Tags: apache2, authorization, reverse-proxy, openid-connect, mod-auth-openidc

Apache2 Reverse Proxy with authentication over OpenID Connect and authorization over LDAP


I'm trying to set up a reverse proxy that requires authentication against an OpenID Connect Identity Provider.

The User then grants the reverse proxy access to his data.

Some applications behind the proxy are only accessible by the user if he is a member of specific LDAP groups. Sadly the applications are dumb and cannot authorize themselves, so the reverse proxy must handle that part.

It wasn't so hard to set up the authentication part with mod_auth_openidc. What I struggle with is the authorization part. I have a working example with mod_authnz_ldap that requires username and password over BasicAuth.

The idea with OpenID Connect is that the Resource Server (the proxy in my case) will never know the user's password and does not have to check it. That is delegated to the OpenID Connect Identity Provider.

So I don't have the password needed for this approach. My idea was to create a virtual host with OIDC auth that refuses some header like x-my-oidc-username from clients, sets this header once authenticated and passes the request to another vhost bound to 127.0.0.1 so it cannot be accessed directly, bypassing authentication. That vhost just takes the header as the authenticated username and runs the LDAP authorization.

I haven't seen a way to just skip the authentication phase of the LDAP module and take the username from somewhere else, like the OpenID Connect ID Token or my custom header.

Any ideas/suggestions/approaches/tips?


Solution

  • There's an article that shows how to combine mod_auth_openidc and mod_authnz_ldap here: https://github.com/pingidentity/mod_auth_openidc/wiki/Authorization#2-mod_authnz_ldap:

    # mod_auth_openidc: discover the provider, register the client, log the user in.
    OIDCProviderMetadataURL https://accounts.google.com/.well-known/openid-configuration
    OIDCClientID <client_id>
    OIDCClientSecret <client_secret>
    # In production this should be an https URL; the path only needs to live
    # under a Location protected by AuthType openid-connect, nothing serves it.
    OIDCRedirectURI http://example.com/example/redirect_uri
    OIDCScope "openid email profile"
    
    # Set REMOTE_USER to the email address.
    # This is the value that mod_authnz_ldap substitutes as the first parameter after the
    # base DN of AuthLDAPURL when it searches for the user's entry in the authorization phase.
    # In the example below, REMOTE_USER = email claim = "mail" attribute in LDAP.
    OIDCRemoteUserClaim email
    
    <Location /example/>
      # Authentication is done by mod_auth_openidc, not by mod_authnz_ldap, so no
      # password ever reaches the proxy or the directory.
      AuthType openid-connect
      # Look up the entry whose mail attribute equals REMOTE_USER; its DN is what the
      # group check compares against (anonymous bind here, add AuthLDAPBindDN if needed).
      AuthLDAPURL "ldap://example.com/ou=people,dc=example,dc=com?mail?sub?(objectClass=*)"
      # Group entries list member DNs in "member"; AuthLDAPGroupAttributeIsDN defaults to on.
      AuthLDAPGroupAttribute member
      # Only members of this group are authorized; everyone else gets 403 after login.
      Require ldap-group cn=myTestAccess,ou=Groups,dc=example,dc=com
    </Location>
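A fuller version of the same approach, added here as an illustration and not taken from the post or the mod_auth_openidc wiki: one TLS front-end vhost does the OIDC login, mod_authnz_ldap does per-application group checks on REMOTE_USER, and the request is proxied to a backend bound to 127.0.0.1 with the authenticated identity in a header that is first scrubbed from anything the client sent. The hostnames, DNs, bind account, backend port and the X-Remote-User header name are assumptions; the directives themselves are standard mod_auth_openidc, mod_authnz_ldap, mod_headers and mod_proxy ones.

```apache
# Added example configuration (assumed names throughout); on Debian-style
# layouts enable these modules with a2enmod instead of LoadModule lines.
LoadModule auth_openidc_module modules/mod_auth_openidc.so
LoadModule ldap_module         modules/mod_ldap.so
LoadModule authnz_ldap_module  modules/mod_authnz_ldap.so
LoadModule headers_module      modules/mod_headers.so
LoadModule proxy_module        modules/mod_proxy.so
LoadModule proxy_http_module   modules/mod_proxy_http.so

<VirtualHost *:443>
    ServerName proxy.example.com
    SSLEngine on
    SSLCertificateFile    /etc/ssl/certs/proxy.example.com.pem
    SSLCertificateKeyFile /etc/ssl/private/proxy.example.com.key

    # --- Authentication: delegated to the IdP, the proxy never sees a password.
    OIDCProviderMetadataURL https://idp.example.com/.well-known/openid-configuration
    OIDCClientID         <client_id>
    OIDCClientSecret     <client_secret>
    OIDCCryptoPassphrase <random_passphrase>
    # Must be https, under this vhost, inside a protected Location, and not proxied.
    OIDCRedirectURI      https://proxy.example.com/redirect_uri
    OIDCScope            "openid email profile"
    # REMOTE_USER becomes the email claim; that is what AuthLDAPURL below searches on.
    OIDCRemoteUserClaim  email
    # mod_auth_openidc sets this request header to REMOTE_USER for the backend and
    # strips any copy the client sent (OIDCScrubRequestHeaders defaults to On).
    OIDCAuthNHeader      X-Remote-User

    # --- Authorization: read-only service account performs the lookups.
    AuthLDAPBindDN       "cn=apache-ro,ou=Service,dc=example,dc=com"
    AuthLDAPBindPassword "<bind_password>"
    AuthLDAPURL "ldaps://ldap.example.com/ou=people,dc=example,dc=com?mail?sub?(objectClass=inetOrgPerson)"
    AuthLDAPGroupAttribute     member
    AuthLDAPGroupAttributeIsDN on

    # Everything requires a login; app-specific group rules below replace this
    # Require for their own paths (AuthMerging is Off by default).
    <Location />
        AuthType openid-connect
        Require valid-user
    </Location>

    # App 1: members of one group only.
    <Location /app1/>
        AuthType openid-connect
        Require ldap-group cn=app1-users,ou=Groups,dc=example,dc=com
    </Location>

    # App 2: members of either group.
    <Location /app2/>
        AuthType openid-connect
        <RequireAny>
            Require ldap-group cn=app2-users,ou=Groups,dc=example,dc=com
            Require ldap-group cn=admins,ou=Groups,dc=example,dc=com
        </RequireAny>
    </Location>

    # Defense in depth: drop a client-supplied identity header before anything
    # else looks at it, independent of the module's own scrubbing.
    RequestHeader unset X-Remote-User early

    # --- Proxying: the redirect URI is handled locally, everything else goes to
    # the dumb backend, which is reachable only on the loopback interface.
    ProxyPreserveHost On
    ProxyPass        /redirect_uri !
    ProxyPass        /  http://127.0.0.1:8080/
    ProxyPassReverse /  http://127.0.0.1:8080/
</VirtualHost>

# Backend listens on loopback only, so the front end is the only way in and the
# X-Remote-User header it receives can be trusted.
Listen 127.0.0.1:8080
<VirtualHost 127.0.0.1:8080>
    ServerName   backend.internal
    DocumentRoot /var/www/apps
</VirtualHost>
```

After `apachectl configtest`, two checks are worth running: an unauthenticated `curl -i -H 'X-Remote-User: admin' https://proxy.example.com/app1/` must answer with a redirect to the IdP, not with application content, and a logged-in user who is not in cn=app1-users must get a 403 on /app1/ while still reaching a path that only needs valid-user. If the backend ever has to move to another host, keep the same property by firewalling its port so only the proxy can reach it; the header is only trustworthy while nothing else can speak to the backend.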