Authenticating with the apache plugin mod_auth_openidc and Feide
Apache virtual host configuration:
    <Location />
        # existing directives stay here; add the two lines below
        AuthType openid-connect
        Require valid-user
    </Location>
    <Location /oidc>
        SetHandler none
        AuthType openid-connect
        Require valid-user
    </Location>
    <Location /index/logout>
        AuthType None
        Require all granted
    </Location>
    <Location /about>
        AuthType None
        Require all granted
    </Location>
    <Location /refresh_session>
        AuthType None
        Require all granted
    </Location>
    <Location /api>
        AuthType None
        Require all granted
    </Location>
    <Location /doc>
        AuthType None
        Require all granted
    </Location>
    OIDCProviderMetadataURL https://auth.dataporten.no/.well-known/openid-configuration
    OIDCClientID XXX
    OIDCClientSecret YYY
    OIDCRedirectURI ZZZ/oidc/
    OIDCCryptoPassphrase LONGRANDOMSTRING
    OIDCOAuthRemoteUserClaim "dataporten-userid_sec"
    OIDCScope "userid userid-feide openid"
Note the first location block, where two lines need to be added to what is already there. This locks down the entire site. We haven’t found a way with this plugin to do it any other way.
The second location block just needs to be a URL that is not in use by anything else; the plugin uses it as its endpoint.
The third location block is the URL the plugin redirects to after logout.
The remaining location blocks are either public URLs, parts of NAV that have their own authentication system (/api), or URLs that must not be under the control of the plugin for the web frontend to function correctly.
In the lines that configure the plugin, XXX and YYY are generated by Feide at its dashboard. ZZZ is the domain name of the NAV instance; the plugin’s magic endpoint URL, /oidc/, is appended to it to form the redirect URI. The entire URL needs to be registered at the Feide dashboard as a redirect URI under Basic info. Under Permissions, the scopes mentioned under OIDCScope must be accepted. LONGRANDOMSTRING is a long, random string without whitespace that can be generated by anything.
The corresponding NAV configuration:

    [remote-user]
    enabled = yes
    varname = HTTP_OIDC_CLAIM_DATAPORTEN_USERID_SEC
    logout-url = /oidc/?logout=
    workaround = feide-oidc
“oidc” in the logout-url is the same URL as the oidc block in the apache configuration and the redirect URI in the Feide dashboard.
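The three values that must agree between the apache vhost and the NAV [remote-user] section (the /oidc Location, the logout-url path, and the claim that becomes varname) can be checked mechanically before reloading apache. The following script is an added example, not code from NAV or mod_auth_openidc; it assumes the plugin's default claim header prefix OIDC_CLAIM_ (which the application sees as HTTP_OIDC_CLAIM_…) and uses the made-up host name nav.example.org in a constructed copy of the configuration above.

```python
import re
from configparser import ConfigParser
from urllib.parse import urlparse

# Constructed sample: the vhost directives from this page, ZZZ filled with a made-up host.
APACHE_CONF = """
<Location /oidc>
    SetHandler none
    AuthType openid-connect
    Require valid-user
</Location>
OIDCRedirectURI https://nav.example.org/oidc/
OIDCOAuthRemoteUserClaim "dataporten-userid_sec"
"""

# Constructed sample: the [remote-user] section from this page.
NAV_CONF = """
[remote-user]
enabled = yes
varname = HTTP_OIDC_CLAIM_DATAPORTEN_USERID_SEC
logout-url = /oidc/?logout=
workaround = feide-oidc
"""

def parse_apache(text):
    """Collect OIDC* directives (quotes stripped) and the <Location> paths."""
    directives = dict(re.findall(r'^\s*(OIDC\w+)\s+"?([^"\n]+?)"?\s*$', text, re.M))
    locations = {p.rstrip("/") for p in re.findall(r'^\s*<Location\s+(\S+)>', text, re.M)}
    return directives, locations

def check_consistency(apache_text, nav_text):
    """Return the mismatches between the vhost and the [remote-user] section.

    Checks: the OIDCRedirectURI path has its own <Location> block, logout-url starts
    at that same path, and varname is the CGI form of the OIDC_CLAIM_<claim> header.
    """
    directives, locations = parse_apache(apache_text)
    ini = ConfigParser()
    ini.read_string(nav_text)
    remote_user = ini["remote-user"]
    problems = []
    redirect_path = urlparse(directives.get("OIDCRedirectURI", "")).path.rstrip("/")
    if redirect_path not in locations:
        problems.append(f"no <Location {redirect_path}/> block for OIDCRedirectURI")
    logout_path = urlparse(remote_user.get("logout-url", "")).path.rstrip("/")
    if logout_path != redirect_path:
        problems.append(f"logout-url path {logout_path!r} != redirect path {redirect_path!r}")
    claim = directives.get("OIDCOAuthRemoteUserClaim", "")
    expected = "HTTP_OIDC_CLAIM_" + claim.upper().replace("-", "_")  # assumed default prefix
    if remote_user.get("varname") != expected:
        problems.append(f"varname should be {expected}")
    return problems
```

Run `check_consistency` on the real files' contents; an empty list means the three values agree.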