{"id":21980650,"url":"https://github.com/stormpath/stormpath-mod-authnz-external","last_synced_at":"2025-04-30T05:04:15.960Z","repository":{"id":25683451,"uuid":"29119428","full_name":"stormpath/stormpath-mod-authnz-external","owner":"stormpath","description":"Using Stormpath to secure the Apache web server","archived":false,"fork":false,"pushed_at":"2017-03-06T23:57:23.000Z","size":14,"stargazers_count":5,"open_issues_count":0,"forks_count":3,"subscribers_count":5,"default_branch":"master","last_synced_at":"2025-04-30T05:04:11.308Z","etag":null,"topics":[],"latest_commit_sha":null,"homepage":null,"language":"Shell","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"apache-2.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/stormpath.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null}},"created_at":"2015-01-12T04:57:24.000Z","updated_at":"2019-08-13T15:59:59.000Z","dependencies_parsed_at":"2022-07-16T23:06:57.065Z","dependency_job_id":null,"html_url":"https://github.com/stormpath/stormpath-mod-authnz-external","commit_stats":null,"previous_names":[],"tags_count":0,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/stormpath%2Fstormpath-mod-authnz-external","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/stormpath%2Fstormpath-mod-authnz-external/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/stormpath%2Fstormpath-mod-authnz-external/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/stormpath%2Fstormpath-mod-authnz-external/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/stormpath","download_url":"https://code
load.github.com/stormpath/stormpath-mod-authnz-external/tar.gz/refs/heads/master","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":251644843,"owners_count":21620632,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":[],"created_at":"2024-11-29T17:12:30.399Z","updated_at":"2025-04-30T05:04:15.941Z","avatar_url":"https://github.com/stormpath.png","language":"Shell","readme":"# Stormpath is Joining Okta\nWe are incredibly excited to announce that [Stormpath is joining forces with Okta](https://stormpath.com/blog/stormpaths-new-path?utm_source=github\u0026utm_medium=readme\u0026utm-campaign=okta-announcement). Please visit [the Migration FAQs](https://stormpath.com/oktaplusstormpath?utm_source=github\u0026utm_medium=readme\u0026utm-campaign=okta-announcement) for a detailed look at what this means for Stormpath users.\n\nWe're available to answer all questions at [support@stormpath.com](mailto:support@stormpath.com).\n\n# stormpath-mod-authnz-external\n\nUse Stormpath to secure the Apache web server!\n\nThe instructions below are specific to Ubuntu/Debian, but the steps are mostly the same for \\*nix installations (albeit with different commands - `yum` instead of `apt-get`, etc.).\n\n1. Ensure Apache 2.4 or later is installed:\n\n    ```bash\n    sudo apt-get install apache2\n    ```\n2.  Ensure the Apache `mod_authnz_external` and `pwauth` modules are installed:\n\n    ```bash\n    sudo apt-get install libapache2-mod-authnz-external pwauth\n    ```\n\n3.  
Ensure these modules are enabled:\n\n    ```bash\n    sudo a2enmod authnz_external\n    sudo a2enmod pwauth\n    ```\n\n4.  Download the `stormpath.sh` shell script that will be executed by `mod_authnz_external` during a login attempt:\n\n    ```bash\n    curl -O https://raw.githubusercontent.com/stormpath/stormpath-mod-authnz-external/master/stormpath.sh\n    ```\n\n5.  Ensure the downloaded file is executable by the apache2 system user (e.g. `www-data` on Ubuntu).  You will also likely want to assign group ownership to the apache system user as well.  For example:\n\n    ```bash\n    sudo chgrp www-data stormpath.sh\n    chmod ug+x stormpath.sh\n    ```\n\n6.  Update your host (or virtual host) configuration to reference the `stormpath.sh` authentication script.  For example, assuming a host `foo.com`:\n\n    ```apache\n    \u003cVirtualHost *:443\u003e\n\n        ServerName foo.com\n        ServerAdmin webmaster@foo.com\n\n        ErrorLog ${APACHE_LOG_DIR}/foo.com.error.log\n        CustomLog ${APACHE_LOG_DIR}/foo.com.access.log combined\n\n        DocumentRoot /var/www/vhosts/foo.com\n\n        DefineExternalAuth stormpath pipe \"/PATH/TO/stormpath.sh /PATH/TO/YOUR/stormpath/apiKey.properties YOUR_STORMPATH_APPLICATION_HREF\"\n\n        \u003cDirectory /var/www/vhosts/foo.com/downloads\u003e\n            AuthType Basic\n            AuthName \"Authenticated Users Only\"\n            AuthBasicProvider external\n            AuthExternal stormpath\n            require valid-user\n        \u003c/Directory\u003e\n\n    \u003c/VirtualHost\u003e\n    ```\n\n    where:\n\n    * `/PATH/TO/stormpath.sh` is the path on your local filesystem to the `stormpath.sh` file you downloaded\n    * `/PATH/TO/YOUR/stormpath/apiKey.properties` is the path on your local filesystem to your personal stormpath `apiKey.properties` file.  This *must* begin with `/`, i.e. it must be a fully qualified path to a file on your operating system.  
It must also be readable by the apache system user (e.g. `www-data`)\n    * `YOUR_STORMPATH_APPLICATION_HREF` is the fully qualified `href` of your application record in Stormpath for which users must authenticate.\n\nIn the above example, the `require valid-user` line ensures that only authenticated users of the referenced Stormpath application may access anything in the `/var/www/vhosts/foo.com/downloads` directory.\n\n## Authorization via groups\n\nIn addition to authenticating the users, you can also require them to be in\na specific group or groups. To configure the group membership check:\n\n1. Install the `jq` command line tool (needed to parse JSON responses):\n\n    ```bash\n    sudo apt-get install jq\n    ```\n\n2.  Download the `stormpath-group.sh` shell script that will be executed by `mod_authnz_external` to check group membership (also make sure it's owned by\nand executable by the apache2 system user as in step 5 above):\n    ```bash\n    curl -O https://raw.githubusercontent.com/stormpath/stormpath-mod-authnz-external/master/stormpath-group.sh\n    ```\n\n3. Update your apache2 host configuration to reference the `stormpath-group.sh`\nscript for group membership checks. 
Assuming a configuration like the above,\nextend it to something like:\n    ```apache\n    \u003cVirtualHost *:443\u003e\n\n        ServerName foo.com\n        ServerAdmin webmaster@foo.com\n\n        ErrorLog ${APACHE_LOG_DIR}/foo.com.error.log\n        CustomLog ${APACHE_LOG_DIR}/foo.com.access.log combined\n\n        DocumentRoot /var/www/vhosts/foo.com\n\n        DefineExternalAuth stormpath pipe \"/PATH/TO/stormpath.sh /PATH/TO/YOUR/stormpath/apiKey.properties YOUR_STORMPATH_APPLICATION_HREF\"\n        DefineExternalGroup stormpath pipe \"/PATH/TO/stormpath-group.sh /PATH/TO/YOUR/stormpath/apiKey.properties USERNAME_OR_EMAIL ANY_OR_ALL\"\n\n        \u003cDirectory /var/www/vhosts/foo.com/downloads\u003e\n            AuthType Basic\n            AuthName \"Authorized Users Only\"\n            AuthBasicProvider external\n            AuthExternal stormpath\n            GroupExternal stormpath\n            \u003cRequireAll\u003e\n                require valid-user\n                require external-group YOUR_STORMPATH_GROUP_HREF\n            \u003c/RequireAll\u003e\n        \u003c/Directory\u003e\n\n    \u003c/VirtualHost\u003e\n    ```\n\n    where:\n\n    * `USERNAME_OR_EMAIL` is either `username` if your users are logging in using their username, or `email` if your users are logging in using their email\n    * `YOUR_STORMPATH_GROUP_HREF` is the fully qualified href of the Stormpath group record that the user must belong to in order to be authorized, or a list of space-separated group hrefs; note that this href (or list) must not be in double quotes.\n    * `ANY_OR_ALL` is an optional keyword and must be either `all` (the default if not specified), meaning the user must be a member of all listed groups, or `any`, meaning the user must be a member of at least one listed 
group.\n","funding_links":[],"categories":[],"sub_categories":[],"project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fstormpath%2Fstormpath-mod-authnz-external","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fstormpath%2Fstormpath-mod-authnz-external","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fstormpath%2Fstormpath-mod-authnz-external/lists"}