2

我有一个在 apache 2.2 上运行并且没有任何身份验证的基本 Web 应用程序。网站内容是静态网页。
我们的小组织目前正在为所有网站实施mod_auth_openidc
我想在基本的静态 Web 应用程序之上实现mod_auth_openidc身份验证。

我怎样才能实现它?
我是 apache 配置和mod_auth_openidc的新手。我用谷歌搜索了一些文章来实现它,但我找不到任何文章。我在 Oauth2 服务器上为我的应用程序创建了一个静态帐户。

有人可以指出我如何使用mod_auth_openidcmod_proxy配置为我的静态网页应用程序启用身份验证的正确方向吗?

<Location />
   AuthType openid-connect
   Require valid-user
</Location>
OIDCProviderMetadataURL https://example.com/fss/.well-known/openid-configuration
OIDCClientID ExampleCorp_Prod_web01
OIDCClientSecret <client-secret>
OIDCRedirectURI http://<ip>/redirect_uri
OIDCScope "profile openid"
OIDCCryptoPassphrase example@3003
OIDCCookiePath /
ProxyPass /  http://<ip>:8080/ nocanon
ProxyPassReverse / http://<ip>:8080/
ProxyRequests     Off
AllowEncodedSlashes on
<Proxy http://<ip>:8080/*>
</Proxy>
OIDCAuthNHeader X-Forwarded-User
OIDCRemoteUserClaim sub
OIDCClaimPrefix example_
LoadModule auth_openidc_module modules/mod_auth_openidc.so
4

1 回答 1

4

Github 项目页面上的 README 中有示例:https ://github.com/zmartzone/mod_auth_openidc 。假设静态网页继续存在/example,在您的特定(PingFederate)示例中,它将类似于:

OIDCProviderMetadataURL https://<pingfederate-host>:9031/.well-known/openid-configuration

OIDCClientID <client-id-as-registered-with-pingfederate>
OIDCClientSecret <client-secret-as-registered-with-pingfederate>

OIDCRedirectURI https://<your-apache-host>/example/redirect_uri/
OIDCCryptoPassphrase <password>
OIDCScope "openid email profile"

<Location /example/>
   AuthType openid-connect
   Require valid-user
</Location>

基于 OPs 环境的完整工作示例:

Listen 80
User www
Group www
DocumentRoot /opt/local/apache2/htdocs/
ErrorLog "logs/error_log"
LogLevel info
ServerName example.org

LoadModule ssl_module modules/mod_ssl.so
LoadModule authz_user_module   modules/mod_authz_user.so
LoadModule auth_openidc_module modules/mod_auth_openidc.so

LoadModule proxy_module modules/mod_proxy.so
LoadModule proxy_http_module modules/mod_proxy_http.so

<Location />
   AuthType openid-connect
   Require valid-user
</Location>

OIDCProviderMetadataURL https://accounts.google.com/.well-known/openid-configuration
OIDCClientID myclientid
OIDCClientSecret mysecret
OIDCRedirectURI http://example.org/protected/
OIDCScope "profile openid"
OIDCCryptoPassphrase example@3003
OIDCCookiePath /

ProxyPass /  http://192.168.10.1:80/ nocanon
ProxyPassReverse / http://192.168.10.1:80/
ProxyRequests     Off
AllowEncodedSlashes on
<Proxy http://192.168.10.1:8080/*>
</Proxy>

OIDCAuthNHeader X-Forwarded-User
OIDCRemoteUserClaim sub
OIDCClaimPrefix example_
于 2016-04-17T08:53:10.477 回答