This is a sample configuration for the Apache web server using the OpenID Connect module mod_auth_openidc.
- Configure the Stanford OP metadata download URL (also known as the discovery URL). The following example uses the UAT environment:

```apache
OIDCProviderMetadataURL https://login.stanford.edu/.well-known/openid-configuration
```
- List your application's redirect URI, which you have already registered with the OP:

```apache
OIDCRedirectURI https://${ServerName}/secure/callback
```
- Pass the secrets in at run time:

```apache
OIDCClientID ${OIDCCLIENTID}
OIDCClientSecret ${OIDCCLIENTSECRET}
OIDCCryptoPassphrase ${OIDCCRYPTOPASSPHRASE}
```

  - OIDCClientID and OIDCClientSecret are provided by the OP.
  - OIDCCryptoPassphrase is a password set by you and known only to your application; it is used for crypto purposes such as encrypting the state cookie and cache entries. See the doc for details.
  - Apache resolves `${VAR}` from Define directives or from the environment of the httpd process, so the secret values themselves need not appear in the configuration file.
- Specify the scope:

```apache
OIDCScope "openid email profile"
```
- Add PKCE:

```apache
OIDCPKCEMethod S256
```

  Assuming this is a browser-based application, the authorization code flow with PKCE is recommended by OAuth 2.0 for Browser-Based Apps and the latest OAuth 2.0 Security Best Current Practice.
- Protect your content with openid-connect.
  - Example 1: Protect location "/secure" with SSO via OIDC.

```apache
<Location "/secure">
    AuthType openid-connect
    Require valid-user
</Location>
```

  - Example 2: Protect location "/refeds" with SSO and only allow access if the user has a stanford.edu based email.

```apache
<Location "/refeds">
    AuthType openid-connect
    # The '.' in the domain is escaped so that only the literal stanford.edu domain matches.
    Require claim "email~^[a-zA-Z0-9_]+@stanford\.edu$"
</Location>
```

  - Example 3: Protect location "/member" with SSO and only allow access if the user has a stanford.edu based email and also has either staff, student or faculty affiliation.
    - See the doc for more authorization details.
    - This example requires the client to have eduperson_scoped_affiliation in its scope.

```apache
<Location "/member">
    # AuthType must sit outside <RequireAll>, which accepts only Require directives.
    AuthType openid-connect
    <RequireAll>
        Require claim "email~^[a-zA-Z0-9_]+@stanford\.edu$"
        # Anchored and dot-escaped so that only values of the exact form affiliation@stanford.edu match.
        Require claim "eduPersonScopedAffiliation~^(member|staff|faculty|student)@stanford\.edu$"
    </RequireAll>
    LogLevel debug
</Location>
```
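The claim regexes in Examples 2 and 3 decide authorization, so an unescaped `.` or a missing anchor widens what is accepted. The following added example (not part of the original configuration or of mod_auth_openidc itself) emulates the `Require claim name~regex` check in Python, assuming the regex is applied as a search against each value of a possibly multi-valued claim, and compares unescaped, unanchored forms of the patterns with escaped, anchored ones on constructed claim sets.

```python
import re

# Emulates mod_auth_openidc's `Require claim <name>~<regex>` decision.
# Assumption (not taken from the page): the regex is run as a search against
# each string value of the claim, and a multi-valued (array) claim passes
# when any one of its values matches.
def claim_matches(claims: dict, name: str, pattern: str) -> bool:
    value = claims.get(name)
    if value is None:
        return False                      # claim absent: deny
    values = value if isinstance(value, list) else [value]
    rx = re.compile(pattern)
    return any(isinstance(v, str) and rx.search(v) for v in values)

# Loose forms: '.' matches any character and the affiliation pattern is
# unanchored. Strict forms: escaped dot, anchors, and a local part that may
# contain '.' and '-' (e.g. first.last@stanford.edu).
EMAIL_LOOSE = r"^[a-zA-Z0-9_]+@stanford.edu$"
EMAIL_STRICT = r"^[a-zA-Z0-9_.-]+@stanford\.edu$"
AFFIL_LOOSE = r"(member|staff|faculty|student)@stanford.edu"
AFFIL_STRICT = r"^(member|staff|faculty|student)@stanford\.edu$"

def member_access(claims: dict, email_rx: str = EMAIL_STRICT,
                  affil_rx: str = AFFIL_STRICT) -> bool:
    """Mirror of the /member <RequireAll> block: both checks must pass."""
    return (claim_matches(claims, "email", email_rx)
            and claim_matches(claims, "eduPersonScopedAffiliation", affil_rx))

# Constructed sample claim sets (not real accounts).
STUDENT = {"email": "jane_doe@stanford.edu",
           "eduPersonScopedAffiliation": ["member@stanford.edu", "student@stanford.edu"]}
DOTTED = {"email": "jane.doe@stanford.edu",
          "eduPersonScopedAffiliation": "staff@stanford.edu"}
LOOKALIKE = {"email": "user@stanfordXedu",
             "eduPersonScopedAffiliation": "student@stanford.edu.example.org"}
NO_AFFIL = {"email": "guest@stanford.edu"}

if __name__ == "__main__":
    for label, claims in [("student", STUDENT), ("dotted", DOTTED),
                          ("lookalike", LOOKALIKE), ("no-affiliation", NO_AFFIL)]:
        print(f"{label:15} loose={member_access(claims, EMAIL_LOOSE, AFFIL_LOOSE)!s:5} "
              f"strict={member_access(claims)}")
```

The loose patterns accept the lookalike claim set and reject the legitimate dotted local part; the strict ones do the opposite, which is the behaviour the Location blocks above are meant to enforce.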
- For a sample vhost, see the example.