Integrating Solid with Apache mod_auth_openidc

First the good news: I’ve managed to integrate the mod_auth_openidc module with the Solid OpenID provider, and it works pretty smooth! This module is very flexible and can be used to authenticate Solid WebID accounts for restricted web areas and backend apps, either directly with the Apache Require directive, or by passing the authenticated REMOTE_USER variable to backend applications written in PHP or whatever.

Very handy if you got Apache apps you want to authenticate with your Solid POD! I’ll provide an example of my setup below - it’s a pretty much standard config from the mod_auth_openidc docs, with a couple of tweaks.

More info about the mod_auth_openidc module here - it can do a lot of interesting OpenID stuff: https://github.com/zmartzone/mod_auth_openidc/

There is one problem with my integration though - the module tries to access the userinfo endpoint on the Solid server (ie. https://your.solid.domain/userinfo , as announced in the Solid servers openid_configration), but the server never returns anything and just hangs. I’m not sure if this is a configuration problem, installation problem or a bug - or maybe the userinfo endpoint is just not implemented in Solid yet?

Anyway, the module still works but hangs for a while whenever it tries to do this, so I’ve just reduced the timeout to 5 seconds for now. Dirty, but for science!

Here’s my current config - and if anyone needs more specific instructions, I can try to write a more detailed guide:

<VirtualHost *:443>
    
ServerName yoursite.example.org
DocumentRoot /srv/www/yoursite.example.org

SSLCertificateFile /etc/letsencrypt/live/yoursite.example.org/fullchain.pem
SSLCertificateKeyFile /etc/letsencrypt/live/yoursite.example.org/privkey.pem
Include /etc/letsencrypt/options-ssl-apache.conf

# Fetch the providers configuration details for automatic setup
OIDCProviderMetadataURL https://your.solid.domain/.well-known/openid-configuration

# Your servers client ID, same as the one used in the client registration process
OIDCClientID yoursite

# Your servers client password, must match the one returned by the OP during registration
OIDCClientSecret 53053dsfdsgdsgdsgdsgdsgds898gsdd40152a979fb7

# OIDCRedirectURI is a vanity URL that must point to a path protected by this module but must NOT 
# point to any content
OIDCRedirectURI https://yoursite.example.org/secure/redirect_uri

# Generate a unique passphrase for the local storage
OIDCCryptoPassphrase dsfds432j432j4j3j423j2

# Set the REMOTE_USER variable based on the solid user domain in the WebID
# (ie. from https://user.your.solid.domain/profile/card#me to user.your.solid.domain)
OIDCRemoteUserClaim sub ^https://(.*)/profile

# Reduce timeout (default 60) as a dirty work around for problem with Solids /userinfo
OIDCHTTPTimeoutLong 5

<Location /secure>
   AuthType openid-connect
   Require valid-user
</Location>

</VirtualHost>