mod-auth-openidc

Optional or anonymous authentication with mod_auth_openidc


Is it possible in mod_auth_openidc to do the equivalent of a prompt=none attempt to access a protected website using credentials from an already logged in user but falling back to allowing unauthenticated access if not?

I run a website which is accessible to the public without any authentication, but also provides additional optional features for those logged in. I'd like to use mod_auth_openidc to allow users to log in, but if I protect my pages with the module, it forces login before accessing the page (as you'd expect), and if I don't protect my pages then I can't see the OIDC variables even if I was already logged in.

So you'd go to the website and see the home page. On that page is a login button. When you log in, you are still on the home page, but now you see extra stuff (like a personalised welcome message).

The only solution I have so far is to make my entire site available at two different URLs, one protected by openidc and one not. When you log in you are redirected to the other site. But this potentially confuses users, and indeed server-side software which expects a baseURL to be configured.

I can implement this easily enough in other ways, but I can't find a solution based on the mod_auth_openidc module.

I tried this:

<Location /example/public>
   AuthType openid-connect
</Location>
<Location /example/protected/>
   AuthType openid-connect
   Require valid-user
</Location>

What I was hoping would happen was that going to /example/protected would require me to log in (which it does), and that then going back to /example/public would still know I was logged in. But although /example/protected works just fine (so my basic setup is correct), /example/public doesn't work at all - there are no variables set, so I still appear not logged in.

Is there perhaps a Require option which would do what I want, or some other clean answer?


Solution

  • You need to use OIDCUnAuthAction pass, see: https://github.com/OpenIDC/mod_auth_openidc/blob/v2.4.15/auth_openidc.conf#L896

    # Defines the action to be taken when an unauthenticated request is made.
    # "auth" means that the user is redirected to the OpenID Connect Provider or Discovery page.
    # "401" means that HTTP 401 Unauthorized is returned.
    # "410" means that HTTP 410 Gone is returned
    # "pass" means that an unauthenticated request will pass but claims will still be passed when a user happens to be authenticated already
    # Useful in Location/Directory/Proxy path contexts that serve AJAX/Javascript calls and for "anonymous access"
    # When not defined the default "auth" is used.
    #OIDCUnAuthAction [auth|pass|401|410]
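Applying the directive to the two locations from the question, as an added example that is not part of the question or the answer above. It assumes `Require valid-user` stays on the public location so that the module's authentication check still runs (with `pass` an unauthenticated request is let through instead of being redirected), and that both locations sit under the same virtual host so the session cookie is sent to both.

```apache
# Added example (not from the question or the answer): the same two
# locations, with OIDCUnAuthAction pass applied to the public one.

# Public pages: served to everyone. When the browser already carries a
# mod_auth_openidc session, REMOTE_USER and the OIDC_CLAIM_* variables are
# populated; otherwise they are empty or absent and the request still passes.
<Location /example/public/>
   AuthType openid-connect
   # Assumption: keep Require valid-user so the module's check is invoked at
   # all; without any Require directive Apache never runs authentication,
   # which is why the original attempt saw no variables.
   Require valid-user
   OIDCUnAuthAction pass
</Location>

# Protected pages: the default action ("auth") applies, so an
# unauthenticated request is redirected to the OpenID Connect Provider.
# The home page's login button can simply link here; after the provider
# round-trip the same session is visible under /example/public/ as well.
<Location /example/protected/>
   AuthType openid-connect
   Require valid-user
</Location>
```

Application code behind /example/public/ has to treat an empty or missing REMOTE_USER as "anonymous" rather than as an error, and must only unlock the optional features when the OIDC claims are actually present.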