...
Code Block |
---|
# For advanced options see: https://github.com/OpenIDC/mod_auth_openidc <IfModule mod_auth_openidc.c> # If you have an ingress proxy like Caddy you'll need the following # respect X-Forwarded-* headers passed down from proxy OIDCXForwardedHeaders X-Forwarded-Proto X-Forwarded-Host # this personal secret is created by you and never shared! OIDCCryptoPassphrase XXXXXXXXXXX_PERSONAL_SECRET_XXXXXXXXXXX # after successfull login redirect the user to where they wanted to go # this path needs to openid-connect protected on your host OIDCRedirectURI https://myhost.fast.uwaterloo.ca/oidc-callback/redirect_uri OIDCProviderMetadataURL https://sso-4ccc589b.sso.duosecurity.com/oidc/XXXXXXXXXXXXXXXXXXXX/.well-known/openid-configuration OIDCClientID XXXXXXXXXXXXXXXXXXXX OIDCClientSecret XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX # NOTE: you can find scopes in the the OIDCProviderMetadataURL OIDCScope "openid profile email" OIDCRemoteUserClaim user # use HTTP_ prefix so env vars are more trusted in CGI. "see: suexec safe_env_lst" OIDCClaimPrefix HTTP_OIDC_CLAIM_ # WARN: default delimiter is comma. AD groups can contain commas! (":" is safer) OIDCClaimDelimiter ":" OIDCCacheShmEntrySizeMax 270848 </IfModule> # Assuming handling https on an ingress server like Caddy. # Also port 80 is firewalled to only talk to your ingress server. <VirtualHost _default_:80> ServerName myhost.fast.uwaterloo.ca ServerAlias myhost-stage.fast.uwaterloo.ca # NOTE: this is needed for the OIDCRedirectURI callback <Location /oidc-callback> AuthType openid-connect Require valid-user </Location> # example: only allow IdM-HR-staff users <Location /staff> AuthType openid-connect Require claim group:IdM-HR-staff </Location> # example: require user to be in two groups <Location /staff-admin> AuthType openid-connect # each require is an OR. If you want AND, use RequireAll: <RequireAll> Require claim group:IdM-HR-staff Require claim group:myhost-admin </RequireAll> # TODO: this might also work # Require claim "group:myhost-admin group:IdM-HR-staff" </Location> <Location / > AuthType openid-connect Require valid-user # if you have a simple backend to proxy to ProxyPreserveHost On ProxyPass / ProxyPass 127.0.0.1:8080 </Location> </VirtualHost> |
...