libapache2-mod-auth-openidc

This is an OpenID Connect Relying Party, used to connect to an OpenID Connect Identity Provider such as LemonLDAP::NG.

Test install for bullseye/buster:

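# Install the Relying Party module and enable it in Apache.
apt install libapache2-mod-auth-openidc apache2
a2enmod auth_openidc

# https://github.com/OpenIDC/mod_auth_openidc/wiki/LemonLDAP::NG
# RP-side settings. ClientID, ClientSecret and RedirectURI must match the RP
# registration done with lemonldap-ng-cli below.
# NOTE: '>>' appends, so re-running this block duplicates the directives.
# 'secret' and 'test' are throwaway values for this test install: the client
# secret authenticates the RP to the provider and the crypto passphrase is
# what the module uses to protect its own cookies/cache, so both need long
# random values anywhere that is not an isolated lab. Everything here is plain
# http: the provider metadata (endpoints, key URI), the login redirects and
# the module's cookies all travel unencrypted.
cat <<'EOF' >> /etc/apache2/mods-enabled/auth_openidc.conf
OIDCProviderMetadataURL http://auth.example.com/.well-known/openid-configuration
OIDCClientID openidc
OIDCClientSecret secret
OIDCRedirectURI http://test1.example.com/redirect_uri
OIDCCryptoPassphrase test
EOF

# https://lemonldap-ng.org/documentation/latest/cli_examples#register-an-openid-connect-relying-party
# Provider-side registration of the RP, named "testrp".
# Claims released to this RP: OIDC claim name -> LemonLDAP session attribute.
/usr/share/lemonldap-ng/bin/lemonldap-ng-cli -yes 1 \
    addKey \
        oidcRPMetaDataExportedVars/testrp email mail \
        oidcRPMetaDataExportedVars/testrp family_name sn \
        oidcRPMetaDataExportedVars/testrp name cn

# Client credentials: same values as in auth_openidc.conf above.
/usr/share/lemonldap-ng/bin/lemonldap-ng-cli -yes 1 \
    addKey \
        oidcRPMetaDataOptions/testrp oidcRPMetaDataOptionsClientID openidc \
        oidcRPMetaDataOptions/testrp oidcRPMetaDataOptionsClientSecret secret

# Redirect URIs the provider accepts for this RP (login return and
# post-logout landing page); the login one must equal OIDCRedirectURI above.
/usr/share/lemonldap-ng/bin/lemonldap-ng-cli -yes 1 \
    addKey \
        oidcRPMetaDataOptions/testrp oidcRPMetaDataOptionsRedirectUris 'http://test1.example.com/redirect_uri' \
        oidcRPMetaDataOptions/testrp oidcRPMetaDataOptionsPostLogoutRedirectUris 'http://test1.example.com/'

# Token settings: RS512-signed ID tokens, one-hour ID and access token lifetime.
/usr/share/lemonldap-ng/bin/lemonldap-ng-cli -yes 1 \
    addKey \
        oidcRPMetaDataOptions/testrp oidcRPMetaDataOptionsIDTokenSignAlg RS512 \
        oidcRPMetaDataOptions/testrp oidcRPMetaDataOptionsIDTokenExpiration 3600 \
        oidcRPMetaDataOptions/testrp oidcRPMetaDataOptionsAccessTokenExpiration 3600

# Test vhost: every path under / requires an authenticated OIDC user, and CGI
# execution is enabled so the index.cgi created below can run.
cat <<'EOF' > /etc/apache2/sites-available/test1.conf
<VirtualHost "*:80">
    ServerName test1.example.com
    DocumentRoot /var/www/test1/
    <Location "/">
        AuthType openid-connect
        Require valid-user
        AddHandler cgi-script .cgi
        Options +ExecCGI
    </Location>
</VirtualHost>
EOF

# -p so the block can be re-run once the directory exists.
mkdir -p /var/www/test1/
# Minimal CGI showing who is logged in. 'env' dumps the whole CGI environment,
# including whatever the module exports into it (claim variables, and the
# access token if it is passed to the backend) — acceptable for a throwaway
# test, not for anything reachable by other users. The text/plain content
# type means $REMOTE_USER is not rendered as HTML.
cat <<'EOF' > /var/www/test1/index.cgi
#!/bin/bash
echo "Content-Type: text/plain"
echo
echo "Welcome $REMOTE_USER"
echo
env
EOF
chmod 755 /var/www/test1/index.cgi

a2ensite test1
a2enmod cgid
service apache2 restart

# Test from a browser: http://test1.example.com/ (login at the provider first).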
Copyright (C) 2025 Sylvain Beucler