
I want to set up a very simple system to grant authorized access to a static directory through Apache2 and its mod_auth_openidc module, using Keycloak as the OAuth (OpenID Connect) server. After going through all the documentation and articles I could find on this, I've arrived at the following configuration.

<VirtualHost *:80>
    DocumentRoot /var/www/html

    RewriteEngine On
    RewriteCond %{HTTPS} !on
    RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI}
    Redirect permanent '/' https://%{HTTP_HOST}
</VirtualHost>


<VirtualHost *:443>
    DocumentRoot /var/www/html

    ProxyPreserveHost On
    ProxyRequests Off
    RequestHeader set X-Forwarded-Proto "https"
    RequestHeader set X-Forwarded-Port "443"
    ProxyPass /auth http://127.0.0.1/auth
    ProxyPassReverse /auth http://127.0.0.1/auth

    SSLEngine on
    SSLCertificateFile      /etc/ssl/certs/ssl-cert-snakeoil.pem
    SSLCertificateKeyFile   /etc/ssl/private/ssl-cert-snakeoil.key

    <FilesMatch "\.(cgi|shtml|phtml|php)$">
        SSLOptions +StdEnvVars
    </FilesMatch>
    <Directory /usr/lib/cgi-bin>
        SSLOptions +StdEnvVars
    </Directory>

    OIDCOAuthIntrospectionEndpoint https://127.0.0.1/auth/realms/Localserv/protocol/openid-connect/token/introspect
    OIDCOAuthIntrospectionEndpointParams token_type_hint=access_token
    OIDCOAuthClientID Apache
    OIDCOAuthClientSecret 8947ff67-4a8d-4391-81cf-9b6c168e189d
    OIDCProviderMetadataURL https://127.0.0.1/auth/realms/Localserv/.well-known/openid-configuration
    OIDCRedirectURI https://www.example.com/example/redirect_uri
    OIDCCryptoPassphrase random1234

    <Location /secret/>
        AuthType oauth20
        Require claim iss:https://127.0.0.1/auth/Localserv/master
    </Location>

</VirtualHost>

Some more facts about my setup:

  • I'm running a Keycloak server on the same machine, using Apache as a reverse proxy for it. You can see that from the above configuration file too.

  • Also, I want to serve simple plain static files; I don't have any client application that can handle the OAuth flow. So I want the OAuth client-side flow to be handled by mod_auth_openidc only. It should redirect to a login page if an unauthorized user tries to access, and then, on correct login (authenticating through the Keycloak OAuth server), it should grant access.

Now my questions are:

  1. Do I need to set the OIDCRedirectURI directive? And if I do, what should its value be?

  2. What should the overall setup be for my requirements? I feel like I'm not going in the correct direction, so any help would be very much appreciated.

Sumit Ghosh

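The posted vhost uses AuthType oauth20, which only validates a bearer token the client already presents (via the introspection endpoint) and never redirects a browser to a login page; the redirect-to-Keycloak behaviour the question asks for is the openid-connect (authorization code) flow. The fragment below is an added example, not the poster's configuration, showing that flow for the /secret/ directory; it assumes the public hostname is www.example.com (taken from the posted OIDCRedirectURI), that Keycloak is reachable through the /auth reverse proxy at that hostname, and that the Keycloak client is named Apache with a confidential secret.

```apache
# Added example (not the original poster's config): minimal mod_auth_openidc
# setup for browser login against Keycloak. Assumed values: public hostname
# www.example.com, Keycloak under /auth on that host, realm Localserv,
# confidential Keycloak client "Apache". Place inside <VirtualHost *:443>.

# Discovery document; the module reads the authorization, token and JWKS
# endpoints from it, so nothing else about the realm needs to be hard-coded.
OIDCProviderMetadataURL https://www.example.com/auth/realms/Localserv/.well-known/openid-configuration

# Credentials of the Keycloak client (Access Type "confidential").
OIDCClientID Apache
OIDCClientSecret REPLACE-WITH-CLIENT-SECRET-FROM-KEYCLOAK

# Callback URL. It must lie inside a protected Location below, must not map
# to a real file (the module answers it itself), and must be registered
# verbatim as a Valid Redirect URI on the Keycloak client.
OIDCRedirectURI https://www.example.com/secret/redirect_uri

# Encrypts the session cookie and state cookie; use a long random value.
OIDCCryptoPassphrase REPLACE-WITH-LONG-RANDOM-STRING

<Location /secret/>
    # openid-connect (not oauth20) makes the module send unauthenticated
    # browsers to Keycloak's login page and set a session cookie on return.
    AuthType openid-connect
    Require valid-user

    # Optional issuer pin. Keycloak issues tokens with
    # iss = <base>/auth/realms/<realm>, so the posted value
    # https://127.0.0.1/auth/Localserv/master would never match.
    # Require claim iss:https://www.example.com/auth/realms/Localserv
</Location>
```

Keep the oauth20 directives (OIDCOAuthIntrospectionEndpoint, OIDCOAuthClientID, OIDCOAuthClientSecret) only if some other Location must also accept API calls with a bearer token; for plain static files they are not needed.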