Monday, 24 October 2016

Apache config with mod_auth_openidc & openam

Okay, so we compiled mod_auth_openidc recently and now it's time to configure Apache so we can talk to an OAuth 2.0 / OpenID Connect server.

We'll do this with OpenAM - it's free and fun(ish) to configure & customise in a kinda weird way. I'll blog separately on a simple configuration for OpenAM.

Stay with the series, because we'll get to an Alexa skill in due course!

First up, a confession: the brew install of Apache. Although the compile worked fine, I couldn't get that version of Apache to work with certificates from Let's Encrypt, so I basically followed the same things in that post but for the Apache version from MacPorts instead. Note that MacPorts is a bit more "general" with its install locations, but it all basically follows the exact same pattern as I laid out in the previous post. If you want me to spell this out in detail, then comment below and I'll sort something out.

<IfModule auth_openidc_module>
  # OpenID Connect provider settings (browser login mode).
  # The issuer must be byte-identical to the iss claim OpenAM puts in its tokens, port included.
  OIDCProviderIssuer https://external.server.location:443/openam/oauth2
  OIDCProviderAuthorizationEndpoint https://external.server.location/openam/oauth2/authorize
  OIDCProviderTokenEndpoint https://external.server.location/openam/oauth2/access_token
  OIDCProviderTokenEndpointAuth client_secret_post
  OIDCProviderUserInfoEndpoint https://external.server.location/openam/oauth2/userinfo
  # Off disables checking OpenAM's TLS certificate: acceptable for a lab with a
  # self-signed cert, but set it On anywhere that matters or tokens travel unverified.
  OIDCSSLValidateServer Off
  OIDCClientID <MOD_CLIENT_ID>
  OIDCClientSecret <MOD_CLIENT_PASSWORD>
  OIDCScope "openid email"
  OIDCRedirectURI https://external.server.location/protect/redirect_uri
  # Where mod_auth_openidc fetches OpenAM's public signing keys to verify ID token signatures
  OIDCProviderJwksUri https://external.server.location/openam/oauth2/connect/jwk_uri
  # Passphrase used to encrypt the module's session cache and state cookies
  OIDCCryptoPassphrase <CRYPTO_PASSWORD>
  # OAuth 2.0 resource server settings: bearer tokens (from the Alexa skill) are
  # validated by calling OpenAM's introspection endpoint with a second client.
  # Same caveat as above on the Off value.
  OIDCOAuthSSLValidateServer Off
  OIDCOAuthRemoteUserClaim user_id
  OIDCOAuthIntrospectionEndpoint https://external.server.location/openam/oauth2/introspect
  OIDCOAuthIntrospectionTokenParamName token
  OIDCOAuthClientID <OAUTH_CLIENT_ID>
  OIDCOAuthClientSecret <OAUTH_CLIENT_PASSWORD>
</IfModule>

So what does all this do? You'll notice two groups of directives: one lot to do with OIDC, and the other all prefixed with OIDCOAuth.

Well, I mentioned we're going for an Alexa skill at the end of all this, right? For that, mod_auth_openidc has to act as an OAuth 2.0 resource server: it accepts the bearer token the Alexa skill sends and validates it against OpenAM (the OIDCOAuth directives; more on this in the later post). The second mode is mod_auth_openidc as an OpenID Connect relying party, which sends the browser off to OpenAM to log in and comes back with an ID token. I use this second mode to protect the resources for my web server.

For OpenAM I use the JWKS URI so that the ID token OpenAM hands out can be validated by mod_auth_openidc: the module fetches OpenAM's public signing keys from that endpoint and checks the token's signature against them. To do this it has to know the URI endpoint it can hit (OIDCProviderJwksUri).

The OIDCRedirectURI is an endpoint that mod_auth_openidc takes full control of (it is where OpenAM sends the browser back with the authorization code), so do not think of putting a real resource in this location. It does have to sit inside a location the module protects, though, otherwise the module never sees the callback.

I use this to protect it:

<Location /protect/>
    AuthType openid-connect
    Require valid-user
</Location>

The redirect_uri bit is important too, so leave it in: the full value must match, character for character, the redirect URI registered on the client in OpenAM, or OpenAM will refuse the authorization request.

The OIDCProviderUserInfoEndpoint is the OpenID Connect UserInfo endpoint, which the module calls with the access token to fetch claims about the logged-in user (the email, given the scope above), and OIDCProviderTokenEndpointAuth tells it how to authenticate to the token endpoint (client_secret_post: client id and secret in the POST body). The issuer needs to match your OpenAM configuration exactly, including the port, because mod_auth_openidc compares it against the iss claim in every token it receives, so check it and get it right! A quick way to see the exact value is to fetch OpenAM's discovery document at https://external.server.location/openam/oauth2/.well-known/openid-configuration and read its issuer field. (I got this wrong lots of times and it had me tearing what little hair remains out until I sussed out what this meant.) The OIDCClientID and secret are the client id and secret of the OpenAM client for the web server bit of my world.

The other bit you might need is how to protect your locations in this web server (relying party) mode. I use things like

<Location /your_root_here/>
    AuthType openid-connect
    Require valid-user
</Location>

As you can see, this is basically the same as the fake resource that is protected for the mod_auth_openidc redirect handling. The second group of directives (the OIDCOAuth stuff!) is for the resources that Alexa hits; I'll go into that later!
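As an added example (not the post's own config, nor code from the mod_auth_openidc or OpenAM projects), here is the same two-mode setup in the form a practitioner would want to compare against the block above. The host name, the /api/ and /admin/ paths, the claim value in the Require line and the placeholder client credentials are assumptions; the directives themselves (OIDCProviderMetadataURL, OIDCRemoteUserClaim, OIDCOAuthAcceptTokenAs, AuthType oauth20, Require claim) are documented mod_auth_openidc directives. It pulls the issuer, endpoints and jwks_uri from OpenAM's discovery document instead of hand-typing them, turns TLS validation back on, and adds the oauth20-protected location for the bearer-token mode that the post defers to a later instalment.

```apache
# Added example, not the original post's config. Hostname, paths and
# placeholders are assumptions; replace them with your own values.
<IfModule auth_openidc_module>
  # Discover issuer, authorization/token/userinfo endpoints and jwks_uri from
  # OpenAM, so the issuer string can never be mistyped.
  OIDCProviderMetadataURL https://external.server.location/openam/oauth2/.well-known/openid-configuration
  OIDCProviderTokenEndpointAuth client_secret_post

  # Browser mode: OpenID Connect relying party
  OIDCClientID <MOD_CLIENT_ID>
  OIDCClientSecret <MOD_CLIENT_PASSWORD>
  OIDCScope "openid email"
  OIDCRedirectURI https://external.server.location/protect/redirect_uri
  OIDCCryptoPassphrase <CRYPTO_PASSWORD>
  # Expose the email claim as REMOTE_USER to the application behind Apache
  OIDCRemoteUserClaim email

  # Verify OpenAM's TLS certificate in both modes. Use Off only in a lab
  # with self-signed certificates.
  OIDCSSLValidateServer On
  OIDCOAuthSSLValidateServer On

  # API mode: OAuth 2.0 resource server, bearer tokens checked via introspection
  OIDCOAuthIntrospectionEndpoint https://external.server.location/openam/oauth2/introspect
  OIDCOAuthIntrospectionTokenParamName token
  OIDCOAuthClientID <OAUTH_CLIENT_ID>
  OIDCOAuthClientSecret <OAUTH_CLIENT_PASSWORD>
  OIDCOAuthRemoteUserClaim user_id
  # Accept the token only from the Authorization: Bearer header, so it cannot
  # end up in query strings, access logs or Referer headers.
  OIDCOAuthAcceptTokenAs header
</IfModule>

# Module-owned callback for the authorization code; nothing is served here.
<Location /protect/>
    AuthType openid-connect
    Require valid-user
</Location>

# Interactive pages: the browser is redirected to OpenAM to log in.
<Location /your_root_here/>
    AuthType openid-connect
    Require valid-user
</Location>

# Same login mode, but authorize on a claim rather than "any valid user".
# The claim value is an assumed example.
<Location /admin/>
    AuthType openid-connect
    Require claim email:admin@example.org
</Location>

# API called by the Alexa skill: no browser redirect, the bearer token is
# validated against OpenAM's introspection endpoint and rejected with 401
# if it is missing, expired or unknown.
<Location /api/>
    AuthType oauth20
    Require valid-user
</Location>
```

Before restarting Apache, run apachectl configtest, then fetch the discovery URL with curl and confirm that its issuer field is byte-identical to the value you would otherwise have put in OIDCProviderIssuer (the :443 in the post's config is exactly the kind of detail that has to agree). If you must keep OIDCSSLValidateServer Off for a self-signed OpenAM, remember that it also silences certificate errors on the introspection and JWKS calls, which is precisely where a forged token would get in.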

Well, that's it for tonight... more on Alexa to follow...