Apache OIDC Authentication
Configuring your own Apache Server with OIDC Authentication
The following setup will require users to have a valid CSAIL account to access your website. This is only supported for https
links, not unencrypted http
, for security reasons. The user will be redirected to the OpenID Connect authentication server if they are not already logged in, and then redirected back to your page after authorization is completed.
If you are configuring a website on a shared CSAIL webserver such as people, groups, or projects, see Restricting access with OIDC and .htaccess on CSAIL webservers
CSAIL OIDC Authentication Server Setup
(These steps tell our central OIDC server about your application, so it can pass back the authentication information you’re asking for.)
- Browse to https://oidc.csail.mit.edu/login and login with your CSAIL Kerberos account
- Administrative Manage Clients
- New Client
Main Tab
Client Name = yourhostname
Client Id = leave blank
Redirect URI(s) = https://YOURHOSTNAME.csail.mit.edu/.oidc-redirect
Rest of fields are optional perhaps add additional contacts
Access Tab
Scope: Leave all checkboxes set to the defualt.
Check groups checkbox if you want to restrict by group membership.
Subject Type = Public
For the other tabs, default fields are OK unless you are trying to do something fancy.
Once you click save it will generate ID and Secret (you will need these for the apache config file, below.)
Apache Setup
First, you need to install and enable the Apache module that supports OIDC:
sudo apt-get install libapache2-mod-auth-openidc
sudo a2enmod auth_openidc
(You’re about to edit the Apache config, so no need to restart Apache now.)
This assumes your webserver is a CSAIL Ubuntu machine (tested with CSAIL Ubuntu Xenial 16.04 and CSAIL Ubuntu Trusty 14.04). CSAIL Ubuntu machines have access by default to our repository of locally deployed packages, and will get a newer version of libapache2-mod-auth-openidc
than is available in vanilla 16.04. (Vanilla 14.04 doesn’t provide OIDC support at all.) If you are running vanilla Ubuntu or some other non-CSAIL version of Debian, feel free to contact us and we can tell you how to access the newer package we’ve deployed — with the caveat that it is only tested for CSAIL Ubuntu 16.04 and 14.04, and we can’t guarantee that it will work for you.
Besides the OIDC shared secret and ID that you got from the OIDC server in the step above, you’ll need a long random passphrase which Apache will use to encrypt data it stores locally. You can generate an appropriate passphrase with the following:
sudo apt-get install pwgen
pwgen -s 44 1
Once you’ve got the shared secret, ID, and local passphrase, put this your Apache site configuration file after your SSL config
OIDCProviderMetadataURL https://oidc.csail.mit.edu/.well-known/openid-configuration
OIDCClientID [ID_HERE]
OIDCClientSecret [SECRET_HERE]
OIDCRedirectURI https://[YOUR_HOST].csail.mit.edu/.oidc-redirect
OIDCCookieDomain [YOUR_HOST].csail.mit.edu
OIDCScope "openid email groups"
<Location /.oidc-redirect>
AuthType openid-connect
Require valid-user
</Location>
<Location />
AuthType openid-connect
Require all denied
<RequireAll>
Require ssl
Require claim iss:https://oidc.csail.mit.edu/
Require valid-user
</RequireAll>
</Location>
Then put the following line outside of any <VirtualHost>
stanza in your Apache config. (It can be at the end of your site configuration file as long as it’s after the </VirtualHost>
line, or it can be all by itself in a separate file such as /etc/apache2/conf.d/mod_auth_openidc-passphrase.conf
.)
OIDCCryptoPassphrase "[LONG_RANDOM_PASSPHRASE_YOU_GOT_FROM_pwgen_HERE]"
Then restart Apache with
sudo service apache2 restart
and test that things are working.