From f325568ccb151e2cb167b0683cb7340a8516f96d Mon Sep 17 00:00:00 2001
From: Stefan Knoblich
Date: Mon, 27 Sep 2021 20:38:54 +0200
Subject: [PATCH] Add mod_auth_openidc apache2 module ebuild
Signed-off-by: Stefan Knoblich
---
 www-apache/mod_auth_openidc/Manifest | 3 +
 .../files/50_mod_auth_openidc.conf | 935 ++++++++++++++++++
 .../mod_auth_openidc-2.4.9.4.ebuild | 32 +
 3 files changed, 970 insertions(+)
 create mode 100644 www-apache/mod_auth_openidc/Manifest
 create mode 100644 www-apache/mod_auth_openidc/files/50_mod_auth_openidc.conf
 create mode 100644 www-apache/mod_auth_openidc/mod_auth_openidc-2.4.9.4.ebuild
diff --git a/www-apache/mod_auth_openidc/Manifest b/www-apache/mod_auth_openidc/Manifest
new file mode 100644
index 0000000..2132f1a
--- /dev/null
+++ b/www-apache/mod_auth_openidc/Manifest
@@ -0,0 +1,3 @@
+AUX 50_mod_auth_openidc.conf 57645 BLAKE2B 2398afbaf1efa5e231a6c9e495c53ab96eddd3b438a9c79fb95fa5b2a5c93c7d6c388387e621ba10f444dbb95d00e12f2343d8cfdb123c9c18759f7eba3f2fea SHA512 fa15326dc197e93e09a45b60ae308127a1042744293fb46b10231ee39d017916d5803e1644bba3511b0f220c5a29d6b502325997e6c3e1195238fde6be2fc595
+DIST mod_auth_openidc-2.4.9.4.tar.gz 287719 BLAKE2B 20b1278498a9aacdf5f10aa462cba46885ecb846e5332b5ec5bb2ef0e8569c28d8c035de33ef33a878f3e9c6de33b4b173906eca8a2dcb97d7432f016c64899a SHA512 755f3343f87cd1b05d16e60afc86b68a79657adf793863215fba1bce6a12b8b7b18f60fba5041f82601d3ab2d526287ff3f88fef33673e84456d0423a90b1977
+EBUILD mod_auth_openidc-2.4.9.4.ebuild 645 BLAKE2B 070ebe0c07aed2385ca56d9c84013619b99565f68b5289db253a9f0b514a42549e7c23c13c8ed96e916f6fd5c213c206722f8dabe460e957d22e9071a7e86318 SHA512 ac2dee18d40069ce45f33c7ceb7dbbb14f105d7c5339b6025b999dcc6e9adfea9c690839ebd7166069f17223d07de64519380402648e58fcc8755aaeb77bd4fb
diff --git a/www-apache/mod_auth_openidc/files/50_mod_auth_openidc.conf b/www-apache/mod_auth_openidc/files/50_mod_auth_openidc.conf
new file mode 100644
index 0000000..b88c28b
--- /dev/null
+++ b/www-apache/mod_auth_openidc/files/50_mod_auth_openidc.conf 
@@ -0,0 +1,935 @@
+
+LoadModule auth_openidc_module modules/mod_auth_openidc.so
+
+########################################################################################
+#
+# Common Settings
+#
+########################################################################################
+
+# (Mandatory)
+# The redirect_uri for this OpenID Connect client; this is a vanity URL
+# that must ONLY point to a path on your server protected by this module
+# but it must NOT point to any actual content that needs to be served.
+# You can use a relative URL like /protected/redirect_uri if you want to
+# support multiple vhosts that belong to the same security domain in a dynamic way
+#OIDCRedirectURI https://www.example.com/protected/redirect_uri
+
+# (Mandatory)
+# Set a password for crypto purposes, this is used for:
+# - encryption of the (temporary) state cookie
+# - encryption of cache entries, that may include the session cookie, see: OIDCCacheEncrypt and OIDCSessionType
+# Note that an encrypted cache mechanism can be shared between servers if they use the same OIDCCryptoPassphrase
+# Only for Apache >= 2.4.x:
+# If the value begins with exec: the resulting command will be executed and the
+# first line returned to standard output by the program will be used as the password.
+# The command may be absolute or relative to the web server root.
+#OIDCCryptoPassphrase [ | "exec:/path/to/otherProgram arg1" ]
+
+#
+# All other entries below this are optional though some may be required in a
+# particular setup e.g. OAuth 2.0 Resource Server vs. OpenID Connect Relying Party
+#
+
+# When using multiple OpenID Connect Providers, possibly combined with Dynamic Client
+# Registration and account-based OP Discovery.
+# Specifies the directory that holds metadata files (must be writable for the Apache process/user).
+# When not specified, it is assumed that we use a single statically configured provider as
+# described under the section "OpenID Connect Provider" below, most likely using OIDCProviderMetadataURL.
+#OIDCMetadataDir /var/cache/apache2/mod_auth_openidc/metadata
+
+########################################################################################
+#
+# OpenID Connect Provider
+#
+# For configuration of a single static provider, not using OpenID Connect Provider Discovery.
+#
+########################################################################################
+
+# URL where OpenID Connect Provider metadata can be found (e.g. https://accounts.google.com/.well-known/openid-configuration)
+# The obtained metadata will be cached and refreshed every 24 hours.
+# If set, individual entries below will not have to be configured but can be used to add
+# extra entries/endpoints to settings obtained from the metadata.
+# If OIDCProviderMetadataURL is not set, the entries below it will have to be configured for a single
+# static OP configuration or OIDCMetadataDir will have to be set for configuration of multiple OPs.
+#OIDCProviderMetadataURL
+
+# OpenID Connect Provider issuer identifier (e.g. https://localhost:9031 or https://accounts.google.com)
+# Used when OIDCProviderMetadataURL is not defined or the metadata obtained from that URL does not set it.
+#OIDCProviderIssuer
+
+# OpenID Connect Provider Authorization Endpoint URL (e.g. https://localhost:9031/as/authorization.oauth2)
+# Used when OIDCProviderMetadataURL is not defined or the metadata obtained from that URL does not set it.
+#OIDCProviderAuthorizationEndpoint
+
+# OpenID Connect Provider JWKS URL (e.g. https://localhost:9031/pf/JWKS)
+# i.e. the URL on which the signing keys for this OP are hosted, in JWK formatting
+# Used when OIDCProviderMetadataURL is not defined or the metadata obtained from that URL does not set it.
+#OIDCProviderJwksUri
+
+# OpenID Connect Provider Token Endpoint URL (e.g. https://localhost:9031/as/token.oauth2)
+# Used when OIDCProviderMetadataURL is not defined or the metadata obtained from that URL does not set it.
+#OIDCProviderTokenEndpoint
+
+# Authentication method for the OpenID Connect Provider Token Endpoint.
+# When "private_key_jwt" is used, OIDCPrivateKeyFiles and OIDCPublicKeyFiles must have been set.
+# When not defined the default method from the specification is used, i.e. "client_secret_basic".
+# Used when OIDCProviderMetadataURL is not defined or the metadata obtained from that URL does not set it.
+# NB: this can be overridden for dynamic client registration on a per-OP basis in the .conf file using the key: token_endpoint_auth
+#OIDCProviderTokenEndpointAuth [ client_secret_basic | client_secret_post | client_secret_jwt | private_key_jwt | none ]
+
+# Extra parameters that need to be passed in the POST request to the Token Endpoint.
+# Parameter names and values need to be provided in URL-encoded form.
+# When not defined no extra parameters will be passed.
+# NB: this can be overridden on a per-OP basis in the .conf file using the key: token_endpoint_params
+#OIDCProviderTokenEndpointParams =[&=]*
+
+# OpenID Connect Provider UserInfo Endpoint URL (e.g. https://localhost:9031/idp/userinfo.openid)
+# When not defined no claims will be resolved from such endpoint.
+# Used when OIDCProviderMetadataURL is not defined or the metadata obtained from that URL does not set it.
+#OIDCProviderUserInfoEndpoint
+
+# OpenID OP Check Session iFrame URL, for Session Management purposes.
+# When not defined, no Session Management will be applied.
+# Used when OIDCProviderMetadataURL is not defined or the metadata obtained from that URL does not set it.
+#OIDCProviderCheckSessionIFrame
+
+# OpenID OP End Session Endpoint URL, for Single Logout (Session Management) purposes.
+# When not defined, no logout to the OP will be performed.
+# Used when OIDCProviderMetadataURL is not defined or the metadata obtained from that URL does not set it.
+#OIDCProviderEndSessionEndpoint
+
+# The RFC 7009 Token Revocation Endpoint URL.
+# When defined, the refresh token and access token stored in an OIDC session will be revoked on logout.
+# Used when OIDCProviderMetadataURL is not defined or the metadata obtained from that URL does not set it.
+#OIDCProviderRevocationEndpoint
+
+# Define whether the OP supports OpenID Connect Back Channel Logout.
+# According to: https://openid.net/specs/openid-connect-backchannel-1_0.html
+# Used when OIDCProviderMetadataURL is not defined or the metadata obtained from that URL does not set it.
+#OIDCProviderBackChannelLogoutSupported [On|Off]
+
+# Extra JSON parameters that need to be passed in the registration request to the Registration Endpoint.
+# This settings serves as a default value for multiple OPs only.
+# Parameter names and values need to be provided in JSON form and will be merged in to the request.
+# When not defined no extra parameters will be passed.
+# NB: this can be overridden on a per-OP basis in the .conf file using the key: registration_endpoint_params
+#OIDCProviderRegistrationEndpointJson
+
+# Define the OpenID Connect scope that is requested from the OP (eg. "openid email profile").
+# When not defined, the bare minimal scope "openid" is used.
+# NB: multiple scope values must be enclosed in a single pair of double quotes
+# NB: this can be overridden on a per-OP basis in the .conf file using the key: scope
+#OIDCScope ""
+
+# Extra parameters that will be sent along with the Authorization Request.
+# These must be URL-query-encoded as in: "display=popup&prompt=consent" or
+# specific for Google's implementation: "approval_prompt=force".
+# This is used against a statically configured (single) OP or serves as the default for discovered OPs.
+# As an alternative to this option, one may choose to add the parameters as
+# part of the URL set in OIDCProviderAuthorizationEndpoint or "authorization_endpoint"
+# in the .provider metadata (though that would not work with Discovery OPs).
+#
+# Since version 2.3.11rc1 one can pass on query parameters from the request to the authorization
+# request by adding e.g. "foo=#" which which will dynamically pull in the query parameter value
+# from the request query parameter and add it to the authentication request to the OP.
+#
+# The default is to not add extra parameters.
+# NB: this can be overridden on a per-OP basis in the .conf file using the key: auth_request_params
+#OIDCAuthRequestParams
+
+# Require a valid SSL server certificate when communicating with the OP.
+# (i.e. on token endpoint, UserInfo endpoint and Dynamic Client Registration endpoint)
+# When not defined, the default value is "On".
+# NB: this can be overridden on a per-OP basis in the .conf file using the key: ssl_validate_server
+#OIDCSSLValidateServer [On|Off]
+
+# Require configured issuer to match the issuer returned in id_token.
+# (Disable to support Azure AD multi-tenant applications.)
+# When not defined, the default value is "On".
+#OIDCValidateIssuer [On|Off]
+
+# The refresh interval in seconds for the claims obtained from the userinfo endpoint
+# When not defined the default is 0, i.e. the claims are retrieved only at session creation time.
+# If refreshing fails, it is assumed that the access token is expired and an attempt will be made
+# to refresh the access token using the refresh token grant, after which a second attempt is made
+# to obtain claims from the userinfo endpoint with the new access token.
+# NB: this can be overridden on a per-OP basis in the .conf file using the key: userinfo_refresh_interval
+#OIDCUserInfoRefreshInterval
+
+# The refresh interval in seconds for the JWKs key set obtained from the jwk_uri.
+# When not defined the default is 3600 seconds.
+# NB: this can be overridden on a per-OP basis in the .conf file using the key: jwks_refresh_interval
+#OIDCJWKSRefreshInterval
+
+# Defines the way in which the access token will be presented to the userinfo endpoint
+# "authz_header" means that the token will be presented in an "Authorization: Bearer" header using HTTP GET
+# "post_param" means that the token will be presented a form-encoded POST parameter using HTTP POST
+# When not defined the default is "authz_header".
+# NB: this can be overridden on a per-OP basis in the .conf file using the key: userinfo_token_method
+#OIDCUserInfoTokenMethod [authz_header|post_param]
+
+# Defines the HTTP method used to pass the parameters in the Authentication Request to the Authorization Endpoint.
+# "GET" means that the parameters will be passed as query parameters in an HTTP GET
+# "POST" means that the parameters will be passed as form-post parameters in an HTTP POST
+# When not defined the default is "GET".
+# NB: this can be overridden on a per-OP basis in the .conf file using the key: auth_request_method
+# OIDCProviderAuthRequestMethod [ GET | POST ]
+
+# The fully qualified names of the files that contain the PEM-formatted RSA Public key or a X.509 certificates
+# that contain the RSA public keys to be used for JWT (OP state/id_token) encryption by the OP.
+# One of these keys must correspond to the private keys defined in OIDCPrivateKeyFiles.
+# When not defined no encryption will be requested.
+# You can also prefix with a JWK key identifier to manually override the automatically
+# generated "kid" that will be used for this key in the JWKs derived from this certificate and
+# published at OIDCClientJwksUri.
+# NB: this can be overridden on a per-OP basis in the .conf file using the key "keys" whose value is a JWK set/array (use=sign)
+#OIDCPublicKeyFiles ([#])+
+
+# The fully qualified names of the files that contain the PEM-formatted RSA private
+# keys that can be used to decrypt content sent to us by the OP.
+# These keys must correspond to the public keys defined in OIDCPublicKeyFiles.
+# When not defined no decryption will be possible.
+# NB: this can be overridden on a per-OP basis in the .conf file using the key "keys" whose value is a JWK set/array (use=enc)
+#OIDCPrivateKeyFiles ([#])+
+
+########################################################################################
+#
+# OpenID Connect Client
+#
+# Settings used by the client in communication with the OpenID Connect Provider(s),
+# i.e. in Authorization Requests, Dynamic Client Registration and UserInfo Endpoint access.
+# These settings are used when a single static provider is configured and serve as defaults
+# when multiple providers are configured.
+#
+########################################################################################
+
+# The response type (or OpenID Connect Flow) used (this serves as default value for discovered OPs too)
+# When not defined the "code" response type is used.
+# NB: this can be overridden on a per-OP basis in the .conf file using the key: response_type
+#OIDCResponseType ["code"|"id_token"|"id_token token"|"code id_token"|"code token"|"code id_token token"]
+
+# The response mode used (this serves as default value for discovered OPs too)
+# When not defined the default response mode for the requested flow (OIDCResponseType) is used.
+# NB: this can be overridden on a per-OP basis in the .conf file using the key: response_mode
+#OIDCResponseMode [fragment|query|form_post]
+
+# Only used for a single static provider has been configured, see below in OpenID Connect Provider.
+# Client identifier used in calls to the statically configured OpenID Connect Provider.
+#OIDCClientID
+
+# Only used for a single static provider has been configured, see below in OpenID Connect Provider.
+# Client secret used in calls to the statically configured OpenID Connect Provider.
+# (not used/required in the Implicit Client Profile, i.e. when OIDCResponseType is "id_token")
+#OIDCClientSecret
+
+# Filename with the PEM-formatted client certificate used to authenticate the Client in calls to the
+# token endpoint of the OAuth 2.0 Authorization server.
+# NB: this can be overridden on a per-OP basis in the .conf file using the key: token_endpoint_tls_client_cert
+#OIDCClientTokenEndpointCert
+
+# Filename with the PEM-formatted private key that belongs to the client certificate used to authenticate the
+# Client in calls to the token endpoint of the OAuth 2.0 Authorization server.
+# NB: this can be overridden on a per-OP basis in the .conf file using the key: token_endpoint_tls_client_key
+#OIDCClientTokenEndpointKey
+
+# Password for the PEM-formatted private key that belongs to the client certificate used to authenticate the
+# Client in calls to the token endpoint of the OAuth 2.0 Authorization server.
+# If the value begins with exec: the resulting command will be executed and the
+# first line returned to standard output by the program will be used as the password.
+# The command may be absolute or relative to the web server root.
+# NB: this can be overridden on a per-OP basis in the .conf file using the key: token_endpoint_tls_client_key_pwd
+#OIDCClientTokenEndpointKeyPassword [ | "exec:/path/to/otherProgram arg1" ]
+
+# The client name that the client registers in dynamic registration with the OP.
+# When not defined, no client name will be sent with the registration request.
+# NB: this can be overridden on a per-OP basis in the .conf file using the key: client_name
+#OIDCClientName
+
+# The contacts that the client registers in dynamic registration with the OP.
+# Must be formatted as e-mail addresses by specification.
+# Single value only; when not defined, no contact e-mail address will be sent with the registration request.
+# NB: this can be overridden on a per-OP basis in the .conf file using the key: client_contact
+#OIDCClientContact
+
+# The PKCE method used (this serves as default value for discovered OPs too)
+# When not defined PKCE is not used.
+# NB: this can be overridden on a per-OP basis in the .conf file using the key: pkce_method
+#OIDCPKCEMethod [plain|S256|referred_tb]
+
+# The OpenID Connect Bound Authentication policy used,
+# see: http://openid.net/specs/openid-connect-token-bound-authentication-1_0.html
+# "disabled": no referred token binding will be requested from the User Agent upon redirection to the OP
+# "optional": referred token binding will be requested, the "cnf["tbh"]" claim is optional on return
+# "required": referred token binding will be requested, the "cnf["tbh"]" claim must be present when the Client supports Token Binding
+# "enforced": referred token binding will be requested, the "cnf["tbh"]" claim must be present and the User Agent must support Token Binding
+# When not defined the default is "optional".
+#OIDCTokenBindingPolicy [disabled|optional|required|enforced]
+
+# (used only in dynamic client registration)
+# Define the Client JWKs URL (e.g. https://localhost/protected/?jwks=rsa)") that will be
+# used during client registration to point to the JWK set with public keys for this client.
+# If not defined the default ?jwks=rsa will be used, on which a JWK set
+# is automatically published based on the OIDCPublicKeyFiles setting so normally you don't
+# need to touch this unless this client is on a (test) host that is not reachable from the internet.
+# NB: this can be overridden on a per-OP basis in the .conf file using the key: client_jwks_uri
+#OIDCClientJwksUri
+
+# (used only in dynamic client registration)
+# The algorithm that the OP should use to sign the id_token.
+# When not defined the default that the OP should use by spec is RS256.
+# (ES??? algorithms only supported when using OpenSSL >= 1.0)
+# NB: this can be overridden on a per-OP basis in the .conf file using the key: id_token_signed_response_alg
+#OIDCIDTokenSignedResponseAlg [RS256|RS384|RS512|PS256|PS384|PS512|HS256|HS384|HS512|ES256|ES384|ES512]
+
+# (used only in dynamic client registration)
+# The algorithm that the OP should use to encrypt the Content Encryption Key that is used to encrypt the id_token.
+# When not defined the default (by spec) is that the OP does not encrypt the id_token.
+# NB: this can be overridden on a per-OP basis in the .conf file using the key: id_token_encrypted_response_alg
+#OIDCIDTokenEncryptedResponseAlg [RSA1_5|A128KW|A256KW|RSA-OAEP]
+
+# (used only in dynamic client registration)
+# The algorithm that the OP should use to encrypt to the id_token with the Content Encryption Key.
+# If OIDCIDTokenEncryptedResponseAlg is specified, the default for this value is A128CBC-HS256.
+# When OIDCIDTokenEncryptedResponseEnc is included, OIDCIDTokenEncryptedResponseAlg MUST also be provided.
+# (A256GCM algorithm only supported when using OpenSSL >= 1.0.1)
+# NB: this can be overridden on a per-OP basis in the .conf file using the key: id_token_encrypted_response_enc
+#OIDCIDTokenEncryptedResponseEnc [A128CBC-HS256|A256CBC-HS512|A256GCM]
+
+# (used only in dynamic client registration)
+# The algorithm that the OP should use to sign the UserInfo response
+# When not defined the default (by spec) is that the OP does not sign the response.
+# (ES??? algorithms only supported when using OpenSSL >= 1.0)
+# NB: this can be overridden on a per-OP basis in the .conf file using the key: userinfo_signed_response_alg
+#OIDCUserInfoSignedResponseAlg RS256|RS384|RS512|PS256|PS384|PS512|HS256|HS384|HS512|ES256|ES384|ES512]
+
+# (used only in dynamic client registration)
+# The algorithm that the OP should use to encrypt the Content Encryption Key that is used to encrypt the UserInfo response.
+# When not defined the default (by spec) is that the OP does not encrypt the response.
+# NB: this can be overridden on a per-OP basis in the .conf file using the key: userinfo_encrypted_response_alg
+#OIDCUserInfoEncryptedResponseAlg [RSA1_5|A128KW|A256KW|RSA-OAEP]
+
+# (used only in dynamic client registration)
+# The algorithm that the OP should use to encrypt to encrypt the UserInfo response with the Content Encryption Key
+# If OIDCUserInfoEncryptedResponseAlg is specified, the default for this value is A128CBC-HS256.
+# When OIDCUserInfoEncryptedResponseEnc is included, OIDCUserInfoEncryptedResponseAlg MUST also be provided.
+# (A256GCM algorithm only supported when using OpenSSL >= 1.0.1)
+# NB: this can be overridden on a per-OP basis in the .conf file using the key: userinfo_encrypted_response_enc
+#OIDCUserInfoEncryptedResponseEnc [A128CBC-HS256|A256CBC-HS512|A256GCM]
+
+########################################################################################
+#
+# WARNING:
+#
+# THE OAUTH 2.0 RESOURCE SERVER FUNCTIONALITY IS DEPRECATED NOW AND SUPERSEDED
+# BY A SEPARATE MODULE, SEE: https://github.com/zmartzone/mod_oauth2
+#
+# OAuth 2.0 Resource Server Settings
+#
+# Used when this module functions as a Resource Server against an OAuth 2.0 Authorization
+# Server, introspecting/validating bearer Access Tokens.
+#
+########################################################################################
+
+# URL where Authorization Provider Provider metadata can be found (e.g. https://example.com/.well-known/oauth-authorization-server)
+# as defined in RFC 8414. The obtained metadata will be cached and refreshed every 24 hours.
+# If set, individual entries below will not have to be configured but can be used to add
+# extra entries/endpoints to settings obtained from the metadata.
+# If OIDCOAuthServerMetadataURL is not set, the endpoint entries below it will have to be configured.
+#OIDCOAuthServerMetadataURL
+
+# (Mandatory when introspecting opaque access tokens, Optional when performing local JWT access token validation)
+# OAuth 2.0 Authorization Server token introspection endpoint (e.g. https://localhost:9031/as/token.oauth2)
+#OIDCOAuthIntrospectionEndpoint
+
+# Client identifier used in token introspection calls to the OAuth 2.0 Authorization server.
+#OIDCOAuthClientID
+
+# Client secret used in token introspection calls to the OAuth 2.0 Authorization server.
+#OIDCOAuthClientSecret
+
+# Authentication method for the OAuth 2.0 Authorization Server introspection endpoint,
+# Used to authenticate the client to the introspection endpoint e.g. with a client_id/client_secret
+# when OIDCOAuthClientID and OIDCOAuthClientSecret have been set and "client_secret_basic" or "client_secret_post"
+# has been configured.
+# When "private_key_jwt" is used, OIDCPrivateKeyFiles and OIDCPublicKeyFiles must have been set.
+# When not defined "client_secret_basic" is used.
+#OIDCOAuthIntrospectionEndpointAuth [ client_secret_basic | client_secret_post | client_secret_jwt | private_key_jwt | bearer_access_token | none ]
+
+# Used when "OIDCOAuthIntrospectionEndpointAuth bearer_access_token" is configured.
+# Specifies a static token to be used for authorizing the call to the introspection endpoint.
+# If empty, the introspected token will be used for authorization as well.
+#OIDCOAuthIntrospectionClientAuthBearerToken [ a-static-bearer-token | ]
+
+# Filename that contains the PEM-formatted client certificate used to authenticate the
+# caller in token introspection calls to the OAuth 2.0 Authorization server.
+#OIDCOAuthIntrospectionEndpointCert
+
+# Filename that contains the PEM-formatted private key that belongs to the client certificate used
+# to authenticate the caller in token introspection calls to the OAuth 2.0 Authorization server.
+#OIDCOAuthIntrospectionEndpointKey
+
+# Define the HTTP method to use for the introspection call. Must be GET or POST.
+# When not defined the default is POST.
+#OIDCOAuthIntrospectionEndpointMethod [POST|GET]
+
+# Extra parameters that need to be passed in the POST request to the Introspection Endpoint.
+# Parameter names and values need to be provided in URL-encoded form.
+# When not defined no extra parameters will be passed.
+#OIDCOAuthIntrospectionEndpointParams =[&=]*
+
+# Name of the parameter whose value carries the access token value in an validation request to the token introspection endpoint.
+# When not defined the default "token" is used.
+#OIDCOAuthIntrospectionTokenParamName
+
+# Defines the name of the claim that contains the token expiry timestamp, whether it is absolute (seconds since
+# 1970), relative (seconds from now after which the token will expire), and whether it is optional.
+# If the claim is optional and not found in the response, the introspection result will not be cached.
+# (which means that the overall performance may suffer)
+#
+# Only applies when the "active" claim is not found in the introspection response, which is interpreted as
+# an introspection method that does not conform to draft-ietf-oauth-introspection, but is custom.
+#
+# When not defined the default "expires_in" is used, the expiry is "relative" and mandatory, matching
+# Google and PingFederate's introspection behavior.
+#OIDCOAuthTokenExpiryClaim [absolute|relative] [mandatory|optional]
+
+# Define the interval in seconds after which a cached and introspected access token needs
+# to be refreshed by introspecting (and validating) it again against the Authorization Server.
+# (can be configured on a per-path basis)
+# When not defined the value is 0, which means it only expires after the `exp` (or alternative,
+# see OIDCOAuthTokenExpiryClaim) hint as returned by the Authorization Server.
+# When set to -1, caching of the introspection results is disabled and the token will be introspected
+# on each request presenting it.
+#OIDCOAuthTokenIntrospectionInterval
+
+# Require a valid SSL server certificate when communicating with the Authorization Server
+# on the token introspection endpoint. When not defined, the default value is "On".
+#OIDCOAuthSSLValidateServer [On|Off]
+
+# The symmetric shared key(s) that can be used for local JWT access token validation.
+# NB: this is one or more key tuples where a key tuple consists of:
+# plain|b64|hex#[]#
+# When not defined, no access token validation with shared keys will be performed.
+# Examples:
+# - a plaintext secret and a key identifier (kid)
+# plain#1#mysecret
+# - a base64 encoded secret, no key identifier provided
+# b64##AF515DE==
+# - a hex encoded secret, no key identifier provided
+# hex##ede012
+#OIDCOAuthVerifySharedKeys ([plain|b64|hex#][#])+
+
+# The fully qualified names of the files that contain the X.509 certificates with the RSA public
+# keys that can be used for local JWT access token verification.
+# NB: this is one or more key tuples where a key tuple consists of:
+# [#]
+# and the key identifier part is required when the JWT access token contains a "kid" in its header.
+# When not defined, no access token validation with statically configured certificates will be performed.
+#OIDCOAuthVerifyCertFiles ([#])+
+
+# The JWKs URL on which the Authorization Server publishes the keys used to sign its JWT access tokens.
+# When not defined local validation of JWTs can still be done using statically configured keys,
+# by setting OIDCOAuthVerifyCertFiles and/or OIDCOAuthVerifySharedKeys.
+#OIDCOAuthVerifyJwksUri
+
+# The claim that is used when setting the REMOTE_USER variable on OAuth 2.0 protected paths.
+# When not defined the default "sub" is used.
+#
+# An optional regular expression can be added as a 2nd parameter that will be applied to the
+# claim value from the 1st parameter and the first match returned from that expression will
+# be set as the REMOTE_USER. E.g. to strip a domain from an e-mail style address you'd use ^(.*)@
+#
+# An optional 3rd parameter can be added that would contain string with number backrefrences.
+# Backrefrences must be in the form $1, $2.. etc.
+# E.g. to extract username in the form DOMAIN\userid from e-mail style address you may use
+# ^(.*)@([^.]+)\..+$ $2\\$1
+#OIDCOAuthRemoteUserClaim [] [substitution-string]
+
+# Define the way(s) in which bearer OAuth 2.0 access tokens can be passed to this Resource Server.
+# Must be one or several of:
+# "header" : an "Authorization: bearer" header
+# "post" : an HTTP Post parameter called "access_token"
+# "query" : as an HTTP query parameter called "access_token"
+# "cookie" : as a cookie header called "PA.global" or using the name specified after ":"
+# "basic": as a HTTP Basic Auth (RFC2617, section 2) password, with any username
+# When not defined the default "header" is used.
+#OIDCOAuthAcceptTokenAs [header|post|query|cookie[:|basic]+
+
+# The Token Binding policy used for OAuth 2.0 Access Tokens
+# see: https://tools.ietf.org/html/draft-ietf-oauth-token-binding
+# "disabled": no token binding ID will be verified in the access token, present or not
+# "optional": the "cnf["tbh"]" claim is optional in the introspection result or the JWT access token, if it is present it will be verified
+# "required": the "cnf["tbh"]" claim must be present when the Client supports Token Binding
+# "enforced": the "cnf["tbh"]" claim must be present and the Client must support Token Binding
+# When not defined the default is "optional".
+#OIDCOAuthAccessTokenBindingPolicy [disabled|optional|required|enforced]
+
+
+########################################################################################
+#
+# Cookie Settings
+#
+########################################################################################
+
+# Define the cookie path for the "state" and "session" cookies.
+# When not defined the default is a server-wide "/".
+#OIDCCookiePath
+
+# Specify the domain for which the "state" and "session" cookies will be set.
+# This must match the OIDCRedirectURI and the URL on which you host your protected
+# application. When using a relative OIDCRedirectURI this setting should most probably empty.
+# When not defined the default is the server hostname that is currently accessed.
+#OIDCCookieDomain
+
+# Define the cookie name for the session cookie.
+# When not defined the default is "mod_auth_openidc_session".
+#OIDCCookie
+
+# OpenID Connect session cookie chunk size.
+# When using "OIDCSessionType client-cookie" the session cookie may become quite large if a lot of session
+# data needs to be stored, typically the size depends on the "scopes" of information you request. To work
+# around cookie size limitations for most web browsers (usually 4096 bytes), the "client-cookie" will be split
+# over a number of "chunked" cookies if the resulting session data is over a certain number of bytes,
+# If you want to prevent splitting the session cookie regardless of its size, set the value to 0.
+# When not defined the default chunk size is 4000 bytes
+#OIDCSessionCookieChunkSize 4000
+
+# Defines whether the HttpOnly flag will be set on cookies.
+# When not defined the default is On.
+#OIDCCookieHTTPOnly [On|Off]
+
+# Defines whether the SameSite flag will be set on cookies.
+# When On the following will apply:
+# state cookie: Lax
+# session cookie: first time set Lax, updates (e.g. after inactivity timeout) Strict
+# x_csrf discovery: Strict:
+#
+# The default `SameSite=None` cookie appendix on `Set-Cookie` response headers can be
+# conditionally overridden using an environment variable in the Apache config as in:
+# SetEnvIf User-Agent ".*IOS.*" OIDC_SET_COOKIE_APPEND=;
+# (since version 2.4.1)
+#
+# When not defined the default is Off.
+#OIDCCookieSameSite [On|Off]
+
+# Specify the names of cookies to pickup from the browser and send along on backchannel
+# calls to the OP and AS endpoints. This can be used for load-balancing purposes.
+# When not defined, no such cookies are sent.
+#OIDCPassCookies []+
+
+# Specify the names of cookies to strip from the incoming request so they are not passed
+# on to the target application(s). This may prevent a large set of chunked session cookies to
+# be sent to the backend. In that case you'd set it to (when using the default OIDCCookie setting):
+# mod_auth_openidc_session mod_auth_openidc_session_chunks mod_auth_openidc_session_0 mod_auth_openidc_session_1
+# When not defined, no cookies are stripped.
+#OIDCStripCookies []+
+
+# Specify the maximum number of state cookies i.e. the maximum number of parallel outstanding
+# authentication requests. See: https://github.com/zmartzone/mod_auth_openidc/issues/331
+# Setting this to 0 means unlimited, until the browser or server gives up which is the
+# behavior of mod_auth_openidc < 2.3.8, which did not have this configuration option.
+#
+# The optional second boolean parameter if the oldest state cookie(s) will be deleted,
+# even if still valid; see #399.
+#
+# When not defined, the default is 7 and "false", thus the oldest cookie(s) will not be deleted.
+#OIDCStateMaxNumberOfCookies [false|true]
+
+# Define the cookie prefix for the state cookie.
+# When not defined the default is "mod_auth_openidc_state_".
+#OIDCStateCookiePrefix
+
+########################################################################################
+#
+# Session Settings (only relevant in an OpenID Connect Relying Party setup)
+#
+########################################################################################
+
+# Interval in seconds after which the session will be invalidated when no interaction has occurred.
+# When not defined, the default is 300 seconds.
+#OIDCSessionInactivityTimeout
+
+# Maximum duration of the application session
+# When not defined the default is 8 hours (3600 * 8 seconds).
+# When set to 0, the session duration will be set equal to the expiry time of the ID token.
+# NB: this can be overridden on a per-OP basis in the .conf file using the key: session_max_duration
+#OIDCSessionMaxDuration
+
+# OpenID Connect session storage type.
+# "server-cache" server-side caching storage.
+# "client-cookie" uses browser-side sessions stored in a cookie; see also OIDCSessionCookieChunkSize next
+# A suffix ":persistent" can be added if you want to use a persistent cookie that survives browser restarts
+# instead of a session cookie that is tied to the lifetime of the browser session.
+# The "expires" value of the persistent cookie is controlled by the OIDCSessionInactivityTimeout setting.
+# When not defined the default "server-cache" is used.
+#OIDCSessionType server-cache[:persistent]|client-cookie[:persistent]
+
+# Fallback to "OIDCSessionType client-cookie" when "OIDCSessionType server-cache" is set and the primary
+# cache mechanism (e.g. memcache or redis) fails. Note that this will come at a cost of:
+# a) performance
+# 1) since on each subsequent request the primary cache will still be polled and
+# failback will happen as soon as the primary cache is available again
+# 2) information other than sessions cannot be cached, e.g. resolved access tokens or metadata; see: OIDCCacheType
+# b) security, since nonce's and jti's are not cached, see: OIDCCacheType
+# c) (prototype) functionality, since request_uri's won't work anymore
+# When not defined the default is "Off".
+#OIDCSessionCacheFallbackToCookie [On|Off]
+
+########################################################################################
+#
+# Cache Settings
+#
+########################################################################################
+
+# Cache type, used for temporary storage that is shared across Apache processes/servers for:
+# a) session state
+# b) nonce values to prevent replay attacks
+# c) validated OAuth 2.0 tokens
+# d) JWK sets that have been retrieved from jwk_uri's
+# e) resolved OP metadata when using OIDCProviderMetadataUrl
+# f) temporary state associated with Request URI's
+# must be one of \"shm\", \"memcache\", \"file\" or, if Redis support is compiled in, \"redis\"
+# When not defined, "shm" (shared memory) is used.
+#OIDCCacheType [shm|memcache|file[|redis]]
+
+# Indicate whether data in the cache backend should be encrypted.
+# When not defined the default is "Off" for the "shm" backend and "On" for all other cache backends
+#OIDCCacheEncrypt [On|Off]
+
+# When using OIDCCacheType "shm":
+# Specifies the maximum number of name/value pair entries that can be cached.
+# When caching a large number of entries the cache size limit may be reached and the
+# least recently used entry will be overwritten. If this happens within 1 hour,
+# errors will be displayed in the error.log and the OIDCCacheShmMax value may be increased.
+# When not specified, a default of 500 entries is used.
+# OIDCCacheShmMax
+
+# When using OIDCCacheType "shm":
+# Specifies the maximum size for a single cache entry in bytes with a minimum of 8464 bytes.
+# When caching large values such as numbers of attributes in a session or large metadata documents the
+# entry size limit may be overrun, in which case errors will be displayed in the error.log
+# and the OIDCCacheShmEntrySizeMax value has to be increased.
+# When not specified, a default entry size of 16913 bytes (16384 value + 512 key + 17 overhead) is used.
+# OIDCCacheShmEntrySizeMax
+
+# When using OIDCCacheType "file":
+# Directory that holds cache files; must be writable for the Apache process/user.
+# When not specified a system defined temporary directory (/tmp) will be used.
+#OIDCCacheDir /var/cache/apache2/mod_auth_openidc/cache
+
+# When using OIDCCacheType "file":
+# Cache file clean interval in seconds (only triggered on writes).
+# When not specified a default of 60 seconds is used.
+# OIDCCacheFileCleanInterval
+
+# Required when using OIDCCacheType "memcache":
+# Specifies the memcache servers used for caching as a space separated list of [:] tuples.
+#OIDCMemCacheServers "([:])+"
+# Required if Redis support is compiled in and when using OIDCCacheType "redis":
+# Specifies the Redis server used for caching as a [:] tuple.
+#OIDCRedisCacheServer [:]
+
+# Password to be used if the Redis server requires authentication: http://redis.io/commands/auth
+# When not specified, no authentication is performed.
+#OIDCRedisCachePassword
+
+# Logical database to select on the Redis server: https://redis.io/commands/select
+# When not defined the default database 0 is used.
+#OIDCRedisCacheDatabase
+
+# Timeout for connecting to the Redis servers.
+# When not defined the default connect timeout is 5 seconds.
+#OIDCRedisCacheConnectTimeout
+
+# Timeout waiting for a response of the Redis servers after a request was sent.
+# When not defined the default timeout is 5 seconds.
+#OIDCRedisCacheTimeout
+
+########################################################################################
+#
+# Advanced Settings
+#
+########################################################################################
+
+# Defines an external OP Discovery page. That page will be called with:
+# ?oidc_callback=
+# additional parameters may be added, a.o. `target_link_uri`, `x_csrf` and `method`.
+#
+# An Issuer selection can be passed back to the callback URL as in:
+# ?iss=[${issuer}|${domain}|${e-mail-style-account-name}][parameters][&login_hint=][&scopes=][&auth_request_params=]
+# where the parameter contains the URL-encoded issuer value of
+# the selected Provider, or a URL-encoded account name for OpenID
+# Connect Discovery purposes (aka. e-mail style identifier), or a domain name.
+# [parameters] contains the additional parameters that were passed in on the discovery request (e.g. target_link_uri=&x_csrf=&method=&scopes=)
+#
+# When not defined the bare-bones internal OP Discovery page is used.
+#OIDCDiscoverURL
+
+# Template used to display error messages.
+# The template must be prepared to take two strings, an error title and a more details error description,
+# both HTML encoded values, in that order and referenced by (C-style) "%s", e.g.

Message:%s

Description:%s

. +# A minimal example that posts error+detail to another webpage: +# +#
+# +# +#
+# +# When not defined a bare-bones internal template is used. +#OIDCHTMLErrorTemplate + +# Defines a default URL to be used in case of 3rd-party-init-SSO when no explicit target_link_uri +# has been provided. The user is also redirected to this URL in case an invalid authorization +# response was received. +# +# By default, when no OIDCDefaultURL is set, an expired state cookie will lead to an HTML error page +# being sent to the browser explaining what happened. To copy that (legacy) behaviour when OIDCDefaultURL is set, +# so that the browser is no longer redirected to the OIDCDefaultURL in case of state cookie expiry, use: +# SetEnvIfExpr true OIDC_NO_DEFAULT_URL_ON_STATE_TIMEOUT=true +# +# The default is to not redirect the browser to any URL but return an HTTP/HTML error to the user. +#OIDCDefaultURL + +# Defines a default URL where the user is sent to after logout, which may be overridden explicitly during logout. +# When not defined and no URL was passed explicitly, a default internal page will be shown. +#OIDCDefaultLoggedOutURL + +# Define the OpenID Connect scope(s) that is requested from the OP (eg. "admin edit") +# on a per-path basis in addition to the per-provider configured scopes (OIDCScope). +# NB: multiple scope values must be enclosed in a single pair of double quotes +#OIDCPathScope "" + +# Extra parameters that will be sent along with the Authorization Request. +# These must be URL-query-encoded as in: "display=popup&prompt=consent". +# +# NB: since version 2.3.0 this can be configured on a per-path basis across all configured Providers. +# +# Since version 2.3.11rc1 one can pass on query parameters from the request to the authorization +# request by adding e.g. "foo=#" which which will dynamically pull in the query parameter value +# from the request query parameter and add it to the authentication request to the OP. +# +# The default is to not add extra parameters. 
+#OIDCPathAuthRequestParams + +# Acceptable offset (before and after) for checking the \"iat\" (= issued at) timestamp in the id_token. +# When not defined the default is 600 seconds. +# NB: this can be overridden on a per-OP basis in the .conf file using the key: idtoken_iat_slack +#OIDCIDTokenIatSlack + +# The prefix to use when setting claims (openid-connect or oauth20) in the HTTP headers/environment variables. +# This prefix should not be set to "" except when combined with OIDCWhiteListedClaims to maintain a secure setup. +# When not defined, the default "OIDC_CLAIM_" is used. +#OIDCClaimPrefix + +# The delimiter to use when setting multi-valued claims (openid-connect or oauth20) in the HTTP headers/environment variables. +# When not defined the default "," is used. +#OIDCClaimDelimiter + +# The claim that is used when setting the REMOTE_USER variable on OpenID Connect protected paths. +# If the claim name is postfixed with a \"@\", the claim value will be post-fixed with the +# \"iss\" value value (with leading "https://" stripped) to make this value unique across different OPs. +# When not defined the default "sub@" is used. +# +# An optional regular expression can be added as a 2nd parameter that will be applied to the +# resulting value from the 1st parameter and the first match returned from that expression will +# be set as the REMOTE_USER. E.g. to strip a domain from an e-mail style address you'd use ^(.*)@ +# +# An optional 3rd parameter can be added that would contain string with number backrefrences. +# Backrefrences must be in the form $1, $2.. etc. +# E.g. to extract username in the form DOMAIN\userid from e-mail style address you may use +# ^(.*)@([^.]+)\..+$ $2\\$1 +#OIDCRemoteUserClaim [@] [] [substitution-string] + +# Define the way(s) in which the id_token contents are passed to the application according to OIDCPassClaimsAs. 
+# Must be one or several of: +# "claims" : the claims in the id_token are passed in individual headers/environment variables +# "payload" : the payload of the id_token is passed as a JSON object in the "OIDC_id_token_payload" header/environment variable +# "serialized" : the complete id_token is passed in compact serialized format in the "OIDC_id_token" header/environment variable +# Note that when OIDCSessionType client-cookie is set, the id_token itself is not stored in the session/cookie and as such +# the headers for the "payload" and "serialized" option will not be created. +# When not defined the default "claims" is used. +#OIDCPassIDTokenAs [claims|payload|serialized]+ + +# Define the way(s) in which the claims resolved from the userinfo endpoint are passed to the application according to OIDCPassClaimsAs. +# Must be one or several of: +# "claims" : the userinfo claims are passed in individual headers/environment variables +# "json" : a self-contained userinfo JSON object is passed in the "OIDC_userinfo_json" header/environment variable +# "jwt" : a signed/encrypted JWT (if available!) optionally resolved from the userinfo endpoint is passed in the "OIDC_userinfo_jwt" header/environment variable +# When not defined the default "claims" is used. +#OIDCPassUserInfoAs [claims|json|jwt]+ + +# Define the way in which the claims and tokens are passed to the application environment: +# "none": no claims/tokens are passed +# "environment": claims/tokens are passed as environment variables +# "headers": claims/tokens are passed in headers (also useful in reverse proxy scenario's) +# "both": claims/tokens are passed as both headers as well as environment variables (default) +# +# Since version 2.4.6 one can specify "base64url" as the 2nd argument to apply base64url encoding to +# all values passed in headers. +# +# When not defined the default is "both" and base64url encoding is not applied to the header values. 
+#
+# The access token is passed in OIDC_access_token; the access token expiry is passed in OIDC_access_token_expires.
+# The refresh token is only passed in OIDC_refresh_token if enabled for that specific directory/location (see: OIDCPassRefreshToken)
+#OIDCPassClaimsAs [none|headers|environment|both] [base64url]
+
+# Specify the HTTP header variable name to set with the name of the authenticated user,
+# i.e. copy what is set in REMOTE_USER and configured in OIDCRemoteUserClaim or OIDCOAuthRemoteUserClaim.
+# When not defined no such header is added.
+# This setting can be configured for both the "openid-connect" and "oauth20" AuthType on
+# a server-wide or directory level.
+#OIDCAuthNHeader
+
+# Timeout in seconds for long duration HTTP calls. This is used for most requests to remote endpoints/servers.
+# When not defined the default of 60 seconds is used.
+#OIDCHTTPTimeoutLong
+
+# Timeout in seconds for short duration HTTP calls; used for Client Registration and OP Discovery requests.
+# When not defined the default of 5 seconds is used.
+#OIDCHTTPTimeoutShort
+
+# Time to live in seconds for state parameter i.e. the interval in which the authorization request
+# and the corresponding response need to be processed. When not defined the default of 300 seconds is used.
+#OIDCStateTimeout
+
+# Scrub user name and claim headers (as configured above) from the user's request.
+# The default is "On"; use "Off" only for testing and debugging because it renders your system insecure.
+#OIDCScrubRequestHeaders [On|Off]
+
+# Specify an outgoing proxy for your network.
+# When not defined no outgoing proxy is used.
+#OIDCOutgoingProxy [:]
+
+# Defines the action to be taken when an unauthenticated request is made.
+#
+# "auth" means that the user is redirected to the OpenID Connect Provider or Discovery page.
+# "401" means that HTTP 401 Unauthorized is returned.
+# "407" means that HTTP 407 Proxy Authentication Required is returned +# "410" means that HTTP 410 Gone is returned +# "pass" means that an unauthenticated request will pass but claims will still be passed when a user happens to be authenticated already +# +# Useful in Location/Directory/Proxy path contexts that serve AJAX/Javascript calls and for "anonymous access" +# +# When not defined the default is "auth" with auto-detection of XML HTTP requests, which would get "401". +# The default auto-detection algorithm looks for the "X-Requested-With: XMLHttpRequest" header/value, +# and/or the absence of "Accept" header with any of the values "text/html" "application/xhtml+xml" or "*/*" +# and returns 401 for such non-browser/non-html clients. See: https://github.com/zmartzone/mod_auth_openidc/wiki/Cookies#tldr +# +# Only for Apache >= 2.4.x: +# Since verson 2.4.4 a boolean Apache expression as the second parameter to specify which requests +# need to match to return the configured value in the first parameter to override the default "auth". +# See also: https://httpd.apache.org/docs/2.4/expr.html. +# E.g.: +# OIDCUnAuthAction 401 "%{HTTP_USER_AGENT} =~ /curl/" +# to return 401 for cURL based user agents and "auth" for any other browsers/user agents. 
+# OIDCUnAuthAction 401 "%{HTTP:X-Requested-With} == 'XMLHttpRequest'" +# to effectively override the default XML request detection algorithm by ignoring the Accept headers +# OIDCUnAuthAction 401 "%{HTTP_ACCEPT} !~ m#text/html#" +# to return 401 for all user agents that do not send an Accept header that includes a "text/html" value +# OIDCUnAuthAction 401 "%{HTTP:X-Requested-With} == 'XMLHttpRequest' || ( ( %{HTTP_ACCEPT} !~ m#text/html# ) && ( %{HTTP_ACCEPT} !~ m#application/xhtml\+xml# ) && ( %{HTTP_ACCEPT} !~ m#\*/\*# ) )" +# just as a more complex example, it equals the default XML request detection algorithm +# OIDCUnAuthAction auth true +# To disable auto-detection of XML HTTP request altogether and uncondtionally return "auth" for all clients. +# Note that actually *any* expression value in "OIDCUnAuthAction auth " will *always* render "auth" +# (even when set to "false"...) because of the default, so using an value (other than "true") only +# makes sense in combination with one of the values other than "auth". +#OIDCUnAuthAction [auth|pass|401|407|410] [] + +# Defines the action to be taken when an unauthorized request is made i.e. the user is authenticated but +# does not meet the `Require claim *:*` directives or similar. +# "401" means that HTTP 401 Unauthorized is returned. +# "403" means that HTTP 403 Forbidded is returned: NB: for Apache 2.4 this is controlled by the AuthzSendForbiddenOnFailure directive! +# "auth" means that the user is redirected to the OpenID Connect Provider or Discovery page. +# Useful in Location/Directory/Proxy path contexts that need to do stepup authentication +# When not defined the default "401" is used. +#OIDCUnAutzAction [401|403|auth] + +# Indicates whether POST data will be preserved across authentication requests (and discovery in case of multiple OPs). +# This is designed to prevent data loss when a session timeout occurs in a (long) user filled HTML form. 
+# It cannot handle arbitrary payloads for security (DOS) reasons, merely form-encoded user data. +# Preservation is done via HTML 5 local storage: note that this can lead to private data exposure on shared terminals. +# The default is "Off" (for security reasons). Can be configured on a per Directory/Location basis. +#OIDCPreservePost [On|Off] + +# Indicates whether the refresh token will be passed to the application in a header/environment variable, according +# to the OIDCPassClaimsAs directive. +# Can be configured on a per Directory/Location basis. The default is "Off". +#OIDCPassRefreshToken [On|Off] + +# Request Object/URI settings expressed as a string that is a "double-quote-escaped" JSON object. For example: +# "{ \"copy_from_request\": [ \"claims\", \"response_type\", \"response_mode\", \"login_hint\", \"id_token_hint\", \"nonce\", \"state\", \"redirect_uri\", \"scope\", \"client_id\" ], \"static\": { \"some\": \"value\", \"some_nested\": { \"some_array\": [ 1,2,3] } }, \"crypto\": { \"sign_alg\": \"HS256\", \"crypt_alg\": \"A256KW\", \"crypt_enc\": \"A256CBC-HS512\" }, \"url\": \"https://www.zmartzone.eu/protected/\", \"request_object_type\" : \"request\" }" +# Parameters: +# copy_from_request (array) : array of query parameter names copied from request +# copy_and_remove_from_request (array) : array of parameter names copied from request and removed as query parameter +# static (object) : parameter value is merged to the request object +# crypto (object) : defines cryptography used to create request object +# sign_alg (string) : algorithm used to sign request object (JWS alg parameter) +# crypt_alg (string) : algorithm used to encrypt CEK of request object (JWE alg parameter) +# crypt_enc (string) : algorithm used to encrypt request object (JWE enc parameter) +# url (string) : use this url instead of redirect_uri for request_uri +# request_object_type (string) : parameter used for sending authorization request object +# "request_uri" (default) or 
"request" +# NB: this can be overridden on a per-OP basis in the .conf file using the key: request_object +#OIDCRequestObject + +# Provider metadata refresh interval for the metadata in a multi-provider setup (with OIDCMetadataDir). +# When not defined the default is 0 seconds, i.e. it is never refreshed. +# Also used in a single provider setup with OIDCProviderMetadatURL but 0 then means the default of 1 day. +#OIDCProviderMetadataRefreshInterval + +# Define the data that will be returned upon calling the info hook. +# The data can be JSON formatted using ?info=json, or HTML formatted, using ?info=html. +# iat (int) : Unix timestamp indicating when this data was created +# access_token (string) : the access token +# access_token_expires (int) : the Unix timestamp which is a hint about when the access token will expire (as indicated by the OP) +# id_token (object) : the claims presented in the ID token +# userinfo (object) : the claims resolved from the UserInfo endpoint +# refresh_token (string) : the refresh token (if returned by the OP) +# exp (int) : the maximum session lifetime (Unix timestamp in seconds) +# timeout (int) : the session inactivity timeout (Unix timestamp in seconds) +# remote_user (string) : the remote user name +# session (object) : (for debugging) mod_auth_openidc specific session data such as "remote user", "session expiry", "session id" and a "state" object +# Note that when using ProxyPass / you may have to add a proxy exception for the Redirect URI +# for this to work, e.g. ProxyPass /redirect_uri ! +# When not defined the session hook will not return any data but a HTTP 404 +#OIDCInfoHook [iat|access_token|access_token_expires|id_token|userinfo|refresh_token|exp|timeout|remote_user|session]+ + +# Specify claims that should be removed from the userinfo and/or id_token before storing them in the session. 
+# Note that OIDCBlackListedClaims takes precedence over OIDCWhiteListedClaims +# When not defined no claims are blacklisted and all claims are stored except when OIDCWhiteListedClaims is used. +#OIDCBlackListedClaims []+ + +# Specify claims from the userinfo and/or id_token that should be stored in the session (all other claims will be discarded). +# Note that OIDCBlackListedClaims takes precedence over OIDCWhiteListedClaims +# When not defined no claims are whitelisted and all claims are stored except when blacklisted with OIDCBlackListedClaims. +#OIDCWhiteListedClaims []+ + +# Specify the minimum time-to-live for the access token stored in the OIDC session. +# When the access token expiry timestamp (or at tleast the hint given to that) is less than this value, +# an attempt will be made to refresh the access token using the refresh token grant type with the OP. +# This only has effect if a refresh token was actually returned from the OP and an "expires_in" hint +# was returned as part of the authorization response (and subsequent refresh token responses). +# When not defined no attempt is made to refresh the access token (unless implicitly with OIDCUserInfoRefreshInterval) +# The optional logout_on_error flag makes the refresh logout the current local session if the refresh fails. +#OIDCRefreshAccessTokenBeforeExpiry [logout_on_error] + +# Defines whether the value of the User-Agent and X-Forwarded-For headers will be used as the input +# for calculating the fingerprint of the state during authentication. +# When not defined the default "both" is used. 
+#OIDCStateInputHeaders [none|user-agent|x-forwarded-for|both] + +# Define one or more regular expressions that specify URLs (or domains) allowed for post logout and +# other redirects such as the "return_to" value on refresh token requests, the "login_uri" value +# on session management based logins through the OP iframe, and the "target_link_uri" parameter in +# 3rd-party initiated logins, e.g.: +# OIDCRedirectURLsAllowed ^https://www.example.com ^https://(\w+).example.org ^https://example.net/app +# or: +# OIDCRedirectURLsAllowed ^https://www.example.com/logout$ ^https://www.example.com/app/return_to$ +# When not defined, the default is to match the hostname in the URL redirected to against +# the hostname in the current request. +#OIDCRedirectURLsAllowed []+ +
+
+# vim: ts=4 filetype=apache
diff --git a/www-apache/mod_auth_openidc/mod_auth_openidc-2.4.9.4.ebuild b/www-apache/mod_auth_openidc/mod_auth_openidc-2.4.9.4.ebuild
new file mode 100644
index 0000000..cd5c04d
--- /dev/null
+++ b/www-apache/mod_auth_openidc/mod_auth_openidc-2.4.9.4.ebuild
@@ -0,0 +1,32 @@
+EAPI=7
+
+inherit apache-module
+
+DESCRIPTION="OpenID Connect Relying Party implementation for Apache HTTP Server 2.x"
+HOMEPAGE="https://github.com/zmartzone/mod_auth_openidc"
+SRC_URI="https://github.com/zmartzone/${PN}/releases/download/v${PV}/${P}.tar.gz"
+S="${WORKDIR}/${P}"
+
+LICENSE="Apache-2.0"
+SLOT="0"
+KEYWORDS="amd64"
+RDEPEND="
+ dev-libs/jansson
+ dev-libs/cjose
+"
+DEPEND="${RDEPEND}"
+
+need_apache2
+
+DOCS=(
+ "auth_openidc.conf"
+ "openidc.conf"
+)
+
+src_install() {
+ APACHE2_MOD_CONF="50_${PN}"
+ APACHE2_MOD_DEFINE="AUTH_OPENIDC"
+ APACHE_MODULESDIR="/usr/$(get_libdir)/apache2/modules"
+
+ apache-module_src_install
+}
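Review bot: RDEPEND declares only dev-libs/jansson and dev-libs/cjose, yet as far as I know mod_auth_openidc also links against libcurl, OpenSSL and PCRE, and the bundled 50_mod_auth_openidc.conf in this same commit describes Redis support as a compile-time option; without atoms such as `net-misc/curl`, `dev-libs/openssl` and `dev-libs/libpcre` (plus a `redis` USE flag pulling in `dev-libs/hiredis`) the build silently depends on whatever happens to be installed and the package manager cannot track rebuilds when those libraries are updated. `KEYWORDS="amd64"` on a brand-new ebuild should be `~amd64` per Gentoo policy, and `S="${WORKDIR}/${P}"` restates the default and can be dropped. If upstream publishes a detached signature next to the release tarball, inheriting `verify-sig` and adding the `.asc` to SRC_URI would authenticate the fetched source instead of relying solely on the locally generated Manifest digest. The DOCS entries are assumed to exist in the tarball; `einstalldocs` dies on a missing file, so confirm both names against the 2.4.9.4 release.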