Hans Zandbelt edited this page Jan 12, 2015 · 18 revisions

mod_auth_openidc can both authenticate and authorize users; this page describes the authorization part in more detail. There are basically two options for doing authorization based on the established user identity:

  1. Use the authorization functionality that mod_auth_openidc itself provides, which authorizes users based on the claims that the OpenID Connect provider supplied for that user.

  2. Use another Apache module that performs the authorization based on the user identity (REMOTE_USER) established by mod_auth_openidc.

### mod_auth_openidc

Using the functionality provided by mod_auth_openidc you can authorize users based on the claims that have been provided for that user. The following statement is used for that:

```apache
Require claim <expression>
```

If multiple `Require claim <expression>` statements are specified for a single path they are evaluated as a logical OR: access is granted as soon as any one of them matches. An example that uses exact matching of a claim value follows below:

```apache
Require claim sub:joe
```

This allows only the user that the configured provider identifies as `joe` in the `sub` claim. Additionally you can match claim values against regular expressions by using `Require claim <name>~<regex>` (note the `~` instead of the `:` between the claim name and the value), e.g.:

```apache
Require claim "name~\w+ Jones$"
```

This matches all users whose `name` claim ends in a word followed by `Jones`, which is roughly equivalent to `Require claim family_name:Jones`. Note that the pattern is anchored only at the end, so it also matches a value such as `Mary Smith Jones`; anchor it with `^` as well when the whole claim value must match. Also keep in mind that `name` is a display name that users can usually edit at the provider themselves, so prefer a provider-assigned claim such as `sub` when the decision matters.
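The following configuration is an added example, not taken from the mod_auth_openidc wiki or the project's own configuration files. It combines an exact `sub` match and an anchored regex on the `email` claim using Apache 2.4's `<RequireAll>` / `<RequireAny>` containers (which work with `Require claim` because mod_auth_openidc registers `claim` as a standard Apache 2.4 authorization provider). The `/admin/` path, the `example.com` domain and the `<sub_alice>` / `<sub_bob>` placeholders are assumptions for illustration; the `email` claim is only present when the `email` scope is requested.

```apache
# Added example; not part of the original page. Path, domain and sub values
# are placeholders. Requires Apache 2.4 for the RequireAll/RequireAny containers.
<Location /admin/>
  AuthType openid-connect

  # Group the checks explicitly instead of relying on the implicit OR between
  # several "Require claim" lines at the same level.
  <RequireAll>
    # Only accounts from the (assumed) corporate domain. The pattern is anchored
    # at both ends: without "^" and "$" a value such as
    # "attacker@example.com.evil.net" would still match.
    Require claim "email~^[^@]+@example\.com$"

    # ... AND one of the two (assumed) administrator subjects. Matching on the
    # provider-assigned "sub" claim is preferable to matching on a display name.
    <RequireAny>
      Require claim sub:<sub_alice>
      Require claim sub:<sub_bob>
    </RequireAny>
  </RequireAll>
</Location>
```

Without the outer `<RequireAll>`, the three `Require claim` lines would be OR'ed together and any account in the domain would be granted access to `/admin/`.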

### mod_authnz_ldap

As provided by Nishad Sankaranarayanan:

Please find below the solution to authenticate users via mod_auth_openidc and then authorize them accordingly via mod_authnz_ldap.

Apache version: 2.4. Attached below is the snippet from my httpd.conf for reference for any.... I leverage the email from the ID token and set it as REMOTE_USER via the OIDCRemoteUserClaim. The same attribute is leveraged by mod_authnz_ldap for querying. In the example below, the email is used to match the user, and then it looks for a group membership of the user to grant access.

You will be able to leverage all `Require <option>` directives available in mod_authnz_ldap to authorize the logged-in user. Also, it will be easy enough to leverage other authorization modules the same way as well.

```apache
OIDCProviderMetadataURL https://accounts.google.com/.well-known/openid-configuration
OIDCClientID <client_id>
OIDCClientSecret <client_secret>
# The redirect URI must itself be inside a Location protected by AuthType openid-connect.
OIDCRedirectURI http://<hostname>/example/redirect_uri
# The "email" scope is needed for the email claim used as REMOTE_USER below.
OIDCScope "openid email profile"

# Set REMOTE_USER to the email address. This is the value that mod_authnz_ldap
# uses as the first parameter after the base DN; in the example below,
# REMOTE_USER = email = the "mail" attribute in LDAP.
OIDCRemoteUserClaim email

<Location /example2/>
  AuthType openid-connect
  # Look up the user by matching REMOTE_USER against the "mail" attribute.
  AuthLDAPURL "ldap://<hostname>/ou=people,dc=<hostname>,dc=com?mail?sub?(objectClass=*)"
  # Group entries list their members' DNs in the "member" attribute.
  AuthLDAPGroupAttribute member
  Require ldap-group cn=myTestAccesss,ou=Groups,dc=<hostname>,dc=com
</Location>
```