...
Code Block |
---|
# For advanced options see: https://github.com/OpenIDC/mod_auth_openidc
<IfModule mod_auth_openidc.c>
# If you have an ingress proxy like Caddy you'll need the following
# respect X-Forwarded-* headers passed down from proxy
OIDCXForwardedHeaders X-Forwarded-Proto X-Forwarded-Host
# this personal secret is created by you and never shared!
OIDCCryptoPassphrase XXXXXXXXXXX_PERSONAL_SECRET_XXXXXXXXXXX
# after successfull login redirect the user to where they wanted to go
# this path needs to openid-connect protected on your host
OIDCRedirectURI https://myhost.fast.uwaterloo.ca/secure/redirect_uri
OIDCProviderMetadataURL https://sso-4ccc589b.sso.duosecurity.com/oidc/XXXXXXXXXXXXXXXXXXXX/.well-known/openid-configuration
OIDCClientID XXXXXXXXXXXXXXXXXXXX
OIDCClientSecret XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
# NOTE: you can find scopes in the the OIDCProviderMetadataURL
OIDCScope "openid profile email"
OIDCRemoteUserClaim user
# use HTTP_ prefix so env vars are more trusted in CGI. "see: suexec safe_env_lst"
OIDCClaimPrefix HTTP_OIDC_CLAIM_
# WARN: default delimiter is comma. AD groups can contain commas! (":" is safer)
OIDCClaimDelimiter ":"
</IfModule>
# Assuming handling https on an ingress server like Caddy.
# Also port 80 is firewalled to only talk to your ingress server.
<VirtualHost _default_:80>
ServerName myhost.fast.uwaterloo.ca
ServerAlias myhost-stage.fast.uwaterloo.ca
# NOTE: this is needed for the OIDCRedirectURI callback
<Location /secure>
AuthType openid-connect
Require valid-user
</Location>
# example: only allow IdM-HR-staff users
<Location /staff>
AuthType openid-connect
Require claim group:IdM-HR-staff
</Location>
# example: require user to be in two groups
<Location /staff-admin>
AuthType openid-connect
# each require is an OR. If you want AND, use RequireAll:
<RequireAll>
Require claim group:IdM-HR-staff
Require claim group:myhost-admin
</RequireAll>
# TODO: this might also work
# Require claim "group:myhost-admin group:IdM-HR-staff"
</Location>
<Location / >
AuthType openid-connect
Require valid-user
# if you have a simple backend to proxy to
ProxyPass / 127.0.0.1:8080
</Location>
</VirtualHost> |
OIDC in Django - django-oidc-auth
...