Multiple Providers
Sample configuration for multiple OpenID Connect providers, which triggers OpenID Connect Discovery first to find the user's OP. OIDCMetadataDir points to a directory that contains files with per-provider configuration data.

```apache
OIDCMetadataDir <somewhere-writable-for-the-apache-process>/metadata
OIDCRedirectURI https://www.example.com/example/redirect_uri/
OIDCCryptoPassphrase <password>

<Location /example/>
   AuthType openid-connect
   Require valid-user
</Location>
```

For each provider, there are 3 types of files in the directory:
- `<urlencoded-issuer-value-with-https-prefix-and-trailing-slash-stripped>.provider` contains (standardized) OpenID Connect Discovery OP JSON metadata; the name of each file is the URL-encoded issuer name of the OP that is described by the metadata in that file.
- `<urlencoded-issuer-value-with-https-prefix-and-trailing-slash-stripped>.client` contains statically configured or dynamically registered Dynamic Client Registration specific JSON metadata (based on the OpenID Connect Client Registration specification); the filename is the URL-encoded issuer name of the OP that this client is registered with. Sample client metadata for issuer https://localhost:9031, so the client metadata filename is localhost%3A9031.client:

  ```json
  { "client_id" : "ac_oic_client", "client_secret" : "abc123DEFghijklmnop4567rstuvwxyzZYXWUT8910SRQPOnmlijhoauthplaygroundapplication" }
  ```

- `<urlencoded-issuer-value-with-https-prefix-and-trailing-slash-stripped>.conf` contains mod_auth_openidc specific custom JSON metadata that can be used to overrule some of the settings defined in auth_openidc.conf on a per-client basis. The filename is the URL-encoded issuer name of the OP that this client is registered with.
The .conf file is used to configure OP specific behavior that overrules generic configuration primitives.
Entries that can be included in the .conf file are:
- `ssl_validate_server` overrides `OIDCSSLValidateServer` (value 0 or 1, On/Off or boolean).
- `scope` overrides `OIDCScope`.
- `response_type` overrides `OIDCResponseType`.
- `response_mode` overrides `OIDCResponseMode`.
- `pkce_method` overrides `OIDCPKCEMethod`.
- `client_name` overrides `OIDCClientName`.
- `client_contact` overrides `OIDCClientContact`.
- `idtoken_iat_slack` overrides `OIDCIDTokenIatSlack`.
- `session_max_duration` overrides `OIDCSessionMaxDuration`.
- `jwks_refresh_interval` overrides `OIDCJWKSRefreshInterval`.
- `client_jwks_uri` overrides `OIDCClientJwksUri`.
- `id_token_signed_response_alg` overrides `OIDCIDTokenSignedResponseAlg`.
- `id_token_encrypted_response_alg` overrides `OIDCIDTokenEncryptedResponseAlg`.
- `id_token_encrypted_response_enc` overrides `OIDCIDTokenEncryptedResponseEnc`.
- `userinfo_signed_response_alg` overrides `OIDCUserInfoSignedResponseAlg`.
- `userinfo_encrypted_response_alg` overrides `OIDCUserInfoEncryptedResponseAlg`.
- `userinfo_encrypted_response_enc` overrides `OIDCUserInfoEncryptedResponseEnc`.
- `auth_request_params` overrides `OIDCAuthRequestParams`.
- `token_endpoint_params` overrides `OIDCProviderTokenEndpointParams`.
- `token_endpoint_auth` overrides `OIDCProviderTokenEndpointAuth`.
- `registration_endpoint_json` overrides `OIDCProviderRegistrationEndpointJson`.
- `userinfo_refresh_interval` overrides `OIDCUserInfoRefreshInterval`.
- `userinfo_token_method` overrides `OIDCUserInfoTokenMethod`.
- `request_object` overrides `OIDCRequestObject`.
- `auth_request_method` overrides `OIDCProviderAuthRequestMethod`.
- `registration_token` (only in multi-provider setups): an access_token that will be used on client registration calls for the associated OP.
- `response_require_iss` (only in multi-provider setups): indicates whether the Provider is required to add an "iss" parameter to the Authentication Response to mitigate the IDP mixup attack (boolean) [since version 2.4.15.x].
- `keys` (only in multi-provider setups, since version 2.4.0): a set of JWKs that is used to sign, encrypt and decrypt tokens exchanged with the OpenID Connect Provider. See RFC 7517 for syntax and examples.
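The following added example (not code from the mod_auth_openidc project) derives the metadata filename from an issuer as described for the three file types above and checks one issuer's .provider/.client/.conf files against the .conf keys listed here. It assumes the .provider file carries the standard `issuer` field of OpenID Connect Discovery metadata, treats a missing .conf as optional, and flags `ssl_validate_server` set to 0 because that turns off TLS certificate validation toward the OP; the sample files it writes are constructed.

```python
import json, os, tempfile
from urllib.parse import quote

# Keys the page lists as valid in a per-provider .conf file.
CONF_KEYS = {
    "ssl_validate_server", "scope", "response_type", "response_mode", "pkce_method", "client_name", "client_contact",
    "idtoken_iat_slack", "session_max_duration", "jwks_refresh_interval", "client_jwks_uri", "id_token_signed_response_alg",
    "id_token_encrypted_response_alg", "id_token_encrypted_response_enc", "userinfo_signed_response_alg",
    "userinfo_encrypted_response_alg", "userinfo_encrypted_response_enc", "auth_request_params", "token_endpoint_params",
    "token_endpoint_auth", "registration_endpoint_json", "userinfo_refresh_interval", "userinfo_token_method",
    "request_object", "auth_request_method", "registration_token", "response_require_iss", "keys",
}
def issuer_to_basename(issuer: str) -> str:
    # Strip the https:// prefix and trailing slash, then URL-encode what is left.
    base = issuer[len("https://"):] if issuer.startswith("https://") else issuer
    return quote(base.rstrip("/"), safe="")  # "localhost:9031" -> "localhost%3A9031"

def check_provider_files(metadata_dir: str, issuer: str) -> list:
    # Return findings for one issuer's .provider/.client/.conf files.
    findings, base = [], os.path.join(metadata_dir, issuer_to_basename(issuer))
    for ext in (".provider", ".client", ".conf"):
        path = base + ext
        if not os.path.exists(path):
            if ext != ".conf":  # assumption: .conf only carries optional overrides
                findings.append(f"missing {path}")
            continue
        try:
            data = json.load(open(path, encoding="utf-8"))
        except ValueError as exc:
            findings.append(f"{path}: invalid JSON ({exc})")
            continue
        if ext == ".provider" and data.get("issuer") != issuer:
            findings.append(f"{path}: 'issuer' does not match {issuer}")
        if ext == ".conf":
            for key in sorted(data.keys() - CONF_KEYS):
                findings.append(f"{path}: unknown key {key!r}")
            if data.get("ssl_validate_server") in (0, False, "Off"):
                findings.append(f"{path}: TLS server certificate validation is off")
    return findings

def demo() -> list:
    # Constructed sample: the page's localhost:9031 files written to a temp dir.
    issuer = "https://localhost:9031"
    base = os.path.join(tempfile.mkdtemp(), issuer_to_basename(issuer))
    files = {".provider": {"issuer": issuer},
             ".client": {"client_id": "ac_oic_client", "client_secret": "<constructed>"},
             ".conf": {"ssl_validate_server": 0, "scope": "openid email profile", "scop": "x"}}
    for ext, content in files.items():
        with open(base + ext, "w", encoding="utf-8") as fh:
            json.dump(content, fh)
    return check_provider_files(os.path.dirname(base), issuer)
```

Running `demo()` reports the misspelled `scop` key and the disabled TLS validation for the constructed sample; point `check_provider_files` at your real OIDCMetadataDir to audit a deployment.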
Below is sample per-provider .conf metadata for issuer https://localhost:9031, so the mod_auth_openidc configuration filename is localhost%3A9031.conf:

```json
{
  "ssl_validate_server" : 0,
  "scope" : "openid email profile"
}
```

If you do not want to use the internal discovery page (you really shouldn't...), you can have the user redirected to an external discovery page by setting OIDCDiscoverURL. That URL will be accessed with a number of parameters: oidc_callback, target_link_uri, method and x_csrf. All parameters (except oidc_callback) need to be returned to the oidc_callback URL together with an iss parameter that contains the URL-encoded issuer value of the selected Provider, or a URL-encoded account name for OpenID Connect Discovery purposes (aka. e-mail style identifier), or a domain name.

Sample callback:

```
<oidc_callback>?target_link_uri=<target_link_uri>&iss=[<issuer>|<domain>|<e-mail-style-account-name>][&login_hint=<name>][&scopes=<space-separated-scopes>][&auth_request_params=<urlencoded-query-string>]
```
This is also the OpenID Connect specified way of triggering 3rd party initiated SSO to a specific provider when multiple OPs have been configured. In that case the callback may also contain a "login_hint" parameter with the login identifier the user might use to log in.
An additional mod_auth_openidc specific parameter named auth_request_params may also be passed in, see the Wiki for its usage.
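As an added example (not code from the project), here is the server-side step an external discovery page has to perform for the exchange described above: it echoes every parameter except oidc_callback back to the oidc_callback URL and adds the iss (and optionally login_hint) the user selected. TRUSTED_CALLBACK_HOST, the REQUIRED tuple, the `method=get` value and SAMPLE_QUERY are assumptions made for the example; the host check is a defensive addition so the discovery page cannot be used to redirect users elsewhere.

```python
from urllib.parse import parse_qs, urlencode, urlsplit

# Assumption for this example: the discovery page only sends users back to the
# oidc_callback on the host that serves OIDCRedirectURI, never to arbitrary hosts.
TRUSTED_CALLBACK_HOST = "www.example.com"
# Parameters the page says mod_auth_openidc passes (besides oidc_callback).
REQUIRED = ("target_link_uri", "method", "x_csrf")

def build_discovery_return(discovery_query: str, iss: str, login_hint: str = "") -> str:
    # Parse the query mod_auth_openidc appended to OIDCDiscoverURL and build the
    # redirect back: every parameter except oidc_callback is echoed, plus iss.
    params = {k: v[0] for k, v in parse_qs(discovery_query, strict_parsing=True).items()}
    callback = params.pop("oidc_callback", None)
    if callback is None or urlsplit(callback).hostname != TRUSTED_CALLBACK_HOST:
        raise ValueError("missing or untrusted oidc_callback")
    missing = [name for name in REQUIRED if name not in params]
    if missing:
        raise ValueError(f"discovery request lacks {missing}")
    params["iss"] = iss  # issuer URL, domain, or e-mail style account name
    if login_hint:
        params["login_hint"] = login_hint
    return callback + "?" + urlencode(params)

# Constructed sample of the query string an external discovery page receives.
SAMPLE_QUERY = ("oidc_callback=https%3A%2F%2Fwww.example.com%2Fexample%2Fredirect_uri%2F"
                "&target_link_uri=https%3A%2F%2Fwww.example.com%2Fexample%2F"
                "&method=get&x_csrf=0123abcd")
```

The discovery page issues an HTTP redirect to the returned URL once the user has picked a provider; the x_csrf value is passed through untouched so the module can tie the response to the request it issued.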
If you need to restrict certain Locations to a single provider and you want to skip the Discovery page for those locations, immediately redirecting to the appropriate Provider, see: https://github.com/OpenIDC/mod_auth_openidc/wiki/Authorization#3-access-to-different-url-paths-on-a-per-provider-basis