Difference between revisions of "Mod auth openidc"
From TMM Wiki
Jump to navigationJump to search| Line 8: | Line 8: | ||
== Member Area Configuration == | == Member Area Configuration == | ||
* You will need to make a vanity script inside your members area. This should be a completely blank script that servers no content. It is only needed for the inner works of the mod_auth_openidc apache module. The only requirement is that this script must be protected by the mod_auth_openidc apache module using either the <Directory> or the <Files> directives. | * You will need to make a vanity script inside your members area. This should be a completely blank script that servers no content. It is only needed for the inner works of the mod_auth_openidc apache module. The only requirement is that this script must be protected by the mod_auth_openidc apache module using either the <Directory> or the <Files> directives. | ||
| − | + | * You can optionally make an error template and an unauthorized page so that you have better control of what your members see in case of errors. This will allow you to control the look and feel of those pages as well as provide members with help (like links back to the login page). | |
== Apache Configuration == | == Apache Configuration == | ||
| Line 39: | Line 39: | ||
OIDCHTMLErrorTemplate /home/boris/openidclient/includes/error.php | OIDCHTMLErrorTemplate /home/boris/openidclient/includes/error.php | ||
ErrorDocument 401 /unauthorized.php | ErrorDocument 401 /unauthorized.php | ||
| + | </pre> | ||
| + | |||
| + | |||
| + | == Sample Scripts == | ||
| + | vanity page (not a typo, it should be blank) | ||
| + | <pre> | ||
| + | </pre> | ||
| + | |||
| + | unauthorized page | ||
| + | <pre> | ||
| + | You are not allowed to view this page, please try logging in<br><br> | ||
| + | <a href="<url of your members area>">Log In</a> | ||
| + | </pre> | ||
| + | |||
| + | error page | ||
| + | <pre> | ||
| + | there was an error<br> | ||
| + | message: %s<br> | ||
| + | description: %s<br><br> | ||
| + | <a href="<url of your members area>">Try Again</a> | ||
</pre> | </pre> | ||
Revision as of 21:25, 1 August 2018
Apache module mod_auth_openidc allows you to authenticate members using NATS as the OpenID Connect server
Installing mod_auth_openidc
Please ask your host to install the mod_auth_openidc apache module on your member area server(s) if not already installed. Here is a link to their releases. It would be best if they can use one of the install packages. If not, they can compile it from source. NATS OpenID Connect server supports mod_auth_openidc starting from version 2.2.0.
Member Area Configuration
- You will need to make a vanity script inside your members area. This should be a completely blank script that servers no content. It is only needed for the inner works of the mod_auth_openidc apache module. The only requirement is that this script must be protected by the mod_auth_openidc apache module using either the <Directory> or the <Files> directives.
- You can optionally make an error template and an unauthorized page so that you have better control of what your members see in case of errors. This will allow you to control the look and feel of those pages as well as provide members with help (like links back to the login page).
Apache Configuration
Documentation for all available apache settings is here
Example Virtual Host Settings
Here is an example extract from an apache virtual host for a members area
<Directory /path/to/the/members/section> AuthType openid-connect Require valid-user </Directory> OIDCProviderMetadataURL <your OpenID Connect domain and protocol>/.well-known/member-openid-configuration OIDCClientID <NATS Site ID or a comma separated list of NATS Site IDs> OIDCClientSecret <value of the NATS MEMBER_OPENID_CLIENT_SECRET configuration option> OIDCScope openid OIDCRedirectURI http://openidclient.com/openid_return.php OIDCCryptoPassphrase cryptoPass OIDCSSLValidateServer Off OIDCSessionInactivityTimeout 30 OIDCSessionMaxDuration 0 OIDCRemoteUserClaim username OIDCUserInfoRefreshInterval 0 OIDCUserInfoSignedResponseAlg RS256 OIDCTokenBindingPolicy disabled OIDCHTMLErrorTemplate /home/boris/openidclient/includes/error.php ErrorDocument 401 /unauthorized.php
Sample Scripts
vanity page (not a typo, it should be blank)
unauthorized page
You are not allowed to view this page, please try logging in<br><br> <a href="<url of your members area>">Log In</a>
error page
there was an error<br> message: %s<br> description: %s<br><br> <a href="<url of your members area>">Try Again</a>
