Authorization
mod_auth_openidc can authenticate and authorize users. The authorization part is described in more detail here. There are two basic options for doing authorization based on the established user identity:

- Use the functions that mod_auth_openidc itself provides to authorize users based on the claims that the OpenID Connect provider has provided for that user.
- Use another Apache module that performs the authorization based on the user identity (`REMOTE_USER`) that mod_auth_openidc has established.
### mod_auth_openidc

Using the functionality provided by mod_auth_openidc you can authorize users based on the claims that have been provided for that user. The following statement can be used to do that:

```apache
Require claim <expression>
```

where `<expression>` has the form `<claim-name>:<claim-value>`. If multiple `Require claim <expression>` statements are specified for a single path they are evaluated as a logical OR: access is granted as soon as any one of them matches. An example that uses exact matching of a claim value follows below:

```apache
Require claim sub:joe
```

This allows only the user identified by the configured provider as `joe`, using the `sub` claim.

Additionally you can match claim values against regular expressions by using `Require claim <claim-name>~<regex>` (note the `~` instead of the `:` between the claim name and the value), e.g.:

```apache
Require claim "name~\w+ Jones$"
```

This matches all users with last name Jones and a single first name, which is roughly equivalent to `Require claim family_name:Jones`.
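The following configuration is an added example, not code from the mod_auth_openidc project or from this page's author; the paths (`/app/`, `/app/admin/`), the claim names `groups` and `email` and the values shown are assumptions about what the provider returns. It goes one step beyond the text: besides the OR semantics of stacked `Require claim` lines it shows how to get AND and NOT semantics by wrapping them in the `<RequireAll>` and `<RequireNone>` containers of Apache 2.4's mod_authz_core, which accept `Require claim` like any other authorization provider.

```apache
# Added example (not from the mod_auth_openidc project); paths, claim
# names and claim values are assumptions.

# Stacked Require lines are evaluated as a logical OR: either "joe" or
# "alice", matched exactly on the sub claim, is allowed in.
<Location /app/>
    AuthType openid-connect
    Require claim sub:joe
    Require claim sub:alice
</Location>

# For AND / NOT semantics use the mod_authz_core containers (Apache 2.4).
# Access to /app/admin/ requires ALL of:
#   - a groups claim containing "admin" (an array-valued claim matches
#     when any of its elements matches), AND
#   - an email claim under example.com, matched with a regex that is
#     anchored at both ends (the ~ separator selects regex matching), AND
#   - NOT the guest account.
<Location /app/admin/>
    AuthType openid-connect
    <RequireAll>
        Require claim groups:admin
        Require claim "email~^[^@]+@example\.com$"
        <RequireNone>
            Require claim sub:guest
        </RequireNone>
    </RequireAll>
</Location>
```

Anchor regular expressions with `^` and `$` when the intent is a whole-value match; the page's own `\w+ Jones$` is anchored only at the end, which is why it is described as merely "roughly equivalent" to the exact `family_name:Jones` match. Only claims that the provider actually returns (in the ID token or the UserInfo response) can be matched, so check the provider's scope and claim configuration before relying on a claim such as `groups`.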
### mod_authnz_ldap

As provided by Nishad Sankaranarayanan:

Authenticate users via mod_auth_openidc and then authorize them via mod_authnz_ldap.

Using the `OIDCRemoteUserClaim` parameter in the httpd.conf configuration, the value of the selected claim is set as the `REMOTE_USER` variable, i.e. the authenticated user name that Apache makes available to other modules. This `REMOTE_USER` is then leveraged by mod_authnz_ldap to perform the LDAP queries that identify the user.

In the example below, the `email` claim is used as the `REMOTE_USER` value. That value is used to find the user in LDAP, and `Require ldap-group` is then used to validate the group membership of the user before access is granted.

You will be able to leverage all `Require <options>` available in mod_authnz_ldap to authorize the logged-in user.
```apache
OIDCProviderMetadataURL https://accounts.google.com/.well-known/openid-configuration
OIDCClientID <client_id>
OIDCClientSecret <client_secret>
# The redirect URI must lie inside the protected <Location> below. Use https
# in production so the authorization code and session cookie are not sent in clear.
OIDCRedirectURI http://<hostname>/example/redirect_uri
OIDCScope "openid email profile"

# Set REMOTE_USER to the email address.
# This is the value that mod_authnz_ldap looks up with the attribute named
# right after the base DN in AuthLDAPURL.
# In the example below, REMOTE_USER = email claim = mail attribute in LDAP.
OIDCRemoteUserClaim email

<Location /example/>
    AuthType openid-connect
    # AuthLDAPURL format: ldap://host/basedn?attribute?scope?filter
    # The user entry is located by matching REMOTE_USER against "mail".
    # Prefer ldaps:// (or STARTTLS via LDAPTrustedMode) so the lookup is not in clear.
    AuthLDAPURL "ldap://<hostname>/ou=people,dc=<hostname>,dc=com?mail?sub?(objectClass=*)"
    # Group membership is checked against the "member" attribute of the group entry.
    AuthLDAPGroupAttribute member
    Require ldap-group cn=myTestAccesss,ou=Groups,dc=<hostname>,dc=com
</Location>
```