member-openid-configuration
OIDCClientID <NATS Site ID or a comma separated list of NATS Site IDs>
OIDCClientSecret <value of the NATS MEMBER_OPENID_CLIENT_SECRET configuration option>
OIDCScope openid
OIDCRedirectURI <url of your vanity script>
OIDCCryptoPassphrase <a long random secret, generated for this purpose only, that encrypts cookie and cache data; it must be identical on every server that serves the same members area>
OIDCSessionInactivityTimeout <period of inactivity (in seconds) before the member is logged out>
OIDCSessionMaxDuration <length of time (in seconds) before the member is logged out regardless of activity and of the remaining lifetime of the access and refresh tokens>
OIDCRemoteUserClaim username
OIDCUserInfoRefreshInterval <length of time (in seconds) between calls to the userinfo endpoint>
OIDCTokenBindingPolicy disabled
OIDCRefreshAccessTokenBeforeExpiry <length of time (in seconds) before the current access token expires to use the refresh token to obtain a new access token> logout_on_error

Sample Scripts

vanity page (not a typo, it should be blank)


unauthorized page

You are not allowed to view this page, please try logging in<br><br>
<a href="<url of your members area>">Log In</a>

error template

there was an error<br>
message: %s<br>
description: %s<br><br>
<a href="<url of your members area>">Try Again</a>

logout button for the members area. The module ends the local session and then redirects to the given URL; keep that target on your own site (newer releases can also restrict acceptable targets with OIDCRedirectURLsAllowed) so the logout link cannot be turned into an open redirect:

<full or relative url of your vanity script>?logout=<url of the page to redirect the logged out member to>
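The following members-area page pulls the Claims, refresh and logout pieces above together: it fails closed when the module is not in front of the script, reads the OIDC_CLAIM_* values, gates the full area on the trial flag, and builds the refresh and logout links with proper encoding and a same-site check on the return target. It is an added example, not code from the TMM Wiki page or from the NATS or mod_auth_openidc projects. The paths /members/oidc-callback.php (the vanity script and OIDCRedirectURI), /members/index.php, /members/full/ and /login.php are assumptions, and the page assumes the virtual host settings above (OIDCRemoteUserClaim username and the default OIDCPassClaimsAs, which populates the request environment) so that OIDC_CLAIM_* and OIDC_access_token appear in $_SERVER.

```php
<?php
// members/index.php: added example (not from the TMM Wiki page, NATS or mod_auth_openidc).
// Assumed paths: the vanity script /members/oidc-callback.php is the OIDCRedirectURI,
// this page lives at /members/index.php, /members/full/ is the non-trial area and
// /login.php is the public login page.
declare(strict_types=1);

const VANITY_SCRIPT = '/members/oidc-callback.php';
const MEMBERS_HOME  = '/members/index.php';
const FULL_AREA     = '/members/full/';
const LOGGED_OUT_TO = '/login.php';

/** Fail closed: if mod_auth_openidc did not protect this request, REMOTE_USER is empty. */
function currentMember(array $server): string
{
    $user  = $server['REMOTE_USER'] ?? '';
    $claim = $server['OIDC_CLAIM_username'] ?? '';
    // "OIDCRemoteUserClaim username" derives REMOTE_USER from the same claim, so the two
    // must agree; a blank or mismatching value means the module is not in front of this script.
    if ($user === '' || $user !== $claim) {
        http_response_code(401);
        exit('Not authenticated');
    }
    return $user;
}

/** Collect every OIDC_CLAIM_<name> environment variable into an array keyed by claim name. */
function oidcClaims(array $server): array
{
    $claims = [];
    foreach ($server as $key => $value) {
        if (is_string($key) && strncmp($key, 'OIDC_CLAIM_', 11) === 0) {
            $claims[substr($key, 11)] = (string) $value;
        }
    }
    return $claims;
}

/** The trial claim arrives as the string "0" or "1"; when it is missing, assume trial (least privilege). */
function isTrialMember(array $claims): bool
{
    return ($claims['trial'] ?? '1') !== '0';
}

/** Accept only path-absolute targets on this host, so the refresh/logout links cannot redirect off-site. */
function sameSitePath(string $path): string
{
    // Rejects "//evil.example" and "/\evil.example", which browsers treat as other hosts.
    if (!preg_match('#^/(?![/\\\\])\S*$#', $path)) {
        throw new InvalidArgumentException('redirect target must be a path on this host');
    }
    return $path;
}

/** Build <vanity script>?refresh=<return url>&access_token=<current token> with proper encoding. */
function refreshUrl(array $server, string $returnTo): string
{
    return VANITY_SCRIPT . '?' . http_build_query([
        'refresh'      => sameSitePath($returnTo),
        'access_token' => $server['OIDC_access_token'] ?? '', // must equal the token in the module's session
    ]);
}

/** Build <vanity script>?logout=<url to send the logged-out member to>. */
function logoutUrl(string $redirectTo): string
{
    return VANITY_SCRIPT . '?' . http_build_query(['logout' => sameSitePath($redirectTo)]);
}

/** HTML-escape everything we print, including claim values that came from the OP. */
function esc(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

$username = currentMember($_SERVER);
$claims   = oidcClaims($_SERVER);
?>
<!doctype html>
<p>Welcome, <?= esc($username) ?>.</p>
<?php if (isTrialMember($claims)): ?>
<p>You are on a trial membership, so the full members area is not shown.</p>
<?php else: ?>
<p><a href="<?= esc(FULL_AREA) ?>">Enter the full members area</a></p>
<?php endif; ?>
<p><a href="<?= esc(refreshUrl($_SERVER, MEMBERS_HOME)) ?>">Renew session</a>
   <a href="<?= esc(logoutUrl(LOGGED_OUT_TO)) ?>">Log out</a></p>
```

Because the module sets the claims as request environment variables, nothing the browser sends can overwrite them: a client header named OIDC_CLAIM_trial shows up in PHP as HTTP_OIDC_CLAIM_TRIAL, not as OIDC_CLAIM_trial. The check in currentMember() covers the other failure mode, a <Directory> or <Files> block that does not actually cover this script, in which case PHP would otherwise run with no member identity at all.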

Additional Resources

  • mod_auth_openidc releases: https://github.com/zmartzone/mod_auth_openidc/releases
  • mod_auth_openidc wiki: https://github.com/zmartzone/mod_auth_openidc/wiki
  • mod_auth_openidc source code: https://github.com/zmartzone/mod_auth_openidc
  • Setting up NATS as an OpenID Connect Server (OP): the OpenID Connect article on this wiki