Integrating Solid with Apache mod_auth_openidc

ztein · March 10, 2019, 4:36pm

First the good news: I’ve managed to integrate the mod_auth_openidc module with the Solid OpenID provider, and it works pretty smooth! This module is very flexible and can be used to authenticate Solid WebID accounts for restricted web areas and backend apps, either directly with the Apache Require directive, or by passing the authenticated REMOTE_USER variable to backend applications written in PHP or whatever.

Very handy if you got Apache apps you want to authenticate with your Solid POD! I’ll provide an example of my setup below - it’s a pretty much standard config from the mod_auth_openidc docs, with a couple of tweaks.

More info about the mod_auth_openidc module here - it can do a lot of interesting OpenID stuff: https://github.com/zmartzone/mod_auth_openidc/

There is one problem with my integration though - the module tries to access the userinfo endpoint on the Solid server (ie. https://your.solid.domain/userinfo , as announced in the Solid servers openid_configration), but the server never returns anything and just hangs. I’m not sure if this is a configuration problem, installation problem or a bug - or maybe the userinfo endpoint is just not implemented in Solid yet?

Anyway, the module still works but hangs for a while whenever it tries to do this, so I’ve just reduced the timeout to 5 seconds for now. Dirty, but for science!

Here’s my current config - and if anyone needs more specific instructions, I can try to write a more detailed guide:

<VirtualHost *:443>
    
ServerName yoursite.example.org
DocumentRoot /srv/www/yoursite.example.org

SSLCertificateFile /etc/letsencrypt/live/yoursite.example.org/fullchain.pem
SSLCertificateKeyFile /etc/letsencrypt/live/yoursite.example.org/privkey.pem
Include /etc/letsencrypt/options-ssl-apache.conf

# Fetch the providers configuration details for automatic setup
OIDCProviderMetadataURL https://your.solid.domain/.well-known/openid-configuration

# Your servers client ID, same as the one used in the client registration process
OIDCClientID yoursite

# Your servers client password, must match the one returned by the OP during registration
OIDCClientSecret 53053dsfdsgdsgdsgdsgdsgds898gsdd40152a979fb7

# OIDCRedirectURI is a vanity URL that must point to a path protected by this module but must NOT 
# point to any content
OIDCRedirectURI https://yoursite.example.org/secure/redirect_uri

# Generate a unique passphrase for the local storage
OIDCCryptoPassphrase dsfds432j432j4j3j423j2

# Set the REMOTE_USER variable based on the solid user domain in the WebID
# (ie. from https://user.your.solid.domain/profile/card#me to user.your.solid.domain)
OIDCRemoteUserClaim sub ^https://(.*)/profile

# Reduce timeout (default 60) as a dirty work around for problem with Solids /userinfo
OIDCHTTPTimeoutLong 5

<Location /secure>
   AuthType openid-connect
   Require valid-user
</Location>

</VirtualHost>

Topic		Replies	Views
Created a Perl client for Solid-OIDC Build a Solid App	1	469	February 25, 2021
Why can't I login to this forum with my WebID? Self Host a Solid Pod	9	1957	November 23, 2018
Trying to use alternative IdPs for solid pod Use Solid	5	422	November 4, 2022
How to use another identity provider with the solid community server locally	5	792	October 25, 2021
Third Party OIDC Identity Provider: How to set up	1	373	May 10, 2022

Integrating Solid with Apache mod_auth_openidc

Related Topics