===========================
libapache2-mod-auth-openidc
===========================

This is an OpenID Connect *Relying Party*, to connect to an OpenID
Connect Identity Provider e.g. :doc:`lemonldap-ng`.

Test install for bullseye/buster::

  apt install libapache2-mod-auth-openidc apache2
  a2enmod auth_openidc 

  # https://github.com/OpenIDC/mod_auth_openidc/wiki/LemonLDAP::NG
  cat <<'EOF' >> /etc/apache2/mods-enabled/auth_openidc.conf
  OIDCProviderMetadataURL http://auth.example.com/.well-known/openid-configuration
  OIDCClientID openidc
  OIDCClientSecret secret
  OIDCRedirectURI http://test1.example.com/redirect_uri
  OIDCCryptoPassphrase test
  EOF

  # https://lemonldap-ng.org/documentation/latest/cli_examples#register-an-openid-connect-relying-party
  /usr/share/lemonldap-ng/bin/lemonldap-ng-cli -yes 1 \
      addKey \
          oidcRPMetaDataExportedVars/testrp email mail \
          oidcRPMetaDataExportedVars/testrp family_name sn \
          oidcRPMetaDataExportedVars/testrp name cn

  /usr/share/lemonldap-ng/bin/lemonldap-ng-cli -yes 1 \
      addKey \
          oidcRPMetaDataOptions/testrp oidcRPMetaDataOptionsClientID openidc \
          oidcRPMetaDataOptions/testrp oidcRPMetaDataOptionsClientSecret secret
  /usr/share/lemonldap-ng/bin/lemonldap-ng-cli -yes 1 \
      addKey \
          oidcRPMetaDataOptions/testrp oidcRPMetaDataOptionsRedirectUris 'http://test1.example.com/redirect_uri' \
          oidcRPMetaDataOptions/testrp oidcRPMetaDataOptionsPostLogoutRedirectUris 'http://test1.example.com/'

  /usr/share/lemonldap-ng/bin/lemonldap-ng-cli -yes 1 \
      addKey \
          oidcRPMetaDataOptions/testrp  oidcRPMetaDataOptionsIDTokenSignAlg RS512 \
          oidcRPMetaDataOptions/testrp  oidcRPMetaDataOptionsIDTokenExpiration 3600 \
          oidcRPMetaDataOptions/testrp oidcRPMetaDataOptionsAccessTokenExpiration 3600

  cat <<'EOF' > /etc/apache2/sites-available/test1.conf
  <VirtualHost "*:80">
      ServerName test1.example.com
      DocumentRoot /var/www/test1/
      <Location "/">
          AuthType openid-connect
          Require valid-user
          AddHandler cgi-script .cgi
          Options +ExecCGI
      </Location>
  </VirtualHost>
  EOF

  mkdir /var/www/test1/
  cat <<'EOF' > /var/www/test1/index.cgi
  #!/bin/bash
  echo "Content-Type: text/plain"
  echo
  echo "Welcome $REMOTE_USER"
  echo
  env
  EOF
  chmod 755 /var/www/test1/index.cgi

  a2ensite test1
  a2enmod cgid
  service apache2 restart

  # http://test1.example.com/


| Copyright (C) 2025  Sylvain Beucler