
I have mod_auth_openidc working on CentOS 7 but cannot find the documentation that references how to extract passed user information.

My logs show that the module is performing the following interrogations

oidc_authz_match_claim: evaluating key "nickname"
oidc_authz_match_claim: evaluating key "email"
oidc_authz_match_claim: evaluating key "user_id"
oidc_authz_match_claim: evaluating key "identities"
oidc_authz_match_claim: evaluating key "iat"
oidc_authz_match_claim: evaluating key "picture"
oidc_authz_match_claim: evaluating key "last_password_reset"
oidc_authz_match_claim: evaluating key "name"
oidc_authz_match_claim: evaluating key "created_at"
oidc_authz_match_claim: evaluating key "app_metadata"
oidc_authz_match_claim: evaluating key "email_verified"
oidc_authz_match_claim: evaluating key "clientID"
oidc_authz_match_claim: evaluating key "folders"

I have tried setting both of the following in httpd.conf

OIDCRemoteUserClaim email
OIDCOAuthRemoteUserClaim email

then using <?php echo $_SESSION['REMOTE_USER']; ?> but I am not getting any variables being returned.

Thanks, Art

art vanderlay

1 Answer


In the default setup the email claim is available both as an environment variable:

echo $_SERVER['OIDC_CLAIM_email'];

and as an HTTP header:

$hdrs = apache_request_headers();
echo $hdrs['OIDC_CLAIM_email'];

The REMOTE_USER variable is accessible through:

$_SERVER['REMOTE_USER'];

and will be set to a globally unique identifier by default but is configurable through the OIDCRemoteUserClaim directive as you showed. A few remarks about the setup:

  1. You'll note that the HTTP headers are also available in the environment variables, with their variable names prefixed with HTTP_ and uppercased, e.g.
    $_SERVER['HTTP_OIDC_CLAIM_EMAIL'];

  2. You can configure the behavior around passing claims in headers and/or environment variables through various configuration directives

  3. The variables will of course only exist if the associated claim was present in the id_token or returned from the user info endpoint

Hans Z.
  • Your answer pointed me to my basic error using `SESSION` instead of `SERVER`, but the tips on `OIDC_CLAIM_*` will change the approach to our architecture to simplify the process. Thanks for the detailed answer – art vanderlay Sep 07 '16 at 10:18
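As an added example (editor's code, not from the question, the answer, or the mod_auth_openidc project), here is a small PHP helper that reads what the module exports in the way the answer describes: REMOTE_USER and the OIDC_CLAIM_* entries from $_SERVER. It deliberately reads the environment form rather than the HTTP_OIDC_CLAIM_* header copy, because a remote client cannot set a server environment variable, whereas a header value is only as trustworthy as whatever strips client-supplied OIDC_CLAIM_* headers in front of PHP. It also fails closed on a missing claim (remark 3 above) and treats the email as an identity only when email_verified says so. Assumptions not taken from the page: the default OIDC_CLAIM_ prefix (configurable with OIDCClaimPrefix), nested claims such as app_metadata arriving as JSON text, booleans arriving as "true"/"1", and the sample $_SERVER contents, which are constructed for illustration.

```php
<?php
// Added example, not code from the original question or answer.
// Reads the claims mod_auth_openidc exports into the request environment
// (the $_SERVER form, which a remote client cannot set; the HTTP_* header
// form is only as trustworthy as the header scrubbing in front of PHP).
// Assumptions: the default "OIDC_CLAIM_" prefix, nested claims
// (identities, app_metadata, ...) arriving as JSON text, and booleans
// arriving as "true"/"false" or "1"/"0".

declare(strict_types=1);

const OIDC_CLAIM_PREFIX = 'OIDC_CLAIM_';   // matches the OIDCClaimPrefix default

/** Collect every OIDC_CLAIM_* entry from a server array (pass $_SERVER in a page). */
function oidc_claims(array $server, string $prefix = OIDC_CLAIM_PREFIX): array
{
    $claims = [];
    foreach ($server as $key => $value) {
        if (!is_string($key) || strncmp($key, $prefix, strlen($prefix)) !== 0) {
            continue;
        }
        $name = substr($key, strlen($prefix));
        // Assumption: nested/array claims are serialised as JSON; decode those,
        // but keep plain strings (including numeric-looking ones) untouched.
        $decoded = json_decode((string) $value, true);
        $claims[$name] = is_array($decoded) ? $decoded : $value;
    }
    return $claims;
}

/** REMOTE_USER as set by the module (OIDCRemoteUserClaim), or null if unauthenticated. */
function oidc_remote_user(array $server): ?string
{
    $user = (string) ($server['REMOTE_USER'] ?? '');
    return $user === '' ? null : $user;
}

/** A claim the application cannot do without: fail closed instead of reading a null. */
function oidc_require_claim(array $server, string $name): string
{
    $key = OIDC_CLAIM_PREFIX . $name;
    if (!isset($server[$key]) || $server[$key] === '') {
        // Remark 3 of the answer: the variable only exists if the claim was issued.
        throw new RuntimeException("required claim '$name' not present in id_token/userinfo");
    }
    return (string) $server[$key];
}

/** Email counts as an identity only if the provider vouched for it. Assumes "true"/"1". */
function oidc_verified_email(array $server): ?string
{
    $verified = strtolower((string) ($server[OIDC_CLAIM_PREFIX . 'email_verified'] ?? ''));
    if (!in_array($verified, ['true', '1'], true)) {
        return null;
    }
    return $server[OIDC_CLAIM_PREFIX . 'email'] ?? null;
}

// Constructed sample of what the module would put in $_SERVER for some of the
// claims listed in the question's log; the values are made up for illustration.
function sample_server(): array
{
    return [
        'REMOTE_USER'               => 'auth0|5c8e1f2a',
        'OIDC_CLAIM_email'          => 'art@example.com',
        'OIDC_CLAIM_email_verified' => 'true',
        'OIDC_CLAIM_nickname'       => 'art',
        'OIDC_CLAIM_iat'            => '1473242000',
        'OIDC_CLAIM_app_metadata'   => '{"roles":["editor"]}',
        'OIDC_CLAIM_folders'        => 'inbox,drafts',
        'HTTP_OIDC_CLAIM_EMAIL'     => 'art@example.com',  // header copy, deliberately not read
        'REQUEST_METHOD'            => 'GET',
    ];
}

if (PHP_SAPI === 'cli') {
    $s = sample_server();
    printf("user: %s\n", oidc_remote_user($s) ?? '(none)');
    printf("email: %s\n", oidc_verified_email($s) ?? '(unverified)');
    print_r(oidc_claims($s));
    try {
        oidc_require_claim($s, 'user_id');   // absent from the sample: throws
    } catch (RuntimeException $e) {
        echo $e->getMessage(), "\n";
    }
}
```

Run it with `php example.php` to exercise it against the constructed array; in a real page pass $_SERVER instead of sample_server(). If no proxy hop separates the module from PHP, setting `OIDCPassClaimsAs environment` drops the HTTP_ copies altogether, which removes the header-trust question entirely.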