-
Notifications
You must be signed in to change notification settings - Fork 327
/
auth_openidc.conf
1129 lines (984 loc) · 71.7 KB
/
auth_openidc.conf
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
418
419
420
421
422
423
424
425
426
427
428
429
430
431
432
433
434
435
436
437
438
439
440
441
442
443
444
445
446
447
448
449
450
451
452
453
454
455
456
457
458
459
460
461
462
463
464
465
466
467
468
469
470
471
472
473
474
475
476
477
478
479
480
481
482
483
484
485
486
487
488
489
490
491
492
493
494
495
496
497
498
499
500
501
502
503
504
505
506
507
508
509
510
511
512
513
514
515
516
517
518
519
520
521
522
523
524
525
526
527
528
529
530
531
532
533
534
535
536
537
538
539
540
541
542
543
544
545
546
547
548
549
550
551
552
553
554
555
556
557
558
559
560
561
562
563
564
565
566
567
568
569
570
571
572
573
574
575
576
577
578
579
580
581
582
583
584
585
586
587
588
589
590
591
592
593
594
595
596
597
598
599
600
601
602
603
604
605
606
607
608
609
610
611
612
613
614
615
616
617
618
619
620
621
622
623
624
625
626
627
628
629
630
631
632
633
634
635
636
637
638
639
640
641
642
643
644
645
646
647
648
649
650
651
652
653
654
655
656
657
658
659
660
661
662
663
664
665
666
667
668
669
670
671
672
673
674
675
676
677
678
679
680
681
682
683
684
685
686
687
688
689
690
691
692
693
694
695
696
697
698
699
700
701
702
703
704
705
706
707
708
709
710
711
712
713
714
715
716
717
718
719
720
721
722
723
724
725
726
727
728
729
730
731
732
733
734
735
736
737
738
739
740
741
742
743
744
745
746
747
748
749
750
751
752
753
754
755
756
757
758
759
760
761
762
763
764
765
766
767
768
769
770
771
772
773
774
775
776
777
778
779
780
781
782
783
784
785
786
787
788
789
790
791
792
793
794
795
796
797
798
799
800
801
802
803
804
805
806
807
808
809
810
811
812
813
814
815
816
817
818
819
820
821
822
823
824
825
826
827
828
829
830
831
832
833
834
835
836
837
838
839
840
841
842
843
844
845
846
847
848
849
850
851
852
853
854
855
856
857
858
859
860
861
862
863
864
865
866
867
868
869
870
871
872
873
874
875
876
877
878
879
880
881
882
883
884
885
886
887
888
889
890
891
892
893
894
895
896
897
898
899
900
901
902
903
904
905
906
907
908
909
910
911
912
913
914
915
916
917
918
919
920
921
922
923
924
925
926
927
928
929
930
931
932
933
934
935
936
937
938
939
940
941
942
943
944
945
946
947
948
949
950
951
952
953
954
955
956
957
958
959
960
961
962
963
964
965
966
967
968
969
970
971
972
973
974
975
976
977
978
979
980
981
982
983
984
985
986
987
988
989
990
991
992
993
994
995
996
997
998
999
1000
########################################################################################
#
# Common Settings
#
########################################################################################
# (Mandatory)
# The redirect_uri for this OpenID Connect client; this is a vanity URL
# that must ONLY point to a path on your server protected by this module
# but it must NOT point to any actual content that needs to be served.
# You can use a relative URL like /protected/redirect_uri if you want to
# support multiple vhosts that belong to the same security domain in a dynamic way
#OIDCRedirectURI https://www.example.com/protected/redirect_uri
# (Mandatory)
# Set a password for crypto purposes, this is used for:
# - encryption of the (temporary) state cookie
# - encryption of cache entries, that may include the session cookie, see: OIDCCacheEncrypt and OIDCSessionType
# Note that an encrypted cache mechanism can be shared between servers if they use the same OIDCCryptoPassphrase
# If the value begins with exec: the resulting command will be executed and the
# first line returned to standard output by the program will be used as the password, e.g:
# OIDCCryptoPassphrase "exec:/bin/bash -c \"head /dev/urandom | tr -dc A-Za-z0-9 | head -c 32\""
# (notice that the above typically only works in non-clustered environments)
# The command may be absolute or relative to the web server root.
#
# A second value can be used temporarily in case of passphrase rollover: the first (i.e. new) passphrase
# will be used for encryption of new values (including a "kid" in the JWEs during the time 2 values are defined),
# both values will be used for verification (leveraging the "kid" if present); for seamless rollover one should
# (at minimum) wait for OIDCSessionInActivityTimeout seconds before removing the 2nd (i.e. old) passprase again.
#OIDCCryptoPassphrase [ <passphrase> | "exec:/path/to/otherProgram arg1" ] [ <previous-passphrase> | "exec:/path/to/otherProgram arg2" ]
#
# All other entries below this are optional though some may be required in a
# particular setup e.g. OAuth 2.0 Resource Server vs. OpenID Connect Relying Party
#
# When using multiple OpenID Connect Providers, possibly combined with Dynamic Client
# Registration and account-based OP Discovery.
# Specifies the directory that holds metadata files (must be writable for the Apache process/user).
# When not specified, it is assumed that we use a single statically configured provider as
# described under the section "OpenID Connect Provider" below, most likely using OIDCProviderMetadataURL.
#OIDCMetadataDir /var/cache/apache2/mod_auth_openidc/metadata
########################################################################################
#
# OpenID Connect Provider
#
# For configuration of a single static provider, not using OpenID Connect Provider Discovery.
#
########################################################################################
# URL where OpenID Connect Provider metadata can be found (e.g. https://accounts.google.com/.well-known/openid-configuration)
# The obtained metadata will be cached and refreshed every 24 hours.
# If set, individual entries below will not have to be configured but can be used to add
# extra entries/endpoints to settings obtained from the metadata.
# If OIDCProviderMetadataURL is not set, the entries below it will have to be configured for a single
# static OP configuration or OIDCMetadataDir will have to be set for configuration of multiple OPs.
#OIDCProviderMetadataURL <url>
# OpenID Connect Provider issuer identifier (e.g. https://localhost:9031 or https://accounts.google.com)
# Used when OIDCProviderMetadataURL is not defined or the metadata obtained from that URL does not set it.
#OIDCProviderIssuer <issuer>
# OpenID Connect Provider Authorization Endpoint URL (e.g. https://localhost:9031/as/authorization.oauth2)
# Used when OIDCProviderMetadataURL is not defined or the metadata obtained from that URL does not set it.
#OIDCProviderAuthorizationEndpoint <authorization_endpoint>
# OpenID Connect Provider JWKS URL (e.g. https://localhost:9031/pf/JWKS)
# i.e. the URL on which the signing keys for this OP are hosted, in JWK formatting
# Used when OIDCProviderMetadataURL is not defined or the metadata obtained from that URL does not set jwks_uri.
#OIDCProviderJwksUri <jwks_url>
# OpenID Connect Provider Signed JWKS URL (e.g. https://localhost:9031/pf/JWKS) followed by the verification key set
# formatted as either JWK or JWKS. The verification key set is used to verify the provided JWKs value.
# Specifying multiple keys allows the OP rotate the key used for signing the JWKs.
# I.e this is the URL on which the ID Token signing keys for this OP are hosted, in verifiable JWT formatting
# rather than relying on TLS for authentication and integrity protection.
# Used when OIDCProviderMetadataURL is not defined or the metadata obtained from that URL does not set signed_jwks_uri.
# When defined it takes precedence over OIDCProviderJwksUri
# Examples:
# OIDCProviderSignedJwksUri https://localhost:9031/pf/JWKS "{\"kty\":\"oct\", \"k\":\"AyM1SysPpbyDfgZld3umj1qzKObwVMkoqQ-EstJQLr_T-1qS0gZH75aKtMN3Yj0iPS4hcgUuTwjAzZr1Z9CAow\"}"
# OIDCProviderSignedJwksUri https://localhost:9031/pf/JWKS "{\"keys\":[{\"kty\":\"oct\", \"k\":\"AyM1SysPpbyDfgZld3umj1qzKObwVMkoqQ-EstJQLr_T-1qS0gZH75aKtMN3Yj0iPS4hcgUuTwjAzZr1Z9CAow\"}]}"
# NB: for multi-OP setups:
# the 1st parameter is not used, it needs to be set anyhow (e.g. to "") if you wish to used the 2nd parameter
# the 2nd parameter is the default verification JWK for content pulled from the signed_jwks_uri for all providers and
# and its can be overridden with a per-provider key in the <issuer>.conf file using the key: signed_jwks_uri_key
#OIDCProviderSignedJwksUri <jwks_url> [ <jwks> | <jwk> ]
# The fully qualified names of the files that contain the X.509 certificates with the RSA/EC public
# keys that can be used for ID Token verification.
# NB: this is one or more key tuples where a key tuple consists of:
# ["sig:"|"enc:"][<key-identifier>#]<path-to-cert>
# and the key identifier part is required when the ID Token contains a "kid" in its header.
# Specify the prefix "sig:" or "enc:" to indicate a key is specifically to be used for signing or encryption.
# When not defined, ID Token validation key material has to be obtained through OIDCProviderJwksUri or OIDCProviderMetadataURL
#OIDCProviderVerifyCertFiles (["sig:"|"enc:"][<kid>#]<filename>)+
# OpenID Connect Provider Token Endpoint URL (e.g. https://localhost:9031/as/token.oauth2)
# Used when OIDCProviderMetadataURL is not defined or the metadata obtained from that URL does not set it.
#OIDCProviderTokenEndpoint <token_endpoint>
# Authentication method for the OpenID Connect Provider Token Endpoint.
# When "private_key_jwt" is used, OIDCPrivateKeyFiles and OIDCPublicKeyFiles must have been set before this directive is applied.
# When not defined the default method from the specification is used, i.e. "client_secret_basic".
# Used when OIDCProviderMetadataURL is not defined or the metadata obtained from that URL does not set it.
# NB: this can be overridden for dynamic client registration on a per-OP basis in the .conf file using the key: token_endpoint_auth
#OIDCProviderTokenEndpointAuth [ client_secret_basic | client_secret_post | client_secret_jwt | private_key_jwt | none ]
# Extra parameters that need to be passed in the POST request to the Token Endpoint.
# Parameter names and values need to be provided in URL-encoded form.
# When not defined no extra parameters will be passed.
# NB: this can be overridden on a per-OP basis in the .conf file using the key: token_endpoint_params
#OIDCProviderTokenEndpointParams <urlencoded-name1>=<urlencoded-value1>[&<urlencoded-nameN>=<urlencoded-valueN>]*
# OpenID Connect Provider UserInfo Endpoint URL (e.g. https://localhost:9031/idp/userinfo.openid)
# When not defined no claims will be resolved from such endpoint.
# Used when OIDCProviderMetadataURL is not defined or the metadata obtained from that URL does not set it.
#OIDCProviderUserInfoEndpoint <user_info_endpoint>
# OpenID OP Check Session iFrame URL, for Session Management purposes.
# When not defined, no Session Management will be applied.
# Used when OIDCProviderMetadataURL is not defined or the metadata obtained from that URL does not set it.
#OIDCProviderCheckSessionIFrame <url>
# OpenID OP End Session Endpoint URL, for Single Logout (Session Management) purposes.
# When not defined, no logout to the OP will be performed.
# Used when OIDCProviderMetadataURL is not defined or the metadata obtained from that URL does not set it.
#OIDCProviderEndSessionEndpoint <url>
# Extra parameters that will be sent along with the Logout Request.
# These must be URL-query-encoded as in: "client_id=myclient&prompt=none".
# This is used against a statically configured (single) OP or serves as the default for discovered OPs.
# The default is to not add extra parameters.
# NB: this can be overridden on a per-OP basis in the .conf file using the key: logout_request_params
#OIDCLogoutRequestParams <query-encoded-string>
# The RFC 7009 Token Revocation Endpoint URL.
# When defined, the refresh token and access token stored in an OIDC session will be revoked on logout.
# Used when OIDCProviderMetadataURL is not defined or the metadata obtained from that URL does not set it.
#OIDCProviderRevocationEndpoint <url>
# The RFC 9126 Pushed Authorization Request endpoint URL.
# When not defined, PAR cannot be used to send authentication requests, see also OIDCProviderAuthRequestMethod
# Used when OIDCProviderMetadataURL is not defined or the metadata obtained from that URL does not set it.
#OIDCProviderPushedAuthorizationRequestEndpoint <url>
# Define whether the OP supports OpenID Connect Back Channel Logout.
# According to: https://openid.net/specs/openid-connect-backchannel-1_0.html
# Used when OIDCProviderMetadataURL is not defined or the metadata obtained from that URL does not set it.
#OIDCProviderBackChannelLogoutSupported [On|Off]
# Extra JSON parameters that need to be passed in the registration request to the Registration Endpoint.
# This settings serves as a default value for multiple OPs only.
# Parameter names and values need to be provided in JSON form and will be merged in to the request.
# When not defined no extra parameters will be passed.
# NB: this can be overridden on a per-OP basis in the .conf file using the key: registration_endpoint_json
#OIDCProviderRegistrationEndpointJson <json-string>
# Define the OpenID Connect scope that is requested from the OP (eg. "openid email profile").
# When not defined, the bare minimal scope "openid" is used.
# NB: multiple scope values must be enclosed in a single pair of double quotes
# NB: this can be overridden on a per-OP basis in the .conf file using the key: scope
#OIDCScope "<scope(s)-separated-by-spaces-and-enclosed-in-double-quotes>"
# Extra parameters that will be sent along with the Authorization Request.
# These must be URL-query-encoded as in: "display=popup&prompt=consent" or
# specific for Google's implementation: "approval_prompt=force".
# This is used against a statically configured (single) OP or serves as the default for discovered OPs.
# As an alternative to this option, one may choose to add the parameters as
# part of the URL set in OIDCProviderAuthorizationEndpoint or "authorization_endpoint"
# in the .provider metadata (though that would not work with Discovery OPs).
#
# One can pass on query parameters from the request to the authorization request by adding
# e.g. "foo=#" which which will dynamically pull in the query parameter value from the
# request query parameter and add it to the authentication request to the OP.
#
# The default is to not add extra parameters.
# NB: this can be overridden on a per-OP basis in the .conf file using the key: auth_request_params
#OIDCAuthRequestParams <query-encoded-string>
# Require a valid SSL server certificate when communicating with the OP.
# (i.e. on token endpoint, UserInfo endpoint and Dynamic Client Registration endpoint)
# When not defined, the default value is "On".
# NB: this can be overridden on a per-OP basis in the .conf file using the key: ssl_validate_server
#OIDCSSLValidateServer [On|Off]
# Sets the path to the CA bundle to be used by cURL
# When not defined, the default bundle for libcurl is used as provided by the platform.
#OIDCCABundlePath <path>
# Require configured issuer to match the issuer returned in id_token.
# (Disable to support Azure AD multi-tenant applications.)
# When not defined, the default value is "On".
#OIDCValidateIssuer [On|Off]
# The refresh interval in seconds for the claims obtained from the userinfo endpoint
# When not defined the claims are retrieved only once, at session creation time.
# If refreshing fails, it is assumed that the access token is expired and an attempt will be made
# to refresh the access token using the refresh token grant, after which a second attempt is made
# to obtain claims from the userinfo endpoint with the new access token.
# NB: this can be overridden on a per-OP basis in the .conf file using the key: userinfo_refresh_interval
# The optional logout_on_error flag will make the user logout the current local session if the userinfo request fails.
# The optional authenticate_on_error flag sends the user for authentication when the userinfo request fails.
#OIDCUserInfoRefreshInterval <seconds> [ logout_on_error | authenticate_on_error | 502_on_error ]
# The refresh interval in seconds for the JWKs key set obtained from the jwks_uri and signed_jwks_uri.
# When not defined the default is 3600 seconds.
# NB: this can be overridden on a per-OP basis in the .conf file using the key: jwks_refresh_interval
# NB: this refresh interval is shared with OIDCOAuthVerifyJwksUri
#OIDCJWKSRefreshInterval <seconds>
# Defines the way in which the access token will be presented to the userinfo endpoint
# "authz_header" means that the token will be presented in an "Authorization: Bearer" header using HTTP GET
# "post_param" means that the token will be presented a form-encoded POST parameter using HTTP POST
# When not defined the default is "authz_header".
# NB: this can be overridden on a per-OP basis in the .conf file using the key: userinfo_token_method
#OIDCUserInfoTokenMethod [authz_header|post_param]
# Defines the HTTP method used to pass the parameters in the Authentication Request to the Authorization Endpoint.
# "GET" means that the parameters will be passed as query parameters in an HTTP GET
# "POST" means that the parameters will be passed as form-post parameters in an HTTP POST
# "PAR" means that parameters will be sent to the Pushed Authorization Endpoint
# When not defined the default is "GET".
# NB: this can be overridden on a per-OP basis in the .conf file using the key: auth_request_method
#OIDCProviderAuthRequestMethod [ GET | POST | PAR ]
# The fully qualified names of the files that contain the PEM-formatted RSA/EC Public key or a X.509 certificates
# that contain the RSA/EC public keys to be used for JWT (OP state/id_token) encryption by the OP.
# One of these keys must correspond to the private keys defined in OIDCPrivateKeyFiles.
# When not defined no encryption will be requested.
# You can also prefix <filename> with a JWK key identifier to manually override the automatically
# generated "kid" that will be used for this key in the JWKs derived from this certificate and
# published at OIDCClientJwksUri.
# Specify the prefix "sig:" or "enc:" to indicate a key is specifically to be used for signing or encryption.
# NB: this can be overridden on a per-OP basis in the .conf file using the key "keys" whose value is a JWK set/array (use=sign)
#OIDCPublicKeyFiles (["sig:"|"enc:"][<kid>#]<filename>)+
# The fully qualified names of the files that contain the PEM-formatted RSA/EC private
# keys that can be used to decrypt content sent to us by the OP.
# These keys must correspond to the public keys defined in OIDCPublicKeyFiles.
# When not defined no decryption will be possible.
# NB: this can be overridden on a per-OP basis in the .conf file using the key "keys" whose value is a JWK set/array (use=enc)
#OIDCPrivateKeyFiles (["sig:"|"enc:"][<kid>#]<filename>)+
########################################################################################
#
# OpenID Connect Client
#
# Settings used by the client in communication with the OpenID Connect Provider(s),
# i.e. in Authorization Requests, Dynamic Client Registration and UserInfo Endpoint access.
# These settings are used when a single static provider is configured and serve as defaults
# when multiple providers are configured.
#
########################################################################################
# The response type (or OpenID Connect Flow) used (this serves as default value for discovered OPs too)
# When not defined the "code" response type is used.
# NB: this can be overridden on a per-OP basis in the .conf file using the key: response_type
#OIDCResponseType ["code"|"id_token"|"id_token token"|"code id_token"|"code token"|"code id_token token"]
# The response mode used (this serves as default value for discovered OPs too)
# When not defined the default response mode for the requested flow (OIDCResponseType) is used.
# NB: this can be overridden on a per-OP basis in the .conf file using the key: response_mode
#OIDCResponseMode [fragment|query|form_post]
# Only used for a single static provider has been configured, see below in OpenID Connect Provider.
# Client identifier used in calls to the statically configured OpenID Connect Provider.
#OIDCClientID <client_id>
# Only used for a single static provider has been configured, see below in OpenID Connect Provider.
# Client secret used in calls to the statically configured OpenID Connect Provider.
# (not used/required in the Implicit Client Profile, i.e. when OIDCResponseType is "id_token")
# If the value begins with exec: the resulting command will be executed and the
# first line returned to standard output by the program will be used as the
# secret. The command may be absolute or relative to the web server root.
#OIDCClientSecret [ <client_secret> | "exec:/path/to/otherProgram argument1" ]
# Filename with the PEM-formatted client certificate used to authenticate the Client in calls to the
# token endpoint of the OAuth 2.0 Authorization server.
# NB: this can be overridden on a per-OP basis in the .conf file using the key: token_endpoint_tls_client_cert
#OIDCClientTokenEndpointCert <filename>
# Filename with the PEM-formatted private key that belongs to the client certificate used to authenticate the
# Client in calls to the token endpoint of the OAuth 2.0 Authorization server.
# NB: this can be overridden on a per-OP basis in the .conf file using the key: token_endpoint_tls_client_key
#OIDCClientTokenEndpointKey <filename>
# Password for the PEM-formatted private key that belongs to the client certificate used to authenticate the
# Client in calls to the token endpoint of the OAuth 2.0 Authorization server.
# If the value begins with exec: the resulting command will be executed and the
# first line returned to standard output by the program will be used as the password.
# The command may be absolute or relative to the web server root.
# NB: this can be overridden on a per-OP basis in the .conf file using the key: token_endpoint_tls_client_key_pwd
#OIDCClientTokenEndpointKeyPassword [ <passphrase> | "exec:/path/to/otherProgram arg1" ]
# The client name that the client registers in dynamic registration with the OP.
# When not defined, no client name will be sent with the registration request.
# NB: this can be overridden on a per-OP basis in the .conf file using the key: client_name
#OIDCClientName <client_name>
# The contacts that the client registers in dynamic registration with the OP.
# Must be formatted as e-mail addresses by specification.
# Single value only; when not defined, no contact e-mail address will be sent with the registration request.
# NB: this can be overridden on a per-OP basis in the .conf file using the key: client_contact
#OIDCClientContact <contact>
# The PKCE method used (this serves as default value for multi-provider OPs too)
# When not defined S256 is used.
# NB: this can be overridden on a per-OP basis in the .conf file using the key: pkce_method
#OIDCPKCEMethod [ S256 | plain | |none ]
# The DPoP mode used (this serves as default value for multi-provider OPs too)
# off: no DPoP token is requested from the OP
# optional: a DPoP token is requested from the OP but we'll continue even if the returned token is Bearer
# required: a DPoP token is requested from the OP and we'll fail if the returned token type is not DPoP
# When not defined "off" is used.
# NB: this can be overridden on a per-OP basis in the .conf file using the key: dpop_mode
# The 2nd parameter is used to optionally enable an API for creating DPoP proofs on:
# <redirect_uri>?dpop=<access_token>&url=<url>[&method=<method][&nonce=<nonce>]
# When not defined "off" is used.
#OIDCDPoPMode [off|optional|required] [on|off]
# (used only in dynamic client registration)
# Define the Client JWKs URL (e.g. https://localhost/protected/?jwks=rsa)") that will be
# used during client registration to point to the JWK set with public keys for this client.
# If not defined the default <redirect_uri>?jwks=rsa will be used, on which a JWK set
# is automatically published based on the OIDCPublicKeyFiles setting so normally you don't
# need to touch this unless this client is on a (test) host that is not reachable from the internet.
# NB: this can be overridden on a per-OP basis in the .conf file using the key: client_jwks_uri
#OIDCClientJwksUri <url>
# The algorithm that the OP should use to sign the id_token.
# When not defined the default that the OP should use by spec is RS256.
# (ES??? algorithms only supported when using OpenSSL >= 1.0)
# NB: this can be overridden on a per-OP basis in the .conf file using the key: id_token_signed_response_alg
#OIDCIDTokenSignedResponseAlg [RS256|RS384|RS512|PS256|PS384|PS512|HS256|HS384|HS512|ES256|ES384|ES512]
# The algorithm that the OP should use to encrypt the Content Encryption Key that is used to encrypt the id_token.
# When not defined the default (by spec) is that the OP does not encrypt the id_token.
# NB: this can be overridden on a per-OP basis in the .conf file using the key: id_token_encrypted_response_alg
#OIDCIDTokenEncryptedResponseAlg [RSA1_5|A128KW|A256KW|RSA-OAEP]
# The algorithm that the OP should use to encrypt to the id_token with the Content Encryption Key.
# If OIDCIDTokenEncryptedResponseAlg is specified, the default for this value is A128CBC-HS256.
# When OIDCIDTokenEncryptedResponseEnc is included, OIDCIDTokenEncryptedResponseAlg MUST also be provided.
# (A256GCM algorithm only supported when using OpenSSL >= 1.0.1)
# NB: this can be overridden on a per-OP basis in the .conf file using the key: id_token_encrypted_response_enc
#OIDCIDTokenEncryptedResponseEnc [A128CBC-HS256|A256CBC-HS512|A256GCM]
# The algorithm that the OP should use to sign the UserInfo response
# When not defined the default (by spec) is that the OP does not sign the response.
# (ES??? algorithms only supported when using OpenSSL >= 1.0)
# NB: this can be overridden on a per-OP basis in the .conf file using the key: userinfo_signed_response_alg
#OIDCUserInfoSignedResponseAlg RS256|RS384|RS512|PS256|PS384|PS512|HS256|HS384|HS512|ES256|ES384|ES512]
# The algorithm that the OP should use to encrypt the Content Encryption Key that is used to encrypt the UserInfo response.
# When not defined the default (by spec) is that the OP does not encrypt the response.
# NB: this can be overridden on a per-OP basis in the .conf file using the key: userinfo_encrypted_response_alg
#OIDCUserInfoEncryptedResponseAlg [RSA1_5|A128KW|A256KW|RSA-OAEP]
# The algorithm that the OP should use to encrypt to encrypt the UserInfo response with the Content Encryption Key
# If OIDCUserInfoEncryptedResponseAlg is specified, the default for this value is A128CBC-HS256.
# When OIDCUserInfoEncryptedResponseEnc is included, OIDCUserInfoEncryptedResponseAlg MUST also be provided.
# (A256GCM algorithm only supported when using OpenSSL >= 1.0.1)
# NB: this can be overridden on a per-OP basis in the .conf file using the key: userinfo_encrypted_response_enc
#OIDCUserInfoEncryptedResponseEnc [A128CBC-HS256|A256CBC-HS512|A256GCM]
########################################################################################
#
# WARNING:
#
# THE OAUTH 2.0 RESOURCE SERVER FUNCTIONALITY IS DEPRECATED NOW AND SUPERSEDED
# BY A SEPARATE MODULE, SEE: https://github.com/OpenIDC/mod_oauth2
#
# OAuth 2.0 Resource Server Settings
#
# Used when this module functions as a Resource Server against an OAuth 2.0 Authorization
# Server, introspecting/validating bearer Access Tokens.
#
########################################################################################
# URL where Authorization Provider Provider metadata can be found (e.g. https://example.com/.well-known/oauth-authorization-server)
# as defined in RFC 8414. The obtained metadata will be cached and refreshed every 24 hours.
# If set, individual entries below will not have to be configured but can be used to add
# extra entries/endpoints to settings obtained from the metadata.
# If OIDCOAuthServerMetadataURL is not set, the endpoint entries below it will have to be configured.
#OIDCOAuthServerMetadataURL <url>
# (Mandatory when introspecting opaque access tokens, Optional when performing local JWT access token validation)
# OAuth 2.0 Authorization Server token introspection endpoint (e.g. https://localhost:9031/as/token.oauth2)
#OIDCOAuthIntrospectionEndpoint <token-introspection-endpoint>
# Client identifier used in token introspection calls to the OAuth 2.0 Authorization server.
#OIDCOAuthClientID <client_id>
# Client secret used in token introspection calls to the OAuth 2.0 Authorization server.
#OIDCOAuthClientSecret <client_secret>
# Authentication method for the OAuth 2.0 Authorization Server introspection endpoint,
# Used to authenticate the client to the introspection endpoint e.g. with a client_id/client_secret
# when OIDCOAuthClientID and OIDCOAuthClientSecret have been set and "client_secret_basic" or "client_secret_post"
# has been configured.
# When "private_key_jwt" is used, OIDCPrivateKeyFiles and OIDCPublicKeyFiles must have been set.
# When not defined "client_secret_basic" is used.
#OIDCOAuthIntrospectionEndpointAuth [ client_secret_basic | client_secret_post | client_secret_jwt | private_key_jwt | bearer_access_token | none ]
# Used when "OIDCOAuthIntrospectionEndpointAuth bearer_access_token" is configured.
# Specifies a static token to be used for authorizing the call to the introspection endpoint.
# If empty, the introspected token will be used for authorization as well.
#OIDCOAuthIntrospectionClientAuthBearerToken [ a-static-bearer-token | ]
# Filename that contains the PEM-formatted client certificate used to authenticate the
# caller in token introspection calls to the OAuth 2.0 Authorization server.
#OIDCOAuthIntrospectionEndpointCert <filename>
# Filename that contains the PEM-formatted private key that belongs to the client certificate used
# to authenticate the caller in token introspection calls to the OAuth 2.0 Authorization server.
#OIDCOAuthIntrospectionEndpointKey <filename>
# Password for the PEM-formatted private key that belongs to the client certificate used to authenticate the
# Client in calls to the token introspection endpoint of the OAuth 2.0 Authorization server.
# If the value begins with exec: the resulting command will be executed and the
# first line returned to standard output by the program will be used as the password.
# The command may be absolute or relative to the web server root.
#OIDCOAuthIntrospectionEndpointKeyPassword [ <passphrase> | "exec:/path/to/otherProgram arg1" ]
# Define the HTTP method to use for the introspection call. Must be GET or POST.
# When not defined the default is POST.
#OIDCOAuthIntrospectionEndpointMethod [POST|GET]
# Extra parameters that need to be passed in the POST request to the Introspection Endpoint.
# Parameter names and values need to be provided in URL-encoded form.
# When not defined no extra parameters will be passed.
#OIDCOAuthIntrospectionEndpointParams <urlencoded-name1>=<urlencoded-value1>[&<urlencoded-nameN>=<urlencoded-valueN>]*
# Name of the parameter whose value carries the access token value in an validation request to the token introspection endpoint.
# When not defined the default "token" is used.
#OIDCOAuthIntrospectionTokenParamName <param_name>
# Defines the name of the claim that contains the token expiry timestamp, whether it is absolute (seconds since
# 1970), relative (seconds from now after which the token will expire), and whether it is optional.
# If the claim is optional and not found in the response, the introspection result will not be cached.
# (which means that the overall performance may suffer)
#
# Only applies when the "active" claim is not found in the introspection response, which is interpreted as
# an introspection method that does not conform to draft-ietf-oauth-introspection, but is custom.
#
# When not defined the default "expires_in" is used, the expiry is "relative" and mandatory, matching
# Google and PingFederate's introspection behavior.
#OIDCOAuthTokenExpiryClaim <claim-name> [absolute|relative] [mandatory|optional]
# Define the interval in seconds after which a cached and introspected access token needs
# to be refreshed by introspecting (and validating) it again against the Authorization Server.
# (can be configured on a per-path basis)
# When not defined the value is 0, which means it only expires after the `exp` (or alternative,
# see OIDCOAuthTokenExpiryClaim) hint as returned by the Authorization Server.
# When set to -1, caching of the introspection results is disabled and the token will be introspected
# on each request presenting it.
#OIDCOAuthTokenIntrospectionInterval <seconds>
# Require a valid SSL server certificate when communicating with the Authorization Server
# on the token introspection endpoint. When not defined, the default value is "On".
#OIDCOAuthSSLValidateServer [On|Off]
# The symmetric shared key(s) that can be used for local JWT access token validation.
# NB: this is one or more key tuples where a key tuple consists of:
# ["sig:"|"enc:"]plain|b64|hex#[<key-identifier>]#<key>
# Specify the prefix "sig:" or "enc:" to indicate a key is specifically to be used for signing or encryption.
# When not defined, no access token validation with shared keys will be performed.
# Examples:
# - a plaintext secret and a key identifier (kid)
# plain#1#mysecret
# - a base64 encoded secret, no key identifier provided
# b64##AF515DE==
# - a hex encoded secret, no key identifier provided
# hex##ede012
#OIDCOAuthVerifySharedKeys (["sig:"|"enc:"]plain|b64|hex#[<kid>#]<key>)+
# The fully qualified names of the files that contain the X.509 certificates with the RSA/EC public
# keys that can be used for local JWT access token verification.
# NB: this is one or more key tuples where a key tuple consists of:
# ["sig:"|"enc:"][<key-identifier>#]<path-to-cert>
# and the key identifier part is required when the JWT access token contains a "kid" in its header.
# Specify the prefix "sig:" or "enc:" to indicate a key is specifically to be used for signing or encryption.
# When not defined, no access token validation with statically configured certificates will be performed.
#OIDCOAuthVerifyCertFiles (["sig:"|"enc:"][<kid>#]<filename>)+
# The JWKs URL on which the Authorization Server publishes the keys used to sign its JWT access tokens.
# When not defined local validation of JWTs can still be done using statically configured keys,
# by setting OIDCOAuthVerifyCertFiles and/or OIDCOAuthVerifySharedKeys.
#OIDCOAuthVerifyJwksUri <jwks_url>
# The claim that is used when setting the REMOTE_USER variable on OAuth 2.0 protected paths.
# When not defined the default "sub" is used.
#
# An optional regular expression can be added as a 2nd parameter that will be applied to the
# claim value from the 1st parameter and the first match returned from that expression will
# be set as the REMOTE_USER. E.g. to strip a domain from an e-mail style address you'd use ^(.*)@
#
# An optional 3rd parameter can be added that would contain string with number backrefrences.
# Backrefrences must be in the form $1, $2.. etc.
# E.g. to extract username in the form DOMAIN\userid from e-mail style address you may use
# ^(.*)@([^.]+)\..+$ $2\\$1
#OIDCOAuthRemoteUserClaim <claim-name> [<regular-expression>] [substitution-string]
# Define the way(s) in which bearer OAuth 2.0 access tokens can be passed to this Resource Server.
# Must be one or several of:
# "header" : an "Authorization: bearer" header
# "post" : an HTTP Post parameter called "access_token"
# "query" : as an HTTP query parameter called "access_token"
# "cookie" : as a cookie header called "PA.global" or using the name specified after ":"
# "basic": as a HTTP Basic Auth (RFC2617, section 2) password, with any username
# When not defined the default "header" is used.
#OIDCOAuthAcceptTokenAs [header|post|query|cookie[:<cookie-name>|basic]+
########################################################################################
#
# Cookie Settings
#
########################################################################################
# Define the cookie path for the "state" and "session" cookies.
# When not defined the default is a server-wide "/".
#OIDCCookiePath <cookie-path>
# Specify the domain for which the "state" and "session" cookies will be set.
# This must match the OIDCRedirectURI and the URL on which you host your protected
# application. Use the literal value of the domain name that will end up in the "Domain"
# attribute value for the Set-Cookie header, no leading dot required.
# Example domain- (instead of default host-)wide cookie:
# OIDCCookieDomain example.org
# When not defined the default is the server hostname that is currently accessed.
#OIDCCookieDomain <cookie-domain>
# Define the cookie name for the session cookie.
# When not defined the default is "mod_auth_openidc_session".
#OIDCCookie <cookie-name>
# OpenID Connect session cookie chunk size.
# When using "OIDCSessionType client-cookie" the session cookie may become quite large if a lot of session
# data needs to be stored, typically the size depends on the "scopes" of information you request. To work
# around cookie size limitations for most web browsers (usually 4096 bytes), the "client-cookie" will be split
# over a number of "chunked" cookies if the resulting session data is over a certain number of bytes,
# If you want to prevent splitting the session cookie regardless of its size, set the value to 0.
# When not defined the default chunk size is 4000 bytes
#OIDCSessionCookieChunkSize <bytes>
# Defines whether the HttpOnly flag will be set on cookies.
# When not defined the default is On.
#OIDCCookieHTTPOnly [On|Off]
# Defines whether the SameSite flag will be set on cookies.
# When On the following will apply:
# state cookie: Lax
# session cookie: Lax
# x_csrf discovery: Strict:
#
# The default `SameSite=None` cookie appendix on `Set-Cookie` response headers can be
# conditionally overridden using an environment variable in the Apache config as in:
# SetEnvIf User-Agent ".*IOS.*" OIDC_SET_COOKIE_APPEND=;
#
# When not defined the default is On.
#OIDCCookieSameSite [On|Off]
# Specify the names of cookies to pickup from the browser and send along on backchannel
# calls to the OP and AS endpoints. This can be used for load-balancing purposes.
# When not defined, no such cookies are sent.
#OIDCPassCookies [<cookie-name>]+
# Specify the names of cookies to strip from the incoming request so they are not passed
# on to the target application(s). This may prevent a large set of chunked session cookies to
# be sent to the backend. In that case you'd set it to (when using the default OIDCCookie setting):
# mod_auth_openidc_session mod_auth_openidc_session_chunks mod_auth_openidc_session_0 mod_auth_openidc_session_1
# When not defined, no cookies are stripped.
#OIDCStripCookies [<cookie-name>]+
# Specify the maximum number of state cookies i.e. the maximum number of parallel outstanding
# authentication requests. See: https://github.com/OpenIDC/mod_auth_openidc/issues/331
# Setting this to 0 means unlimited, until the browser or server gives up which is the
# behavior of mod_auth_openidc < 2.3.8, which did not have this configuration option.
#
# The optional second boolean parameter if the oldest state cookie(s) will be deleted,
# even if still valid; see #399.
#
# When not defined, the default is 7 and "false", thus the oldest cookie(s) will not be deleted.
#OIDCStateMaxNumberOfCookies <number> [false|true]
# Define the cookie prefix for the state cookie.
# When not defined the default is "mod_auth_openidc_state_".
#OIDCStateCookiePrefix <cookie-prefix>
########################################################################################
#
# Session Settings (only relevant in an OpenID Connect Relying Party setup)
#
########################################################################################
# Interval in seconds after which the session will be invalidated when no interaction has occurred.
# When not defined, the default is 300 seconds.
#OIDCSessionInactivityTimeout <seconds>
# Maximum duration of the application session
# When not defined the default is 8 hours (3600 * 8 seconds).
# When set to 0, the session duration will be set equal to the expiry time of the ID token.
# NB: this can be overridden on a per-OP basis in the .conf file using the key: session_max_duration
#OIDCSessionMaxDuration <seconds>
# OpenID Connect session storage type.
# "server-cache" server-side caching storage.
# "client-cookie" uses browser-side sessions stored in a cookie; see also OIDCSessionCookieChunkSize next
# A suffix ":persistent" can be added if you want to use a persistent cookie that survives browser restarts
# instead of a session cookie that is tied to the lifetime of the browser session.
# The "expires" value of the persistent cookie is controlled by the OIDCSessionInactivityTimeout setting.
# A suffix ":store_id_token" can be added to "client-cookie" if you want the id_token to be stored
# in the session to be used as id_token_hint in a logout request to the OP later.
# When not defined the default "server-cache" is used.
#OIDCSessionType server-cache[:persistent] | client-cookie[:persistent | :store_id_token | :persistent:store_id_token ]
# Fallback to "OIDCSessionType client-cookie" when "OIDCSessionType server-cache" is set and the primary
# cache mechanism (e.g. memcache or redis) fails. Note that this will come at a cost of:
# a) performance
# 1) since on each subsequent request the primary cache will still be polled and
# failback will happen as soon as the primary cache is available again
# 2) information other than sessions cannot be cached, e.g. resolved access tokens or metadata; see: OIDCCacheType
# b) security, since nonce's and jti's are not cached, see: OIDCCacheType
# c) (prototype) functionality, since request_uri's won't work anymore
# When not defined the default is "Off".
#OIDCSessionCacheFallbackToCookie [On|Off]
########################################################################################
#
# Cache Settings
#
########################################################################################
# Cache type, used for temporary storage that is shared across Apache processes/servers for:
# - authenticated user session state
# - nonce values from authorization requests (to prevent replay attacks)
# - validated OAuth 2.0 access tokens
# - refresh tokens during their usage in a refresh token request i.e. refreshing an access token and possible the refresh token itself
# - JWK sets that have been retrieved from jwk_uri's (to validate id_token, logout_token, JWT access_token and JWT userinfo response)
# - resolved OP metadata when using OIDCProviderMetadataUrl and/or OIDCOAuthServerMetadataURL
# - jti values from logout_token when receiving Backchannel Logout requests
# - temporary state associated with Request URI's
# - signed JWTs when using OIDCPassUserInfoAs signed_jwt and environment variable OIDC_USERINFO_SIGNED_JWT_CACHE_TTL
# - JQ filter results when using OIDCFilterClaimsExpr and/or OIDCUserInfoClaimsExpr and/or Require claims_expr
# must be one of \"shm\", \"memcache\", \"file\" or, if Redis/Valkey support is compiled in, \"redis\"
# When not defined, "shm" (shared memory) is used.
#OIDCCacheType [shm|memcache|file[|redis]]
# Indicate whether data in the cache backend should be encrypted.
# When not defined the default is "Off" for the "shm" backend and "On" for all other cache backends
#OIDCCacheEncrypt [On|Off]
# When using OIDCCacheType "shm":
# Specifies the maximum number of name/value pair entries that can be cached.
# When caching a large number of entries the cache size limit may be reached and the
# least recently used entry will be overwritten. If this happens within 1 hour,
# errors will be displayed in the error.log and the OIDCCacheShmMax value may be increased.
# When not specified, a default of 10000 entries is used.
#OIDCCacheShmMax <number>
# When using OIDCCacheType "shm":
# Specifies the maximum size for a single cache entry in bytes with a minimum of 8736 bytes.
# The value must a multiple of 8 bytes.
# When caching large values such as numbers of attributes in a session or large metadata documents the
# entry size limit may be overrun, in which case errors will be displayed in the error.log
# and the OIDCCacheShmEntrySizeMax value has to be increased.
# When not specified, a default entry size of 16928 bytes (16384 value + 512 key + 32 overhead) is used.
#OIDCCacheShmEntrySizeMax <bytes>
# When using OIDCCacheType "file":
# Directory that holds cache files; must be writable for the Apache process/user.
# When not specified a system defined temporary directory (/tmp) will be used.
#OIDCCacheDir /var/cache/apache2/mod_auth_openidc/cache
# When using OIDCCacheType "file":
# Cache file clean interval in seconds (only triggered on writes).
# When not specified a default of 60 seconds is used.
#OIDCCacheFileCleanInterval <seconds>
# Required when using OIDCCacheType "memcache":
# Specifies the memcache servers used for caching as a space separated list of <hostname>[:<port>] tuples.
#OIDCMemCacheServers "(<hostname>[:<port>])+"
# Minimum number of connections to each Memcache server per process. Defaults to
# OIDCMemCacheConnectionsHMax.
#OIDCMemCacheConnectionsMin <number>
# All connections above this limit will be closed if they have been idle for
# more than OIDCMemCacheConnectionsTTL. Defaults to OIDCMemCacheConnectionsHMax.
#OIDCMemCacheConnectionsSMax <number>
# Maximum number of connections to each Memcache server per process. Defaults to
# ThreadsPerChild or if mod_http2 is loaded to ThreadsPerChild - 1 + H2MaxWorkers.
#OIDCMemCacheConnectionsHMax <number>
# Maximum time in seconds a connection to a Memcache server can be idle before
# being closed. Defaults to 60 seconds.
# Only for Apache >= 2.4.x: By adding a postfix of ms, the timeout can be also
# set in milliseconds. Defaults to 60 seconds.
#OIDCMemCacheConnectionsTTL <seconds>
# Required if Redis/Valkey support is compiled in and when using OIDCCacheType "redis":
# Specifies the Redis/Valkey server used for caching as a <hostname>[:<port>] tuple.
#OIDCRedisCacheServer <hostname>[:<port>]
# Password to be used if the Redis/Valkey server requires authentication: http://redis.io/commands/auth
# When not specified, no authentication is performed.
#OIDCRedisCachePassword <password>
# Username to be used if the Redis/Valkey server requires authentication: http://redis.io/commands/auth
# NB: this can only used with Redis/Valkey 6 (ACLs) or later
# When not specified, the implicit user "default" is used
#OIDCRedisCacheUsername <username>
# Logical database to select on the Redis/Valkey server: https://redis.io/commands/select
# When not defined the default database 0 is used.
#OIDCRedisCacheDatabase <number>
# Timeout (in seconds) for connecting to the Redis/Valkey server.
# An optional 2nd parameter can be supplied to set the keepalive interval (in seconds) on the
# TCP connection to the Redis/Valkey server. 0 disables keepalive.
# NB: the interval setting only works when compiled and running with hiredis >= 1.2.0
# when compiled and running with hiredis < 1.2.0 any value > 0 will apply the default interval
# When not defined the default connect timeout is 5 seconds and the default hiredis keepalive (15s) is applied.
#OIDCRedisCacheConnectTimeout <connect-timeout> [0|<keep-alive-interval>]
# Timeout waiting for a response of the Redis/Valkey server after a request was sent.
# When not defined the default timeout is 5 seconds.
#OIDCRedisCacheTimeout <seconds>
########################################################################################
#
# Advanced Settings
#
########################################################################################
# Defines an external OP Discovery page. That page will be called with:
# <discovery-url>?oidc_callback=<callback-url>
# additional parameters may be added, a.o. `target_link_uri`, `x_csrf` and `method`.
#
# An Issuer selection can be passed back to the callback URL as in:
# <callback-url>?iss=[${issuer}|${domain}|${e-mail-style-account-name}][parameters][&login_hint=<login-hint>][&scopes=<scopes>][&auth_request_params=<params>]
# where the <iss> parameter contains the URL-encoded issuer value of
# the selected Provider, or a URL-encoded account name for OpenID
# Connect Discovery purposes (aka. e-mail style identifier), or a domain name.
# [parameters] contains the additional parameters that were passed in on the discovery request (e.g. target_link_uri=<url>&x_csrf=<x_csrf>&method=<method>&scopes=<scopes>)
#
# When not defined the bare-bones internal OP Discovery page is used.
#OIDCDiscoverURL <discovery-url>
# Defines a default URL to be used in case of 3rd-party-init-SSO when no explicit target_link_uri
# has been provided. The user is also redirected to this URL in case an invalid authorization
# response was received.
# The default is to not redirect the browser to any URL but return an HTTP/HTML error to the user.
#OIDCDefaultURL <relative-or-absolute-url>
# Defines a default URL where the user is sent to after logout, which may be overridden explicitly during logout.
# When not defined and no URL was passed explicitly, a default internal page will be shown.
#OIDCDefaultLoggedOutURL <relative-or-absolute-url>
# Define the OpenID Connect scope(s) that is requested from the OP (eg. "admin edit")
# on a per-path basis in addition to the per-provider configured scopes (OIDCScope).
# Multiple scope values must be enclosed in a single pair of double quotes.
# Apache expressions can be used to pass dynamic runtime determined values.
# The default is to not add extra scopes.
#OIDCPathScope "<scope(s)-separated-by-spaces-and-enclosed-in-double-quotes>"
# Extra parameters that will be sent along with the Authorization Request.
# These must be URL-query-encoded as in: "display=popup&prompt=consent".
# This can be configured on a per-path basis across all configured Providers.
# One can pass on query parameters from the request to the authorization request by adding
# e.g. "foo=#" which which will dynamically pull in the query parameter value from the
# request query parameter and add it to the authentication request to the OP.
# Apache expressions can be used to pass dynamic runtime determined values.
# The default is to not add extra parameters.
#OIDCPathAuthRequestParams <query-encoded-string>
# Acceptable offset (before and after) for checking the \"iat\" (= issued at) timestamp in the id_token.
# When not defined the default is 600 seconds.
# NB: this can be overridden on a per-OP basis in the .conf file using the key: idtoken_iat_slack
#OIDCIDTokenIatSlack <seconds>
# The prefix to use when setting claims (openid-connect or oauth20) in the HTTP headers/environment variables.
# This prefix should not be set to "" except when combined with OIDCWhiteListedClaims to maintain a secure setup.
# When not defined, the default "OIDC_CLAIM_" is used.
#OIDCClaimPrefix <prefix>
# The delimiter to use when setting multi-valued claims (openid-connect or oauth20) in the HTTP headers/environment variables.
# When not defined the default "," is used.
#OIDCClaimDelimiter <char>
# The claim that is used when setting the REMOTE_USER variable on OpenID Connect protected paths.
# If the claim name is postfixed with a \"@\", the claim value will be post-fixed with the
# \"iss\" value value (with leading "https://" stripped) to make this value unique across different OPs.
# When not defined the default "sub@" is used.
#
# An optional regular expression can be added as a 2nd parameter that will be applied to the
# resulting value from the 1st parameter and the first match returned from that expression will
# be set as the REMOTE_USER. E.g. to strip a domain from an e-mail style address you'd use ^(.*)@
#
# An optional 3rd parameter can be added that would contain string with number backrefrences.
# Backrefrences must be in the form $1, $2.. etc.
# E.g. to extract username in the form DOMAIN\userid from e-mail style address you may use
# ^(.*)@([^.]+)\..+$ $2\\$1
#OIDCRemoteUserClaim <claim-name>[@] [<regular-expression>] [substitution-string]
# Define the way(s) in which the id_token contents are passed to the application according to OIDCPassClaimsAs.
# Must be one or several of:
# "claims" : the claims in the id_token are passed in individual headers/environment variables
# "payload" : the payload of the id_token is passed as a JSON object in the "OIDC_id_token_payload" header/environment variable
# "serialized" : the complete id_token is passed in compact serialized format in the "OIDC_id_token" header/environment variable
# Note that when OIDCSessionType client-cookie is set, the id_token itself is not stored in the session/cookie (unless explicitly
# configured to do so) and as such the header for the "serialized" option will not be set.
# Can be configured on a per Directory/Location basis. When not defined the default "claims" is used..
#OIDCPassIDTokenAs [claims|payload|serialized]+
# Define the way(s) in which the claims resolved from the userinfo endpoint are passed to the application according to OIDCPassClaimsAs.
# Must be one or several of:
# "claims" :
# the userinfo claims are passed in individual headers/environment variables
# "json[:<name]" :
# a self-contained userinfo JSON object is passed in the "OIDC_userinfo_json" or <name> header/environment variable
# "jwt[:<name]" :
# the signed/encrypted JWT (if available!) resolved from the userinfo endpoint is passed in the
# "OIDC_userinfo_jwt" or <name> header/environment variable
# "signed_jwt[:<name]" :
# the userinfo claims are passed in a JWT signed by mod_auth_openidc
# in the "OIDC_signed_jwt" or <name> header/environment variable
# - requires OIDCPrivateKeyFiles/OIDCPublicKeyFiles set with a RSA key (RS256) or a prime256v1 Elliptic Curve key(s) (ES256),
# the first RSA/EC signing key in the configured list will be used
# - the "expires_in" hint from the access_token is used in the "exp" claim; defaults to 60 seconds if not returned by the OP.
# - caching of the signed JWT - use with care only - can be configured using:
# SetEnvIfExpr true OIDC_USERINFO_SIGNED_JWT_CACHE_TTL=<seconds>
# or for the duration of the - possibly processed - "exp" claim when set to "0"
# Can be configured on a per Directory/Location basis. When not defined the default "claims" is used..
#OIDCPassUserInfoAs [claims|json[:<name>]|jwt[:<name>]|signed_jwt[:<name>]]+
# Only when compiled in with libjq (https://stedolan.github.io/jq/manual/) support: process the claims
# returned from the userinfo endpoint with a JQ-based expression before propagating them according
# to OIDCPassUserInfoAs claims|json|signed_jwt (ie. does not work for "OIDCPassUserInfoAs jwt")
#
# Overwrite the default (provider) "iss" claim, and delete the default "aud" and "name" claims:
# '. + { iss: "https://myissuer.com" } | del(.aud, .name)'
# Add new claim with a variable value obtained from an Apache expression https://httpd.apache.org/docs/2.4/expr.html:
# (be aware that when used with "OIDCPassUserInfoAs signed_jwt" it results in a cached JWT per-user/per-path)
# '. + { path: "%{REQUEST_URI}" }'
# Keep sub only:
# '{ sub: .sub }'
# Filter out all elements in the "groups" array of strings that contain "DC=Company" :
# '. + { groups: (.groups - (.groups | map(select(contains("DC=Company"))))) }'
# Filter out all elements in the "groups" array of strings that match regular expression ^CN=test-.* :
# '. + { groups: (.groups - (.groups | map(select(match("^CN=test-.*"; "g"))))) }'
# Can be configured on a per Directory/Location basis. When not defined no processing will be applied.
#OIDCUserInfoClaimsExpr <jq-filter>
# Only when compiled in with libjq (https://stedolan.github.io/jq/manual/) support: applies
# a JQ filter to claims in the both the id_token and claims returned from the userinfo endpoint
# before storing them in the session after applying (optional) toplevel blacklisting/whitelisting
# with OIDCBlackListedClaims/OIDCWhiteListedClaims, e.g.:
# filter out all elements in the "groups" array of strings that match regular expression ^CN=test-.*
# '. + { groups: (.groups - (.groups | map(select(match("^CN=test-.*"; "g"))))) }'
# whitelist only "name" and "sub" claims:
# '{name, sub}'
# delete "groups", "exp" and "iat"
# 'del(.groups,.exp,.iat)'
# When not defined no processing will be applied and all claims will be stored in the session.
#OIDCFilterClaimsExpr <jq-filter>
# Define the way in which the (processed) claims and tokens are passed to the application environment:
# "none": no claims/tokens are passed
# "environment": claims/tokens are passed as environment variables
# "headers": claims/tokens are passed in headers (also useful in reverse proxy scenario's)
# "both": claims/tokens are passed as both headers as well as environment variables (default)
#
# A second parameter can be specified that defines the encodong applied to all values passed in headers
# and environment variables:
# "latin1" applies ISO-8859-1 encoding: this may result in out of bound characters converted to the "?" character.
# "base64url" applies base64url encoding
# "none" applies no encoding and copies literal values from the claims into the headers/environment variables
# When not defined the default is "both" and "latin1" encoding is applied to the header/environment values.
#
# The access token is passed in OIDC_access_token; the access token expiry is passed in OIDC_access_token_expires.
# The refresh token is only passed in OIDC_refresh_token if enabled for that specific directory/location (see: OIDCPassRefreshToken)
#OIDCPassClaimsAs [none|headers|environment|both] [latin1|base64url|none]
# Specify the HTTP header variable name to set with the name of the authenticated user,
# i.e. copy what is set in REMOTE_USER and configured in OIDCRemoteUserClaim or OIDCOAuthRemoteUserClaim.
# When not defined no such header is added.
# This setting can be configured for both the "openid-connect" and "oauth20" AuthType on
# a server-wide or directory level.
#OIDCAuthNHeader <header-name>
# Timeout in seconds for long duration HTTP calls. This defines the maximum duration that a request make take to
# to complete and is used for most requests to remote endpoints/servers.
# The optional <connect-timeout> parameter specifies the connect timeout in seconds, as part of the overall request timeout.
# The optional <retries> parameter specifies the number of retry attempts in case of connectivity errors.
# When not defined the default of 30 seconds is used, with a 10 second connect timeout, using 1 retry after
# an interval of 500ms.
#OIDCHTTPTimeoutLong <seconds> [<connect-timeout>] [<retries>[:<retry-interval-ms>]]
# Timeout in seconds for short duration HTTP calls. This defines the maximum duration that a request may take to
# to complete and is used for Client Registration and OP Discovery requests.
# The optional <connect-timeout> parameter specifies the connect timeout in seconds, as part of the overall request timeout.
# The optional <retries> parameter specifies the number of retry attempts in case of connectivity errors.
# When not defined the default of 5 seconds is used, with a 2 second connect timeout, using 1 retry with
# an interval of 500ms.
#OIDCHTTPTimeoutShort <seconds> [<connect-timeout>] [<retries>[:<retry-interval-ms>]]
# Time to live in seconds for state parameter i.e. the interval in which the authorization request
# and the corresponding response need to be processed. When not defined the default of 300 seconds is used.
#OIDCStateTimeout <seconds>
# Specify an outgoing proxy for your network. When running on a platform with a recent version of
# libcurl you can also specify the network protocol, see: https://curl.se/libcurl/c/CURLOPT_PROXY.html
# When not defined no outgoing proxy is used.
#OIDCOutgoingProxy [<scheme>://]<host>[:<port>] [<username>:<password>] [basic|digest|negotiate|ntlm|any]
# Defines the action to be taken when an unauthenticated request is made.
#
# "auth" means that the user is redirected to the OpenID Connect Provider or Discovery page.
# "401" means that HTTP 401 Unauthorized is returned.
# "407" means that HTTP 407 Proxy Authentication Required is returned
# "410" means that HTTP 410 Gone is returned
# "pass" means that an unauthenticated request will pass but claims will still be passed when a user happens to be authenticated already
#
# Useful in Location/Directory/Proxy path contexts that serve AJAX/Javascript calls and for "anonymous access"
#
# When not defined the default is "auth" with auto-detection of requests that woult not be able to complete
# an authentication round trip to the OpenID Connect Provider, which would receive a 401.
# The default auto-detection algorithm looks for the "X-Requested-With: XMLHttpRequest" header/value, or
# the presence of a Sec-Fetch-Mode header with a value that is not equal to "navigate", or the presence of
# a Sec-Fetch-Dest header with a value that is not equal to "document" or the absence of
# an "Accept" header with any of the values "text/html" "application/xhtml+xml" or "*/*"
# and returns 401 for such non-auth-capable requests, e.g. XML HTTP Requests, image loading requests etc.
# that would create a state cookie but never return to delete it.
# See: https://github.com/OpenIDC/mod_auth_openidc/wiki/Cookies#tldr
#
# Only for Apache >= 2.4.x:
# Since verson 2.4.4 a boolean Apache expression as the second parameter to specify which requests
# need to match to return the configured value in the first parameter to override the default "auth".
# See also: https://httpd.apache.org/docs/2.4/expr.html.
# E.g to only return 401 for cURL based user agents and "auth" for any other browsers/user agents:
# OIDCUnAuthAction 401 "%{HTTP_USER_AGENT} =~ /curl/"
# to effectively override the default XML request detection algorithm by ignoring the Sec-Fetch-Mode,
# Sec-Fetch-Dest and Accept headers:
# OIDCUnAuthAction 401 "%{HTTP:X-Requested-With} == 'XMLHttpRequest'"
# to return 401 for all user agents that do not send an Accept header that includes a "text/html" value:
# OIDCUnAuthAction 401 "%{HTTP_ACCEPT} !~ m#text/html#"
# or as a more complex example, which equals the default XML request detection algorithm:
# OIDCUnAuthAction 401 "%{HTTP:X-Requested-With} == 'XMLHttpRequest' \
# || ( -n %{HTTP:Sec-Fetch-Mode} && %{HTTP:Sec-Fetch-Mode} != 'navigate' ) \
# || ( -n %{HTTP:Sec-Fetch-Dest} && %{HTTP:Sec-Fetch-Dest} != 'document' ) \
# || ( ( %{HTTP_ACCEPT} !~ m#text/html# ) \
# && ( %{HTTP_ACCEPT} !~ m#application/xhtml\+xml# ) \
# && ( %{HTTP_ACCEPT} !~ m#\*/\*# ) )"
# To enable authentication in an iframe you need to change the Sec-Fetch-Dest part above in:
# || ( -n %{HTTP:Sec-Fetch-Dest} && %{HTTP:Sec-Fetch-Dest} != 'iframe' && %{HTTP:Sec-Fetch-Dest} != 'document') \
# To disable auto-detection of XML HTTP request altogether and uncondtionally return "auth" for all clients:
# OIDCUnAuthAction auth true
# Note that actually *any* expression value in "OIDCUnAuthAction auth <expr>" will *always* render "auth"
# (even when set to "false"...) because of the default, so using an <expr> value (other than "true") only
# makes sense in combination with one of the values other than "auth".
#OIDCUnAuthAction [auth|pass|401|407|410] [<expression-to-detect-non-auth-request>]
# Defines the action to be taken when an unauthorized request is made i.e. the user is authenticated but
# does not meet the `Require claim <>` directives or similar.
# "401" return HTTP 401 Unauthorized with optional text message if specified in <argument>
# "403" return HTTP 403 Forbidden with optional text message; NB: for Apache 2.4 this is controlled by the AuthzSendForbiddenOnFailure directive!
# "302" redirect to the URL specified in the <argument> parameter
# "auth" redirect the user to the OpenID Connect Provider or Discovery page for authentication (<argument> is unused)
# Useful in Location/Directory/Proxy path contexts that need to do stepup authentication
# Be aware that this will only work in combination with a single Require statement or RequireAll,
# so using RequireAny and multiple Require statements is not supported.
# Also for "auth", the expression argument for OIDCUnAuthAction is re-used here to detect XHR requests.
# When not defined the default "403" is used. However Apache 2.4 will change this to 401 unless you set "AuthzSendForbiddenOnFailure on"
#OIDCUnAutzAction [401|403|302|auth] [<argument>]
# Indicates whether POST data will be preserved across authentication requests (and discovery in case of multiple OPs).
# This is designed to prevent data loss when a session timeout occurs in a (long) user filled HTML form.
# It cannot handle arbitrary payloads for security (DOS) reasons, merely form-encoded user data.
# Preservation is done via HTML 5 session storage: note that this can lead to private data exposure on shared terminals.
# The default is "Off" (for security reasons). Can be configured on a per Directory/Location basis.
#OIDCPreservePost [On|Off]
# POST preserve and restore templates to be used with OIDCPreservePost
# <preserve> template needs to contain two "%s" characters
# the first for the JSON formattted POST data, the second for the URL to redirect to after preserving
# <restore> template needs to contain one "%s"
# which contains the (original) URL to POST the restored data to
# The default is to use internal templates
#OIDCPreservePostTemplates <preserve-template-filepath> <restore-template-filepath>
# Indicates whether the access token and access token expires will be passed to the application in a header/environment variable, according
# to the OIDCPassClaimsAs directive.
# Can be configured on a per Directory/Location basis. The default is "On".
#OIDCPassAccessToken [On|Off]
#
# Indicates whether the refresh token will be passed to the application in a header/environment variable, according