apache single-sign-on google-apps mod-auth-openidc

How to authenticate domains on Apache with Google Apps


I want to authenticate some of my company's internal websites with Google Apps. We have been using the OpenID-based Apache module mod_auth_openid, and since it was deprecated recently I started looking for alternatives and found mod_auth_openidc. But I couldn't really get it to work, as I didn't understand most parts of it (I even tried to follow some articles (article1, article2), but that didn't help as it was not clear to me).

Is there any other solution/article that can help me do this?


Solution

  • The first example in the README.md here: https://github.com/pingidentity/mod_auth_openidc/blob/master/README.md gives a good starting point:

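    # Provider discovery document and the client credentials from the Google API console
    OIDCProviderMetadataURL https://accounts.google.com/.well-known/openid-configuration
    OIDCClientID <your-client-id-administered-through-the-google-api-console>
    OIDCClientSecret <your-client-secret-administered-through-the-google-api-console>
    
    # Must match a redirect URI registered for the client in the Google API console
    OIDCRedirectURI https://www.example.com/example/redirect_uri
    # Passphrase the module uses to encrypt its own state (cookies, cache)
    OIDCCryptoPassphrase <password>
    
    OIDCScope "openid email profile"
    
    <Location /example/>
        AuthType openid-connect
        # Only the hd claim check is listed here: sibling Require lines are OR'ed,
        # so an additional "Require valid-user" would admit any Google account.
        Require claim hd:<your-domain>
    </Location>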
    

    Plain HTTP will work; trailing slashes will work (if used consistently, as in the example); no certificate is needed, just a fully qualified domain name; the Debian packages work on Ubuntu 14.04.

    The articles that you mention also show how to configure the Google side of things.
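An added check, not part of the original answer or of mod_auth_openidc: under Apache 2.4, sibling `Require` lines that are not wrapped in `<RequireAll>` are OR'ed, so `Require valid-user` next to `Require claim hd:...` lets any authenticated Google account through. The Python script below flags that pattern in a config file; `find_bypassable_claims` and both sample configs are constructed for illustration, and only `Require` lines that are direct siblings are compared.

```python
import re

# Constructed sample configs; example.com stands in for the Google Apps domain.
WEAK = """
<Location /example/>
    AuthType openid-connect
    Require valid-user
    Require claim hd:example.com
</Location>
"""
STRICT = """
<Location /example/>
    AuthType openid-connect
    <RequireAll>
        Require valid-user
        Require claim hd:example.com
    </RequireAll>
</Location>
"""

OPEN = re.compile(r"<\s*(\w+)\s*([^>]*)>")
CLOSE = re.compile(r"<\s*/\s*\w+\s*>")
REQUIRE = re.compile(r"require\s+(.+)", re.I)

def find_bypassable_claims(conf):
    """Return (section, claim) pairs where a sibling 'Require valid-user'
    is OR'ed with a 'Require claim', making the claim check optional."""
    findings, stack = [], [("server", [])]

    def close(label, reqs):
        # <RequireAll>/<RequireNone> do not OR their children; every other
        # container (Location, Directory, RequireAny, ...) does.
        ored = label.split()[0].lower() not in ("requireall", "requirenone")
        if ored and any(r.lower() == "valid-user" for r in reqs):
            findings.extend((label, r) for r in reqs if r.lower().startswith("claim "))

    for raw in conf.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if CLOSE.match(line):
            if len(stack) > 1:
                close(*stack.pop())
        elif (m := OPEN.match(line)):
            stack.append((f"{m.group(1)} {m.group(2)}".strip(), []))
        elif (m := REQUIRE.match(line)):
            stack[-1][1].append(" ".join(m.group(1).split()))
    while stack:
        close(*stack.pop())
    return findings
```

Run it over the files under the Apache configuration directory after any change to the protected locations; an empty list means no claim check is short-circuited by a sibling `valid-user`.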