{"id":13641933,"url":"https://github.com/OpenIDC/mod_auth_openidc","last_synced_at":"2025-04-20T12:31:01.932Z","repository":{"id":15454495,"uuid":"18187508","full_name":"OpenIDC/mod_auth_openidc","owner":"OpenIDC","description":"OpenID Certified™ OpenID Connect and FAPI 2 Relying Party module for Apache HTTPd","archived":false,"fork":false,"pushed_at":"2025-04-19T09:34:04.000Z","size":6642,"stargazers_count":1032,"open_issues_count":0,"forks_count":331,"subscribers_count":64,"default_branch":"master","last_synced_at":"2025-04-19T15:36:21.192Z","etag":null,"topics":["apache-httpd","authentication","c","identity","oidc","openid-connect","openidc","openidconnect-client","sso"],"latest_commit_sha":null,"homepage":"https://www.openidc.com","language":"C","has_issues":false,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"apache-2.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/OpenIDC.png","metadata":{"files":{"readme":"README.md","changelog":"ChangeLog","contributing":null,"funding":null,"license":"LICENSE.txt","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":"SECURITY.md","support":null,"governance":null,"roadmap":null,"authors":"AUTHORS","dei":null,"publiccode":null,"codemeta":null,"zenodo":null},"funding":{"github":"OpenIDC"}},"created_at":"2014-03-27T18:54:06.000Z","updated_at":"2025-04-19T09:34:08.000Z","dependencies_parsed_at":"2023-11-27T14:25:29.509Z","dependency_job_id":"e65a012f-3835-40c3-9593-c7d3d4b14da6","html_url":"https://github.com/OpenIDC/mod_auth_openidc","commit_stats":null,"previous_names":["zmartzone/mod_auth_openidc"],"tags_count":115,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/OpenIDC%2Fmod_auth_openidc","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/OpenIDC%2Fmod_auth_openidc/tags","releases_url":"https://repos.ecosyste.ms/ap
i/v1/hosts/GitHub/repositories/OpenIDC%2Fmod_auth_openidc/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/OpenIDC%2Fmod_auth_openidc/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/OpenIDC","download_url":"https://codeload.github.com/OpenIDC/mod_auth_openidc/tar.gz/refs/heads/master","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":249893365,"owners_count":21341437,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["apache-httpd","authentication","c","identity","oidc","openid-connect","openidc","openidconnect-client","sso"],"created_at":"2024-08-02T01:01:25.841Z","updated_at":"2025-04-20T12:31:01.915Z","avatar_url":"https://github.com/OpenIDC.png","language":"C","readme":"[![Build Status](https://github.com/OpenIDC/mod_auth_openidc/actions/workflows/build.yml/badge.svg)](https://github.com/OpenIDC/mod_auth_openidc/actions/workflows/build.yml)\n[\u003cimg width=\"184\" height=\"96\" align=\"right\" src=\"http://openid.net/wordpress-content/uploads/2016/05/oid-l-certification-mark-l-cmyk-150dpi-90mm.jpg\" alt=\"OpenID Certification\"\u003e](https://openid.net/certification)\n[![CodeQL Analysis](https://github.com/OpenIDC/mod_auth_openidc/actions/workflows/codeql-analysis.yml/badge.svg)](https://github.com/OpenIDC/mod_auth_openidc/actions/workflows/codeql-analysis.yml)\n[![Coverity Scan Build Status](https://scan.coverity.com/projects/31119/badge.svg)](https://scan.coverity.com/projects/openidc-mod_auth_openidc)\n\nmod_auth_openidc\n================\n\n*mod_auth_openidc* is 
an OpenID Certified™ authentication and authorization module for the Apache 2.x\nHTTP server that implements the OpenID Connect 1.x and FAPI 2.x Relying Party functionality.\n\nOverview\n--------\n\nThis module enables an Apache 2.x web server to operate as an [OpenID Connect](http://openid.net/specs/openid-connect-core-1_0.html)\n*Relying Party* (RP) towards an OpenID Connect *Provider* (OP). It relays end user authentication to a Provider and\nreceives user identity information from that Provider. It then passes on that identity information (a.k.a. claims)\nto applications protected by the Apache web server and establishes an authentication session for the identified user.\n\nThe protected content, applications and services can be hosted by the Apache server itself or served from\norigin server(s) residing behind it by configuring Apache as a Reverse Proxy in front of those servers. The \nlatter allows for adding OpenID Connect based authentication to existing applications/services/SPAs without\nmodifying those applications, possibly migrating them away from legacy authentication mechanisms to standards-based\nOpenID Connect Single Sign On (SSO).\n\nBy default the module sets the `REMOTE_USER` variable to the `id_token` `[sub]` claim, concatenated with the OP's Issuer\nidentifier (`[sub]@[iss]`). Other `id_token` claims are passed in HTTP headers and/or environment variables together with those\n(optionally) obtained from the UserInfo endpoint. The provided HTTP headers and environment variables can be consumed by\napplications protected by the Apache server.\n\nCustom fine-grained authorization rules - based on Apache's `Require` primitives - can be specified to match against the\nset of claims provided in the `id_token`/ `userinfo` claims, see [here](https://github.com/OpenIDC/mod_auth_openidc/wiki/Authorization). 
\nClustering for resilience and performance can be configured using one of the supported cache backend options as\nlisted [here](https://github.com/OpenIDC/mod_auth_openidc/wiki/Caching).\n\nFor a complete overview of all configuration options, see the file [`auth_openidc.conf`](https://github.com/OpenIDC/mod_auth_openidc/blob/master/auth_openidc.conf). \nThis file can also serve as an include file for `httpd.conf`.\n\nHow to Use It  \n-------------\n\n1. install and load `mod_auth_openidc.so` in your Apache server\n1. set `OIDCRedirectURI` to a \"vanity\" URL within a location that is protected by mod_auth_openidc\n1. configure a random password in `OIDCCryptoPassphrase` for session/state encryption purposes\n1. configure `OIDCProviderMetadataURL` so it points to the Discovery metadata of your OpenID Connect Provider served on the `.well-known/openid-configuration` endpoint\n1. register/generate a Client identifier and a secret with the OpenID Connect Provider and configure those in `OIDCClientID` and `OIDCClientSecret` respectively\n1. register the `OIDCRedirectURI` configured above as the Redirect or Callback URI for your client at the Provider\n1. 
configure your protected content/locations with `AuthType openid-connect`\n\nA minimal working configuration would look like:\n```apache\nLoadModule auth_openidc_module modules/mod_auth_openidc.so\n\n# OIDCRedirectURI is a vanity URL that must point to a path protected by this module but must NOT point to any content\nOIDCRedirectURI https://\u003chostname\u003e/secure/redirect_uri\nOIDCCryptoPassphrase \u003cpassword\u003e\n\nOIDCProviderMetadataURL \u003cissuer\u003e/.well-known/openid-configuration\nOIDCClientID \u003cclient_id\u003e\nOIDCClientSecret \u003cclient_secret\u003e\n\n\u003cLocation /secure\u003e\n   AuthType openid-connect\n   Require valid-user\n\u003c/Location\u003e\n```\nFor claims-based authorization with `Require claim:` directives see the [Wiki page on Authorization](https://github.com/OpenIDC/mod_auth_openidc/wiki/Authorization). For details on configuring multiple providers see the [Wiki](https://github.com/OpenIDC/mod_auth_openidc/wiki/Multiple-Providers).\n\n### Quickstart for specific Providers\n\n- [Keycloak](https://github.com/OpenIDC/mod_auth_openidc/wiki/Keycloak)\n- [Microsoft Entra ID (Azure AD)](https://github.com/OpenIDC/mod_auth_openidc/wiki/Microsoft-Entra-ID--(Azure-AD))\n- [Google Accounts](https://github.com/OpenIDC/mod_auth_openidc/wiki/Google-Accounts)\n- [Sign in with Apple](https://github.com/OpenIDC/mod_auth_openidc/wiki/Sign-in-with-Apple)\n- [GLUU Server](https://github.com/OpenIDC/mod_auth_openidc/wiki/Gluu-Server)\n- [Curity Identity Server](https://github.com/OpenIDC/mod_auth_openidc/wiki/Curity-Identity-Server)\nand [more](https://github.com/OpenIDC/mod_auth_openidc/wiki/Useful-Links)\n\nSee the [Wiki](https://github.com/OpenIDC/mod_auth_openidc/wiki) for configuration docs for other OpenID Connect Providers.\n\nInteroperability and Supported Specifications\n---------------------------------------------\n\n*mod_auth_openidc* is [OpenID Certified™](https://openid.net/certification/#OPENID-RP-P) and supports the 
following specifications:\n- [OpenID Connect Core 1.0](http://openid.net/specs/openid-connect-core-1_0.html) *(Basic, Implicit, Hybrid and Refresh flows)*\n- [OpenID Connect Discovery 1.0](http://openid.net/specs/openid-connect-discovery-1_0.html)\n- [OpenID Connect Dynamic Client Registration 1.0](http://openid.net/specs/openid-connect-registration-1_0.html)\n- [RFC 7636 - Proof Key for Code Exchange by OAuth Public Clients](https://datatracker.ietf.org/doc/html/rfc7636)\n- [RFC 9126 - OAuth 2.0 Pushed Authorization Requests](https://datatracker.ietf.org/doc/html/rfc9126)\n- [RFC 9449 - OAuth 2.0 Demonstrating Proof of Possession (DPoP)](https://tools.ietf.org/html/rfc9449)\n- [FAPI 2.0 Security Profile](https://openid.net/specs/fapi-2_0-security-profile-ID2.html)\n- [OAuth 2.0 Form Post Response Mode 1.0](http://openid.net/specs/oauth-v2-form-post-response-mode-1_0.html)\n- [OAuth 2.0 Multiple Response Type Encoding Practices 1.0](http://openid.net/specs/oauth-v2-multiple-response-types-1_0.html)\n- [OpenID Connect Session Management 1.0](http://openid.net/specs/openid-connect-session-1_0.html) *(see the [Wiki](https://github.com/OpenIDC/mod_auth_openidc/wiki/OpenID-Connect-Session-Management) for information on how to configure it)*\n- [OpenID Connect Front-Channel Logout 1.0](http://openid.net/specs/openid-connect-frontchannel-1_0.html)\n- [OpenID Connect Back-Channel Logout 1.0](https://openid.net/specs/openid-connect-backchannel-1_0.html)\n\nSupport\n-------\n\n#### Community\nDocumentation can be found at the Wiki (including Frequently Asked Questions) at:  \n  [https://github.com/OpenIDC/mod_auth_openidc/wiki](https://github.com/OpenIDC/mod_auth_openidc/wiki)  \nFor questions, issues and suggestions use the GitHub Discussions forum at:  \n  [https://github.com/OpenIDC/mod_auth_openidc/discussions](https://github.com/OpenIDC/mod_auth_openidc/discussions)\n\n#### Commercial\nFor commercial - subscription based - support and licensing please contact:  \n  
[sales@openidc.com](mailto:sales@openidc.com)  \n\nDisclaimer\n----------\n\n*This software is open sourced by OpenIDC, a subsidiary of ZmartZone Holding B.V. For commercial services\nyou can contact [OpenIDC](https://www.openidc.com) as described above in the [Support](#support) section.*\n","funding_links":["https://github.com/sponsors/OpenIDC"],"categories":["Relying Parties (RP) Libraries","C","Client Library"],"sub_categories":["C","Other"],"project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2FOpenIDC%2Fmod_auth_openidc","html_url":"https://awesome.ecosyste.ms/projects/github.com%2FOpenIDC%2Fmod_auth_openidc","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2FOpenIDC%2Fmod_auth_openidc/lists"}