diff --git a/roles/apache_openidc/tasks/main.yml b/roles/apache_openidc/tasks/main.yml
deleted file mode 100644
index b49b67b..0000000
--- a/roles/apache_openidc/tasks/main.yml
+++ /dev/null
@@ -1,16 +0,0 @@
-- name: Enable testing repository
- lineinfile:
- path: /etc/apk/repositories
- line: "@testing http://dl-cdn.alpinelinux.org/alpine/edge/testing"
-
-- name: Create config file
- template:
- src: mod-auth-openidc.conf
- dest: /etc/apache2/conf.d/mod-auth-openidc.conf
-
-- name: Install Apache OIDC module
- apk:
- name: apache-mod-auth-openidc@testing
- state: latest
- update_cache: true
-
diff --git a/roles/apache_openidc/templates/mod-auth-openidc.conf b/roles/apache_openidc/templates/mod-auth-openidc.conf
deleted file mode 100644
index a68922f..0000000
--- a/roles/apache_openidc/templates/mod-auth-openidc.conf
+++ /dev/null
@@ -1,1174 +0,0 @@ -LoadModule auth_openidc_module modules/mod_auth_openidc.so - -######################################################################################## -# -# Common Settings -# -######################################################################################## - -# (Mandatory) -# The redirect_uri for this OpenID Connect client; this is a vanity URL -# that must ONLY point to a path on your server protected by this module -# but it must NOT point to any actual content that needs to be served. -# You can use a relative URL like /protected/redirect_uri if you want to -# support multiple vhosts that belong to the same security domain in a dynamic way -#OIDCRedirectURI https://www.example.com/protected/redirect_uri - -OIDCRedirectURI https://{{dns_name}}/redirect_uri -# (Mandatory) -# Set a password for crypto purposes, this is used for: -# - encryption of the (temporary) state cookie -# - encryption of cache entries, that may include the session cookie, see: OIDCCacheEncrypt and OIDCSessionType -# Note that an encrypted cache mechanism can be shared between servers if they use the same OIDCCryptoPassphrase -# If the value begins with exec: the resulting command will be executed and the -# first line returned to standard output by the program will be used as the password, e.g.: -# OIDCCryptoPassphrase "exec:/bin/bash -c \"head /dev/urandom | tr -dc A-Za-z0-9 | head -c 32\"" -# (notice that the above typically only works in non-clustered environments) -# The command may be absolute or relative to the web server root. -# -# A second value can be used temporarily in case of passphrase rollover: the first (i.e. new) passphrase -# will be used for encryption of new values (including a "kid" in the JWEs during the time 2 values are defined), -# both values will be used for verification (leveraging the "kid" if present); for seamless rollover one should -# (at minimum) wait for OIDCSessionInActivityTimeout seconds before removing the 2nd (i.e. 
old) passprase again. -#OIDCCryptoPassphrase [ | "exec:/path/to/otherProgram arg1" ] [ | "exec:/path/to/otherProgram arg2" ] -OIDCCryptoPassphrase "exec:/bin/sh -c \"head /dev/urandom | tr -dc A-Za-z0-9 | head -c 32\"" -# -# All other entries below this are optional though some may be required in a -# particular setup e.g. OAuth 2.0 Resource Server vs. OpenID Connect Relying Party -# - -# When using multiple OpenID Connect Providers, possibly combined with Dynamic Client -# Registration and account-based OP Discovery. -# Specifies the directory that holds metadata files (must be writable for the Apache process/user). -# When not specified, it is assumed that we use a single statically configured provider as -# described under the section "OpenID Connect Provider" below, most likely using OIDCProviderMetadataURL. -#OIDCMetadataDir /var/cache/apache2/mod_auth_openidc/metadata - -######################################################################################## -# -# OpenID Connect Provider -# -# For configuration of a single static provider, not using OpenID Connect Provider Discovery. -# -######################################################################################## - -# URL where OpenID Connect Provider metadata can be found (e.g. https://accounts.google.com/.well-known/openid-configuration) -# The obtained metadata will be cached and refreshed every 24 hours. -# If set, individual entries below will not have to be configured but can be used to add -# extra entries/endpoints to settings obtained from the metadata. -# If OIDCProviderMetadataURL is not set, the entries below it will have to be configured for a single -# static OP configuration or OIDCMetadataDir will have to be set for configuration of multiple OPs. -#OIDCProviderMetadataURL -OIDCProviderMetadataURL {{ password.oidc_server }} - -# OpenID Connect Provider issuer identifier (e.g. 
https://localhost:9031 or https://accounts.google.com) -# Used when OIDCProviderMetadataURL is not defined or the metadata obtained from that URL does not set it. -#OIDCProviderIssuer - -# OpenID Connect Provider Authorization Endpoint URL (e.g. https://localhost:9031/as/authorization.oauth2) -# Used when OIDCProviderMetadataURL is not defined or the metadata obtained from that URL does not set it. -#OIDCProviderAuthorizationEndpoint - -# OpenID Connect Provider JWKS URL (e.g. https://localhost:9031/pf/JWKS) -# i.e. the URL on which the signing keys for this OP are hosted, in JWK formatting -# Used when OIDCProviderMetadataURL is not defined or the metadata obtained from that URL does not set jwks_uri. -#OIDCProviderJwksUri - -# OpenID Connect Provider Signed JWKS URL (e.g. https://localhost:9031/pf/JWKS) followed by the verification key set -# formatted as either JWK or JWKS. The verification key set is used to verify the provided JWKs value. -# Specifying multiple keys allows the OP rotate the key used for signing the JWKs. -# I.e. this is the URL on which the ID Token signing keys for this OP are hosted, in verifiable JWT formatting -# rather than relying on TLS for authentication and integrity protection. -# Used when OIDCProviderMetadataURL is not defined or the metadata obtained from that URL does not set signed_jwks_uri. -# When defined it takes precedence over OIDCProviderJwksUri -# Examples: -# OIDCProviderSignedJwksUri https://localhost:9031/pf/JWKS "{\"kty\":\"oct\", \"k\":\"AyM1SysPpbyDfgZld3umj1qzKObwVMkoqQ-EstJQLr_T-1qS0gZH75aKtMN3Yj0iPS4hcgUuTwjAzZr1Z9CAow\"}" -# OIDCProviderSignedJwksUri https://localhost:9031/pf/JWKS "{\"keys\":[{\"kty\":\"oct\", \"k\":\"AyM1SysPpbyDfgZld3umj1qzKObwVMkoqQ-EstJQLr_T-1qS0gZH75aKtMN3Yj0iPS4hcgUuTwjAzZr1Z9CAow\"}]}" -# NB: for multi-OP setups: -# the 1st parameter is not used, it needs to be set anyhow (e.g. 
to "") if you wish to use the 2nd parameter -# the 2nd parameter is the default verification JWK for content pulled from the signed_jwks_uri for all providers and -# and its can be overridden with a per-provider key in the .conf file using the key: signed_jwks_uri_key -#OIDCProviderSignedJwksUri [ | ] - -# The fully qualified names of the files that contain the X.509 certificates with the RSA/EC public -# keys that can be used for ID Token verification. -# NB: this is one or more key tuples where a key tuple consists of: -# ["sig:"|"enc:"][#] -# and the key identifier part is required when the ID Token contains a "kid" in its header. -# Specify the prefix "sig:" or "enc:" to indicate a key is specifically to be used for signing or encryption. -# When not defined, ID Token validation key material has to be obtained through OIDCProviderJwksUri or OIDCProviderMetadataURL -#OIDCProviderVerifyCertFiles (["sig:"|"enc:"][#])+ - -# OpenID Connect Provider Token Endpoint URL (e.g. https://localhost:9031/as/token.oauth2) -# Used when OIDCProviderMetadataURL is not defined or the metadata obtained from that URL does not set it. -#OIDCProviderTokenEndpoint - -# Authentication method for the OpenID Connect Provider Token Endpoint. -# When "private_key_jwt" is used, OIDCPrivateKeyFiles and OIDCPublicKeyFiles must have been set before this directive is applied. -# When not defined the default method from the specification is used, i.e. "client_secret_basic". -# Used when OIDCProviderMetadataURL is not defined or the metadata obtained from that URL does not set it. -# NB: this can be overridden for dynamic client registration on a per-OP basis in the .conf file using the key: token_endpoint_auth -#OIDCProviderTokenEndpointAuth [ client_secret_basic | client_secret_post | client_secret_jwt | private_key_jwt | none ] - -# Extra parameters that need to be passed in the POST request to the Token Endpoint. -# Parameter names and values need to be provided in URL-encoded form. 
-# When not defined no extra parameters will be passed. -# NB: this can be overridden on a per-OP basis in the .conf file using the key: token_endpoint_params -#OIDCProviderTokenEndpointParams =[&=]* - -# OpenID Connect Provider UserInfo Endpoint URL (e.g. https://localhost:9031/idp/userinfo.openid) -# When not defined no claims will be resolved from such endpoint. -# Used when OIDCProviderMetadataURL is not defined or the metadata obtained from that URL does not set it. -#OIDCProviderUserInfoEndpoint - -# OpenID OP Check Session iFrame URL, for Session Management purposes. -# When not defined, no Session Management will be applied. -# Used when OIDCProviderMetadataURL is not defined or the metadata obtained from that URL does not set it. -#OIDCProviderCheckSessionIFrame - -# OpenID OP End Session Endpoint URL, for Single Logout (Session Management) purposes. -# When not defined, no logout to the OP will be performed. -# Used when OIDCProviderMetadataURL is not defined or the metadata obtained from that URL does not set it. -#OIDCProviderEndSessionEndpoint - -# Extra parameters that will be sent along with the Logout Request. -# These must be URL-query-encoded as in: "client_id=myclient&prompt=none". -# This is used against a statically configured (single) OP or serves as the default for discovered OPs. -# The default is to not add extra parameters. -# NB: this can be overridden on a per-OP basis in the .conf file using the key: logout_request_params -#OIDCLogoutRequestParams - -# The RFC 7009 Token Revocation Endpoint URL. -# When defined, the refresh token and access token stored in an OIDC session will be revoked on logout. -# Used when OIDCProviderMetadataURL is not defined or the metadata obtained from that URL does not set it. -#OIDCProviderRevocationEndpoint - -# The RFC 9126 Pushed Authorization Request endpoint URL. 
-# When not defined, PAR cannot be used to send authentication requests, see also OIDCProviderAuthRequestMethod -# Used when OIDCProviderMetadataURL is not defined or the metadata obtained from that URL does not set it. -#OIDCProviderPushedAuthorizationRequestEndpoint - -# Define whether the OP supports OpenID Connect Back Channel Logout. -# According to: https://openid.net/specs/openid-connect-backchannel-1_0.html -# Used when OIDCProviderMetadataURL is not defined or the metadata obtained from that URL does not set it. -#OIDCProviderBackChannelLogoutSupported [On|Off] - -# Extra JSON parameters that need to be passed in the registration request to the Registration Endpoint. -# This setting serves as a default value for multiple OPs only. -# Parameter names and values need to be provided in JSON form and will be merged in to the request. -# When not defined no extra parameters will be passed. -# NB: this can be overridden on a per-OP basis in the .conf file using the key: registration_endpoint_json -#OIDCProviderRegistrationEndpointJson - -# Define the OpenID Connect scope that is requested from the OP (e.g. "openid email profile"). -# When not defined, the bare minimal scope "openid" is used. -# NB: multiple scope values must be enclosed in a single pair of double quotes -# NB: this can be overridden on a per-OP basis in the .conf file using the key: scope -#OIDCScope "" - -# Extra parameters that will be sent along with the Authorization Request. -# These must be URL-query-encoded as in: "display=popup&prompt=consent" or -# specific for Google's implementation: "approval_prompt=force". -# This is used against a statically configured (single) OP or serves as the default for discovered OPs. -# As an alternative to this option, one may choose to add the parameters as -# part of the URL set in OIDCProviderAuthorizationEndpoint or "authorization_endpoint" -# in the .provider metadata (though that would not work with Discovery OPs). 
-# -# One can pass on query parameters from the request to the authorization request by adding -# e.g. "foo=#" which will dynamically pull in the query parameter value from the -# request query parameter and add it to the authentication request to the OP. -# -# The default is to not add extra parameters. -# NB: this can be overridden on a per-OP basis in the .conf file using the key: auth_request_params -#OIDCAuthRequestParams - -# Require a valid SSL server certificate when communicating with the OP. -# (i.e. on token endpoint, UserInfo endpoint and Dynamic Client Registration endpoint) -# When not defined, the default value is "On". -# NB: this can be overridden on a per-OP basis in the .conf file using the key: ssl_validate_server -#OIDCSSLValidateServer [On|Off] - -# Sets the path to the CA bundle to be used by cURL -# When not defined, the default bundle for libcurl is used as provided by the platform. -#OIDCCABundlePath - -# Require configured issuer to match the issuer returned in id_token. -# (Disable to support Microsoft Entra ID / Azure AD multi-tenant applications.) -# When not defined, the default value is "On". -#OIDCValidateIssuer [On|Off] - -# The refresh interval in seconds for the claims obtained from the userinfo endpoint -# When not defined the claims are retrieved only once, at session creation time. -# If refreshing fails, it is assumed that the access token is expired and an attempt will be made -# to refresh the access token using the refresh token grant, after which a second attempt is made -# to obtain claims from the userinfo endpoint with the new access token. -# NB: this can be overridden on a per-OP basis in the .conf file using the key: userinfo_refresh_interval -# The optional logout_on_error flag will make the user logout the current local session if the userinfo request fails. -# The optional authenticate_on_error flag sends the user for authentication when the userinfo request fails. 
-#OIDCUserInfoRefreshInterval [ logout_on_error | authenticate_on_error | 502_on_error ] - -# The refresh interval in seconds for the JWKs key set obtained from the jwks_uri and signed_jwks_uri. -# When not defined the default is 3600 seconds. -# NB: this can be overridden on a per-OP basis in the .conf file using the key: jwks_refresh_interval -# NB: this refresh interval is shared with OIDCOAuthVerifyJwksUri -#OIDCJWKSRefreshInterval - -# Defines the way in which the access token will be presented to the userinfo endpoint -# "authz_header" means that the token will be presented in an "Authorization: Bearer" header using HTTP GET -# "post_param" means that the token will be presented a form-encoded POST parameter using HTTP POST -# When not defined the default is "authz_header". -# NB: this can be overridden on a per-OP basis in the .conf file using the key: userinfo_token_method -#OIDCUserInfoTokenMethod [authz_header|post_param] - -# Defines the HTTP method used to pass the parameters in the Authentication Request to the Authorization Endpoint. -# "GET" means that the parameters will be passed as query parameters in an HTTP GET -# "POST" means that the parameters will be passed as form-post parameters in an HTTP POST -# "PAR" means that parameters will be sent to the Pushed Authorization Endpoint -# When not defined the default is "GET". -# NB: this can be overridden on a per-OP basis in the .conf file using the key: auth_request_method -#OIDCProviderAuthRequestMethod [ GET | POST | PAR ] -OIDCProviderAuthRequestMethod POST - -# The fully qualified names of the files that contain the PEM-formatted RSA/EC Public key or a X.509 certificates -# that contain the RSA/EC public keys to be used for JWT (OP state/id_token) encryption by the OP. -# One of these keys must correspond to the private keys defined in OIDCPrivateKeyFiles. -# When not defined no encryption will be requested. 
-# You can also prefix with a JWK key identifier to manually override the automatically -# generated "kid" that will be used for this key in the JWKs derived from this certificate and -# published at OIDCClientJwksUri. -# Specify the prefix "sig:" or "enc:" to indicate a key is specifically to be used for signing or encryption. -# NB: this can be overridden on a per-OP basis in the .conf file using the key "keys" whose value is a JWK set/array (use=sign) -#OIDCPublicKeyFiles (["sig:"|"enc:"][#])+ - -# The fully qualified names of the files that contain the PEM-formatted RSA/EC private -# keys that can be used to decrypt content sent to us by the OP. -# These keys must correspond to the public keys defined in OIDCPublicKeyFiles. -# When not defined no decryption will be possible. -# NB: this can be overridden on a per-OP basis in the .conf file using the key "keys" whose value is a JWK set/array (use=enc) -#OIDCPrivateKeyFiles (["sig:"|"enc:"][#])+ - -######################################################################################## -# -# OpenID Connect Client -# -# Settings used by the client in communication with the OpenID Connect Provider(s), -# i.e. in Authorization Requests, Dynamic Client Registration and UserInfo Endpoint access. -# These settings are used when a single static provider is configured and serve as defaults -# when multiple providers are configured. -# -######################################################################################## - -# The response type (or OpenID Connect Flow) used (this serves as default value for discovered OPs too) -# When not defined the "code" response type is used. 
-# NB: this can be overridden on a per-OP basis in the .conf file using the key: response_type -#OIDCResponseType ["code"|"id_token"|"id_token token"|"code id_token"|"code token"|"code id_token token"] - -# The response mode used (this serves as default value for discovered OPs too) -# When not defined the default response mode for the requested flow (OIDCResponseType) is used. -# NB: this can be overridden on a per-OP basis in the .conf file using the key: response_mode -#OIDCResponseMode [fragment|query|form_post] - -# Only used for a single static provider has been configured, see below in OpenID Connect Provider. -# Client identifier used in calls to the statically configured OpenID Connect Provider. -#OIDCClientID -OIDCClientID {{ password.oidc_client_id }} -# Only used for a single static provider has been configured, see below in OpenID Connect Provider. -# Client secret used in calls to the statically configured OpenID Connect Provider. -# (not used/required in the Implicit Client Profile, i.e. when OIDCResponseType is "id_token") -# If the value begins with exec: the resulting command will be executed and the -# first line returned to standard output by the program will be used as the -# secret. The command may be absolute or relative to the web server root. -#OIDCClientSecret [ | "exec:/path/to/otherProgram argument1" ] -OIDCClientSecret {{ password.oidc_client_secret }} -# Filename with the PEM-formatted client certificate used to authenticate the Client in calls to the -# token endpoint of the OAuth 2.0 Authorization server. -# NB: this can be overridden on a per-OP basis in the .conf file using the key: token_endpoint_tls_client_cert -#OIDCClientTokenEndpointCert - -# Filename with the PEM-formatted private key that belongs to the client certificate used to authenticate the -# Client in calls to the token endpoint of the OAuth 2.0 Authorization server. 
-# NB: this can be overridden on a per-OP basis in the .conf file using the key: token_endpoint_tls_client_key -#OIDCClientTokenEndpointKey - -# Password for the PEM-formatted private key that belongs to the client certificate used to authenticate the -# Client in calls to the token endpoint of the OAuth 2.0 Authorization server. -# If the value begins with exec: the resulting command will be executed and the -# first line returned to standard output by the program will be used as the password. -# The command may be absolute or relative to the web server root. -# NB: this can be overridden on a per-OP basis in the .conf file using the key: token_endpoint_tls_client_key_pwd -#OIDCClientTokenEndpointKeyPassword [ | "exec:/path/to/otherProgram arg1" ] - -# The client name that the client registers in dynamic registration with the OP. -# When not defined, no client name will be sent with the registration request. -# NB: this can be overridden on a per-OP basis in the .conf file using the key: client_name -#OIDCClientName - -# The contacts that the client registers in dynamic registration with the OP. -# Must be formatted as e-mail addresses by specification. -# Single value only; when not defined, no contact e-mail address will be sent with the registration request. -# NB: this can be overridden on a per-OP basis in the .conf file using the key: client_contact -#OIDCClientContact - -# The PKCE method used (this serves as default value for multi-provider OPs too) -# When not defined S256 is used. 
-# NB: this can be overridden on a per-OP basis in the .conf file using the key: pkce_method -#OIDCPKCEMethod [ S256 | plain | |none ] - -# The DPoP mode used (this serves as default value for multi-provider OPs too) -# off: no DPoP token is requested from the OP -# optional: a DPoP token is requested from the OP but we'll continue even if the returned token is Bearer -# required: a DPoP token is requested from the OP and we'll fail if the returned token type is not DPoP -# When not defined "off" is used. -# To be able to request a DPoP token, OIDCPrivateKeyFiles/OIDCPublicKeyFiles settings require a RSA/EC private signing key. -# NB: this can be overridden on a per-OP basis in the .conf file using the key: dpop_mode -# The 2nd parameter is used to optionally enable an API for creating DPoP proofs on: -# ?dpop=&url=[&method=] -# When not defined "off" is used. -#OIDCDPoPMode [off|optional|required] [on|off] - -# (used only in dynamic client registration) -# Define the Client JWKs URL (e.g. https://localhost/protected/?jwks=rsa)") that will be -# used during client registration to point to the JWK set with public keys for this client. -# If not defined the default ?jwks=rsa will be used, on which a JWK set -# is automatically published based on the OIDCPublicKeyFiles setting so normally you don't -# need to touch this unless this client is on a (test) host that is not reachable from the internet. -# NB: this can be overridden on a per-OP basis in the .conf file using the key: client_jwks_uri -#OIDCClientJwksUri - -# The algorithm that the OP should use to sign the id_token. -# When not defined the default that the OP should use by spec is RS256. -# (ES??? 
algorithms only supported when using OpenSSL >= 1.0) -# NB: this can be overridden on a per-OP basis in the .conf file using the key: id_token_signed_response_alg -#OIDCIDTokenSignedResponseAlg [RS256|RS384|RS512|PS256|PS384|PS512|HS256|HS384|HS512|ES256|ES384|ES512] - -# The algorithm that the OP should use to encrypt the Content Encryption Key that is used to encrypt the id_token. -# When not defined the default (by spec) is that the OP does not encrypt the id_token. -# NB: this can be overridden on a per-OP basis in the .conf file using the key: id_token_encrypted_response_alg -#OIDCIDTokenEncryptedResponseAlg [RSA1_5|A128KW|A256KW|RSA-OAEP] - -# The algorithm that the OP should use to encrypt to the id_token with the Content Encryption Key. -# If OIDCIDTokenEncryptedResponseAlg is specified, the default for this value is A128CBC-HS256. -# When OIDCIDTokenEncryptedResponseEnc is included, OIDCIDTokenEncryptedResponseAlg MUST also be provided. -# (A256GCM algorithm only supported when using OpenSSL >= 1.0.1) -# NB: this can be overridden on a per-OP basis in the .conf file using the key: id_token_encrypted_response_enc -#OIDCIDTokenEncryptedResponseEnc [A128CBC-HS256|A256CBC-HS512|A256GCM] - -# The accepted value(s) of the "aud" claim in the ID token, restricted to only those values that have been defined here. -# The convenience value "@" can be used to refer to the configured client id (i.e. in case of dynamic client registration). -# When not defined the default is to accept any list of values (or a single string value) that includes value of OIDCClientID. -# NB: this can be overridden on a per-OP basis in the .conf file using the key: id_token_aud_values with the value set to a JSON array of strings. -#OIDCIDTokenAudValues + - -# The algorithm that the OP should use to sign the UserInfo response -# When not defined the default (by spec) is that the OP does not sign the response. -# (ES??? 
algorithms only supported when using OpenSSL >= 1.0) -# NB: this can be overridden on a per-OP basis in the .conf file using the key: userinfo_signed_response_alg -#OIDCUserInfoSignedResponseAlg RS256|RS384|RS512|PS256|PS384|PS512|HS256|HS384|HS512|ES256|ES384|ES512] - -# The algorithm that the OP should use to encrypt the Content Encryption Key that is used to encrypt the UserInfo response. -# When not defined the default (by spec) is that the OP does not encrypt the response. -# NB: this can be overridden on a per-OP basis in the .conf file using the key: userinfo_encrypted_response_alg -#OIDCUserInfoEncryptedResponseAlg [RSA1_5|A128KW|A256KW|RSA-OAEP] - -# The algorithm that the OP should use to encrypt to encrypt the UserInfo response with the Content Encryption Key -# If OIDCUserInfoEncryptedResponseAlg is specified, the default for this value is A128CBC-HS256. -# When OIDCUserInfoEncryptedResponseEnc is included, OIDCUserInfoEncryptedResponseAlg MUST also be provided. -# (A256GCM algorithm only supported when using OpenSSL >= 1.0.1) -# NB: this can be overridden on a per-OP basis in the .conf file using the key: userinfo_encrypted_response_enc -#OIDCUserInfoEncryptedResponseEnc [A128CBC-HS256|A256CBC-HS512|A256GCM] - -# The OpenID Connect (client) profile to adhere to, which configures settings for: -# - Authentication Request method -# - DPoP -# - PKCE -# - ID token aud values -# - token endpoint JWT authentication "aud" values, -# - "iss" parameter requirement in authentication reponses -# FAPI20: configures settings for the FAPI 2.0 Security Profile i.e : -# Auth Request Method: PAR, DPoP: Required, PKCE: S256, aud: client_id, aud: iss, iss: true -# OIDC10: adheres to the core OpenID Connect spec v1.0 -# When not default the default is OIDC10 -#OIDCProfile [ OIDC10 | FAPI20 ] - -######################################################################################## -# -# WARNING: -# -# THE OAUTH 2.0 RESOURCE SERVER FUNCTIONALITY IS DEPRECATED NOW AND 
SUPERSEDED -# BY A SEPARATE MODULE, SEE: https://github.com/OpenIDC/mod_oauth2 -# -# OAuth 2.0 Resource Server Settings -# -# Used when this module functions as a Resource Server against an OAuth 2.0 Authorization -# Server, introspecting/validating bearer Access Tokens. -# -######################################################################################## - -# URL where Authorization Provider Provider metadata can be found (e.g. https://example.com/.well-known/oauth-authorization-server) -# as defined in RFC 8414. The obtained metadata will be cached and refreshed every 24 hours. -# If set, individual entries below will not have to be configured but can be used to add -# extra entries/endpoints to settings obtained from the metadata. -# If OIDCOAuthServerMetadataURL is not set, the endpoint entries below it will have to be configured. -#OIDCOAuthServerMetadataURL - -# (Mandatory when introspecting opaque access tokens, Optional when performing local JWT access token validation) -# OAuth 2.0 Authorization Server token introspection endpoint (e.g. https://localhost:9031/as/token.oauth2) -#OIDCOAuthIntrospectionEndpoint - -# Client identifier used in token introspection calls to the OAuth 2.0 Authorization server. -#OIDCOAuthClientID - -# Client secret used in token introspection calls to the OAuth 2.0 Authorization server. -#OIDCOAuthClientSecret - -# Authentication method for the OAuth 2.0 Authorization Server introspection endpoint, -# Used to authenticate the client to the introspection endpoint e.g. with a client_id/client_secret -# when OIDCOAuthClientID and OIDCOAuthClientSecret have been set and "client_secret_basic" or "client_secret_post" -# has been configured. -# When "private_key_jwt" is used, OIDCPrivateKeyFiles and OIDCPublicKeyFiles must have been set. -# When not defined "client_secret_basic" is used. 
-#OIDCOAuthIntrospectionEndpointAuth [ client_secret_basic | client_secret_post | client_secret_jwt | private_key_jwt | bearer_access_token | none ] - -# Used when "OIDCOAuthIntrospectionEndpointAuth bearer_access_token" is configured. -# Specifies a static token to be used for authorizing the call to the introspection endpoint. -# If empty, the introspected token will be used for authorization as well. -#OIDCOAuthIntrospectionClientAuthBearerToken [ a-static-bearer-token | ] - -# Filename that contains the PEM-formatted client certificate used to authenticate the -# caller in token introspection calls to the OAuth 2.0 Authorization server. -#OIDCOAuthIntrospectionEndpointCert - -# Filename that contains the PEM-formatted private key that belongs to the client certificate used -# to authenticate the caller in token introspection calls to the OAuth 2.0 Authorization server. -#OIDCOAuthIntrospectionEndpointKey - -# Password for the PEM-formatted private key that belongs to the client certificate used to authenticate the -# Client in calls to the token introspection endpoint of the OAuth 2.0 Authorization server. -# If the value begins with exec: the resulting command will be executed and the -# first line returned to standard output by the program will be used as the password. -# The command may be absolute or relative to the web server root. -#OIDCOAuthIntrospectionEndpointKeyPassword [ | "exec:/path/to/otherProgram arg1" ] - -# Define the HTTP method to use for the introspection call. Must be GET or POST. -# When not defined the default is POST. -#OIDCOAuthIntrospectionEndpointMethod [POST|GET] - -# Extra parameters that need to be passed in the POST request to the Introspection Endpoint. -# Parameter names and values need to be provided in URL-encoded form. -# When not defined no extra parameters will be passed. 
-#OIDCOAuthIntrospectionEndpointParams =[&=]* - -# Name of the parameter whose value carries the access token value in a validation request to the token introspection endpoint. -# When not defined the default "token" is used. -#OIDCOAuthIntrospectionTokenParamName - -# Defines the name of the claim that contains the token expiry timestamp, whether it is absolute (seconds since -# 1970), relative (seconds from now after which the token will expire), and whether it is optional. -# If the claim is optional and not found in the response, the introspection result will not be cached. -# (which means that the overall performance may suffer) -# -# Only applies when the "active" claim is not found in the introspection response, which is interpreted as -# an introspection method that does not conform to draft-ietf-oauth-introspection, but is custom. -# -# When not defined the default "expires_in" is used, the expiry is "relative" and mandatory, matching -# Google and PingFederate's introspection behavior. -#OIDCOAuthTokenExpiryClaim [absolute|relative] [mandatory|optional] - -# Define the interval in seconds after which a cached and introspected access token needs -# to be refreshed by introspecting (and validating) it again against the Authorization Server. -# (can be configured on a per-path basis) -# When not defined the value is 0, which means it only expires after the `exp` (or alternative, -# see OIDCOAuthTokenExpiryClaim) hint as returned by the Authorization Server. -# When set to -1, caching of the introspection results is disabled and the token will be introspected -# on each request presenting it. -#OIDCOAuthTokenIntrospectionInterval - -# Require a valid SSL server certificate when communicating with the Authorization Server -# on the token introspection endpoint. When not defined, the default value is "On". -#OIDCOAuthSSLValidateServer [On|Off] - -# The symmetric shared key(s) that can be used for local JWT access token validation. 
-# NB: this is one or more key tuples where a key tuple consists of:
-# ["sig:"|"enc:"]plain|b64|hex#[]#
-# Specify the prefix "sig:" or "enc:" to indicate a key is specifically to be used for signing or encryption.
-# When not defined, no access token validation with shared keys will be performed.
-# Examples:
-# - a plaintext secret and a key identifier (kid)
-# plain#1#mysecret
-# - a base64 encoded secret, no key identifier provided
-# b64##AF515DE==
-# - a hex encoded secret, no key identifier provided
-# hex##ede012
-#OIDCOAuthVerifySharedKeys (["sig:"|"enc:"]plain|b64|hex#[#])+
-
-# The fully qualified names of the files that contain the X.509 certificates with the RSA/EC public
-# keys that can be used for local JWT access token verification.
-# NB: this is one or more key tuples where a key tuple consists of:
-# ["sig:"|"enc:"][#]
-# and the key identifier part is required when the JWT access token contains a "kid" in its header.
-# Specify the prefix "sig:" or "enc:" to indicate a key is specifically to be used for signing or encryption.
-# When not defined, no access token validation with statically configured certificates will be performed.
-#OIDCOAuthVerifyCertFiles (["sig:"|"enc:"][#])+
-
-# The JWKs URL on which the Authorization Server publishes the keys used to sign its JWT access tokens.
-# When not defined local validation of JWTs can still be done using statically configured keys,
-# by setting OIDCOAuthVerifyCertFiles and/or OIDCOAuthVerifySharedKeys.
-#OIDCOAuthVerifyJwksUri
-
-# The claim that is used when setting the REMOTE_USER variable on OAuth 2.0 protected paths.
-# When not defined the default "sub" is used.
-#
-# An optional regular expression can be added as a 2nd parameter that will be applied to the
-# claim value from the 1st parameter and the first match returned from that expression will
-# be set as the REMOTE_USER. E.g. to strip a domain from an e-mail style address you'd use ^(.*)@
-#
-# An optional 3rd parameter can be added that would contain string with number backreferences.
-# Backreferences must be in the form $1, $2.. etc.
-# E.g. to extract username in the form DOMAIN\userid from e-mail style address you may use
-# ^(.*)@([^.]+)\..+$ $2\\$1
-#OIDCOAuthRemoteUserClaim [] [substitution-string]
-
-# Define the way(s) in which bearer OAuth 2.0 access tokens can be passed to this Resource Server.
-# Must be one or several of:
-# "header" : an "Authorization: bearer" header
-# "post" : an HTTP Post parameter called "access_token"
-# "query" : as an HTTP query parameter called "access_token"
-# "cookie" : as a cookie header called "PA.global" or using the name specified after ":"
-# "basic": as a HTTP Basic Auth (RFC2617, section 2) password, with any username
-# When not defined the default "header" is used.
-#OIDCOAuthAcceptTokenAs [header|post|query|cookie[:|basic]+
-
-########################################################################################
-#
-# Cookie Settings
-#
-########################################################################################
-
-# Define the cookie path for the "state" and "session" cookies.
-# When not defined the default is a server-wide "/".
-#OIDCCookiePath
-
-# Specify the domain for which the "state" and "session" cookies will be set.
-# This must match the OIDCRedirectURI and the URL on which you host your protected
-# application. Use the literal value of the domain name that will end up in the "Domain"
-# attribute value for the Set-Cookie header, no leading dot required.
-# Example domain- (instead of default host-)wide cookie:
-# OIDCCookieDomain example.org
-# When not defined the default is the server hostname that is currently accessed.
-#OIDCCookieDomain
-OIDCCookieDomain {{ dns_name }}
-
-# Define the cookie name for the session cookie.
-# When not defined the default is "mod_auth_openidc_session".
-#OIDCCookie
-
-# OpenID Connect session cookie chunk size.
-# When using "OIDCSessionType client-cookie" the session cookie may become quite large if a lot of session
-# data needs to be stored, typically the size depends on the "scopes" of information you request. To work
-# around cookie size limitations for most web browsers (usually 4096 bytes), the "client-cookie" will be split
-# over a number of "chunked" cookies if the resulting session data is over a certain number of bytes,
-# If you want to prevent splitting the session cookie regardless of its size, set the value to 0.
-# When not defined the default chunk size is 4000 bytes
-#OIDCSessionCookieChunkSize
-
-# Defines whether the HttpOnly flag will be set on cookies.
-# When not defined the default is On.
-#OIDCCookieHTTPOnly [On|Off]
-
-# Defines the SameSite flag that will be set on cookies.
-#
-# When set to "On" (default) or "Lax" the following will apply:
-# session cookie: Lax
-# state cookie: Lax
-# x_csrf discovery: Lax
-#
-# When set to "Strict" the following will apply:
-# session cookie: Strict (first time: Lax)
-# state cookie: Lax
-# x_csrf discovery: Strict
-#
-# When set to "Off" or "None" the following will apply:
-# session cookie: None
-# state cookie: None
-# x_csrf discovery: None
-#
-# When set to "Disabled" no SameSite flag will be appended.
-#
-# The configured SameSite cookie appendix on `Set-Cookie` response headers can be
-# conditionally overridden using an environment variable in the Apache config as in:
-# SetEnvIf User-Agent ".*IOS.*" OIDC_SET_COOKIE_APPEND=;
-#
-# When not defined the default is On (Lax).
-#OIDCCookieSameSite [ On | Off | Strict | Lax | None | Disabled ]
-
-# Specify the names of cookies to pick up from the browser and send along on backchannel
-# calls to the OP and AS endpoints. This can be used for load-balancing purposes.
-# When not defined, no such cookies are sent.
-#OIDCPassCookies []+
-
-# Specify the names of cookies to strip from the incoming request so they are not passed
-# on to the target application(s). This may prevent a large set of chunked session cookies to
-# be sent to the backend. In that case you'd set it to (when using the default OIDCCookie setting):
-# mod_auth_openidc_session mod_auth_openidc_session_chunks mod_auth_openidc_session_0 mod_auth_openidc_session_1
-# When not defined, no cookies are stripped.
-#OIDCStripCookies []+
-
-# Specify the maximum number of state cookies, i.e. the maximum number of parallel outstanding
-# authentication requests. See: https://github.com/OpenIDC/mod_auth_openidc/issues/331
-# Setting this to 0 means unlimited, until the browser or server gives up which is the
-# behavior of mod_auth_openidc < 2.3.8, which did not have this configuration option.
-#
-# The optional second boolean parameter if the oldest state cookie(s) will be deleted,
-# even if still valid; see #399.
-#
-# When not defined, the default is 7 and "false", thus the oldest cookie(s) will not be deleted.
-#OIDCStateMaxNumberOfCookies [false|true]
-OIDCStateMaxNumberOfCookies 7 true
-
-# Define the cookie prefix for the state cookie.
-# When not defined the default is "mod_auth_openidc_state_".
-#OIDCStateCookiePrefix
-
-########################################################################################
-#
-# Session Settings (only relevant in an OpenID Connect Relying Party setup)
-#
-########################################################################################
-
-# Interval in seconds after which the session will be invalidated when no interaction has occurred.
-# When not defined, the default is 300 seconds.
-#OIDCSessionInactivityTimeout
-
-# Maximum duration of the application session
-# When not defined the default is 8 hours (3600 * 8 seconds).
-# When set to 0, the session duration will be set equal to the expiry time of the ID token.
-# NB: this can be overridden on a per-OP basis in the .conf file using the key: session_max_duration
-#OIDCSessionMaxDuration
-
-# OpenID Connect session storage type.
-# "server-cache" server-side caching storage.
-# "client-cookie" uses browser-side sessions stored in a cookie; see also OIDCSessionCookieChunkSize next
-# A suffix ":persistent" can be added if you want to use a persistent cookie that survives browser restarts
-# instead of a session cookie that is tied to the lifetime of the browser session.
-# The "expires" value of the persistent cookie is controlled by the OIDCSessionInactivityTimeout setting.
-# A suffix ":store_id_token" can be added to "client-cookie" if you want the id_token to be stored
-# in the session to be used as id_token_hint in a logout request to the OP later.
-# When not defined the default "server-cache" is used.
-#OIDCSessionType server-cache[:persistent] | client-cookie[:persistent | :store_id_token | :persistent:store_id_token ]
-
-# Fallback to "OIDCSessionType client-cookie" when "OIDCSessionType server-cache" is set and the primary
-# cache mechanism (e.g. memcache or redis) fails. Note that this will come at a cost of:
-# a) performance
-# 1) since on each subsequent request the primary cache will still be polled and
-# failback will happen as soon as the primary cache is available again
-# 2) information other than sessions cannot be cached, e.g. resolved access tokens or metadata; see: OIDCCacheType
-# b) security, since nonce's and jti's are not cached, see: OIDCCacheType
-# c) (prototype) functionality, since request_uri's won't work anymore
-# When not defined the default is "Off".
-#OIDCSessionCacheFallbackToCookie [On|Off]
-
-########################################################################################
-#
-# Cache Settings
-#
-########################################################################################
-
-# Cache type, used for temporary storage that is shared across Apache processes/servers for:
-# - authenticated user session state
-# - nonce values from authorization requests (to prevent replay attacks)
-# - validated OAuth 2.0 access tokens
-# - refresh tokens during their usage in a refresh token request i.e. refreshing an access token and possible the refresh token itself
-# - JWK sets that have been retrieved from jwk_uri's (to validate id_token, logout_token, JWT access_token and JWT userinfo response)
-# - resolved OP metadata when using OIDCProviderMetadataUrl and/or OIDCOAuthServerMetadataURL
-# - jti values from logout_token when receiving Backchannel Logout requests
-# - temporary state associated with Request URI's
-# - signed JWTs when using OIDCPassUserInfoAs signed_jwt and environment variable OIDC_USERINFO_SIGNED_JWT_CACHE_TTL
-# - JQ filter results when using OIDCFilterClaimsExpr and/or OIDCUserInfoClaimsExpr and/or Require claims_expr
-# must be one of \"shm\", \"memcache\", \"file\" or, if Redis/Valkey support is compiled in, \"redis\"
-# When not defined, "shm" (shared memory) is used.
-#OIDCCacheType [shm|memcache|file[|redis]]
-
-# Indicate whether data in the cache backend should be encrypted.
-# When not defined the default is "Off" for the "shm" backend and "On" for all other cache backends
-#OIDCCacheEncrypt [On|Off]
-
-# When using OIDCCacheType "shm":
-# Specifies the maximum number of name/value pair entries that can be cached.
-# When caching a large number of entries, the cache size limit may be reached and the
-# least recently used entry will be overwritten. If this happens within 1 hour,
-# errors will be displayed in the error.log and the OIDCCacheShmMax value may be increased.
-# When not specified, a default of 10000 entries is used.
-#OIDCCacheShmMax
-
-# When using OIDCCacheType "shm":
-# Specifies the maximum size for a single cache entry in bytes with a minimum of 8736 bytes.
-# The value must a multiple of 8 bytes.
-# When caching large values such as numbers of attributes in a session or large metadata documents the
-# entry size limit may be overrun, in which case errors will be displayed in the error.log
-# and the OIDCCacheShmEntrySizeMax value has to be increased.
-# When not specified, a default entry size of 16928 bytes (16384 value + 512 key + 32 overhead) is used.
-#OIDCCacheShmEntrySizeMax
-# (65536 bytes + 512 bytes key + 24 bytes overhead)
-OIDCCacheShmEntrySizeMax 66072
-
-# When using OIDCCacheType "file":
-# Directory that holds cache files; must be writable for the Apache process/user.
-# When not specified a system defined temporary directory (/tmp) will be used.
-#OIDCCacheDir /var/cache/apache2/mod_auth_openidc/cache
-
-# When using OIDCCacheType "file":
-# Cache file clean interval in seconds (only triggered on writes).
-# When not specified a default of 60 seconds is used.
-#OIDCCacheFileCleanInterval
-
-# Required when using OIDCCacheType "memcache":
-# Specifies the memcache servers used for caching as a space separated list of [:] tuples.
-#OIDCMemCacheServers "([:])+"
-
-# Minimum number of connections to each Memcache server per process. Defaults to
-# OIDCMemCacheConnectionsHMax.
-#OIDCMemCacheConnectionsMin
-
-# All connections above this limit will be closed if they have been idle for
-# more than OIDCMemCacheConnectionsTTL. Defaults to OIDCMemCacheConnectionsHMax.
-#OIDCMemCacheConnectionsSMax
-
-# Maximum number of connections to each Memcache server per process. Defaults to
-# ThreadsPerChild or if mod_http2 is loaded to ThreadsPerChild - 1 + H2MaxWorkers.
-#OIDCMemCacheConnectionsHMax
-
-# Maximum time in seconds a connection to a Memcache server can be idle before
-# being closed. Defaults to 60 seconds.
-# Only for Apache >= 2.4.x: By adding a postfix of ms, the timeout can be also
-# set in milliseconds. Defaults to 60 seconds.
-#OIDCMemCacheConnectionsTTL
-
-# Required if Redis/Valkey support is compiled in and when using OIDCCacheType "redis":
-# Specifies the Redis/Valkey server used for caching as a [:] tuple.
-#OIDCRedisCacheServer [:]
-
-# Password to be used if the Redis/Valkey server requires authentication: http://redis.io/commands/auth
-# When not specified, no authentication is performed.
-#OIDCRedisCachePassword
-
-# Username to be used if the Redis/Valkey server requires authentication: http://redis.io/commands/auth
-# NB: this can only be used with Redis/Valkey 6 (ACLs) or later.
-# When not specified, the implicit user "default" is used.
-#OIDCRedisCacheUsername
-
-# Logical database to select on the Redis/Valkey server: https://redis.io/commands/select
-# When not defined the default database 0 is used.
-#OIDCRedisCacheDatabase
-
-# Timeout (in seconds) for connecting to the Redis/Valkey server.
-# An optional 2nd parameter can be supplied to set the keepalive interval (in seconds) on the
-# TCP connection to the Redis/Valkey server. 0 disables keepalive.
-# NB: the interval setting only works when compiled and running with hiredis >= 1.2.0
-# when compiled and running with hiredis < 1.2.0 any value > 0 will apply the default interval
-# When not defined the default connect timeout is 5 seconds and the default hiredis keepalive (15s) is applied.
-#OIDCRedisCacheConnectTimeout [0|]
-
-# Timeout waiting for a response of the Redis/Valkey server after a request was sent.
-# When not defined, the default timeout is 5 seconds.
-#OIDCRedisCacheTimeout
-
-########################################################################################
-#
-# Advanced Settings
-#
-########################################################################################
-
-# Defines an external OP Discovery page. That page will be called with:
-# ?oidc_callback=
-# additional parameters may be added, i.e. `target_link_uri`, `x_csrf` and `method`.
-#
-# An Issuer selection can be passed back to the callback URL as in:
-# ?iss=[${issuer}|${domain}|${e-mail-style-account-name}][parameters][&login_hint=][&scopes=][&auth_request_params=]
-# where the parameter contains the URL-encoded issuer value of
-# the selected Provider, or a URL-encoded account name for OpenID
-# Connect Discovery purposes (aka. e-mail style identifier), or a domain name.
-# [parameters] contains the additional parameters that were passed in on the discovery request (e.g. target_link_uri=&x_csrf=&method=&scopes=)
-#
-# When not defined the bare-bones internal OP Discovery page is used.
-#OIDCDiscoverURL
-
-# Defines a default URL to be used in case of 3rd-party-init-SSO when no explicit target_link_uri
-# has been provided. The user is also redirected to this URL in case an invalid authorization
-# response was received.
-# The default is to not redirect the browser to any URL but return an HTTP/HTML error to the user.
-#OIDCDefaultURL
-
-# Defines a default URL where the user is sent to after logout, which may be overridden explicitly during logout.
-# When not defined and no URL was passed explicitly, a default internal page will be shown.
-#OIDCDefaultLoggedOutURL
-
-# Define the OpenID Connect scope(s) that is requested from the OP (e.g. "admin edit")
-# on a per-path basis in addition to the per-provider configured scopes (OIDCScope).
-# Multiple scope values must be enclosed in a single pair of double quotes.
-# Apache expressions can be used to pass dynamic runtime determined values.
-# The default is to not add extra scopes.
-#OIDCPathScope ""
-
-# Extra parameters that will be sent along with the Authorization Request.
-# These must be URL-query-encoded as in: "display=popup&prompt=consent".
-# This can be configured on a per-path basis across all configured Providers.
-# One can pass on query parameters from the request to the authorization request by adding
-# e.g. "foo=#" which will dynamically pull in the query parameter value from the
-# request query parameter and add it to the authentication request to the OP.
-# Apache expressions can be used to pass dynamic runtime determined values.
-# The default is to not add extra parameters.
-#OIDCPathAuthRequestParams
-
-# Acceptable offset (before and after) for checking the \"iat\" (= issued at) timestamp in the id_token.
-# When not defined the default is 600 seconds.
-# NB: this can be overridden on a per-OP basis in the .conf file using the key: idtoken_iat_slack
-#OIDCIDTokenIatSlack
-
-# The prefix to use when setting claims (openid-connect or oauth20) in the HTTP headers/environment variables.
-# This prefix should not be set to "" except when combined with OIDCWhiteListedClaims to maintain a secure setup.
-# When not defined, the default "OIDC_CLAIM_" is used.
-#OIDCClaimPrefix
-
-# The delimiter to use when setting multi-valued claims (openid-connect or oauth20) in the HTTP headers/environment variables.
-# When not defined the default "," is used.
-#OIDCClaimDelimiter
-
-# The claim that is used when setting the REMOTE_USER variable on OpenID Connect protected paths.
-# If the claim name is post-fixed with a \"@\", the claim value will be post-fixed with the
-# \"iss\" value (with leading "https://" stripped) to make this value unique across different OPs.
-# When not defined the default "sub@" is used.
-#
-# An optional regular expression can be added as a 2nd parameter that will be applied to the
-# resulting value from the 1st parameter and the first match returned from that expression will
-# be set as the REMOTE_USER. E.g. to strip a domain from an e-mail style address you'd use ^(.*)@
-#
-# An optional 3rd parameter can be added that would contain string with number backreferences.
-# Backreferences must be in the form $1, $2.. etc.
-# E.g. to extract username in the form DOMAIN\userid from e-mail style address you may use
-# ^(.*)@([^.]+)\..+$ $2\\$1
-#OIDCRemoteUserClaim [@] [] [substitution-string]
-OIDCRemoteUserClaim upn
-
-# Define the way(s) in which the id_token contents are passed to the application according to OIDCPassClaimsAs.
-# Must be one or several of:
-# "claims" : the claims in the id_token are passed in individual headers/environment variables
-# "payload" : the payload of the id_token is passed as a JSON object in the "OIDC_id_token_payload" header/environment variable
-# "serialized" : the complete id_token is passed in compact serialized format in the "OIDC_id_token" header/environment variable
-# Note that when OIDCSessionType client-cookie is set, the id_token itself is not stored in the session/cookie (unless explicitly
-# configured to do so) and as such the header for the "serialized" option will not be set.
-# Can be configured on a per Directory/Location basis. When not defined the default "claims" is used..
-#OIDCPassIDTokenAs [claims|payload|serialized]+
-
-# Define the way(s) in which the claims resolved from the userinfo endpoint are passed to the application according to OIDCPassClaimsAs.
-# Must be one or several of:
-# "claims" :
-# the userinfo claims are passed in individual headers/environment variables
-# "json[: header/environment variable
-# "jwt[: header/environment variable
-# "signed_jwt[: header/environment variable
-# - requires OIDCPrivateKeyFiles/OIDCPublicKeyFiles set with an RSA key (RS256) or a prime256v1 Elliptic Curve key(s) (ES256),
-# the first RSA/EC signing key in the configured list will be used
-# - the "expires_in" hint from the access_token is used in the "exp" claim; defaults to 60 seconds if not returned by the OP.
-# - caching of the signed JWT - use with care only - can be configured using:
-# SetEnvIfExpr true OIDC_USERINFO_SIGNED_JWT_CACHE_TTL=
-# or for the duration of the - possibly processed - "exp" claim when set to "0"
-# Can be configured on a per Directory/Location basis. When not defined the default "claims" is used..
-#OIDCPassUserInfoAs [claims|json[:]|jwt[:]|signed_jwt[:]]+
-
-# Only when compiled in with libjq (https://stedolan.github.io/jq/manual/) support: process the claims
-# returned from the userinfo endpoint with a JQ-based expression before propagating them according
-# to OIDCPassUserInfoAs claims|json|signed_jwt (i.e. it does not work for "OIDCPassUserInfoAs jwt")
-#
-# Overwrite the default (provider) "iss" claim, and delete the default "aud" and "name" claims:
-# '. + { iss: "https://myissuer.com" } | del(.aud, .name)'
-# Add new claim with a variable value obtained from an Apache expression https://httpd.apache.org/docs/2.4/expr.html:
-# (be aware that when used with "OIDCPassUserInfoAs signed_jwt" it results in a cached JWT per-user/per-path)
-# '. + { path: "%{REQUEST_URI}" }'
-# Keep sub only:
-# '{ sub: .sub }'
-# Filter out all elements in the "groups" array of strings that contain "DC=Company" :
-# '. + { groups: (.groups - (.groups | map(select(contains("DC=Company"))))) }'
-# Filter out all elements in the "groups" array of strings that match regular expression ^CN=test-.* :
-# '. + { groups: (.groups - (.groups | map(select(match("^CN=test-.*"; "g"))))) }'
-# Can be configured on a per Directory/Location basis. When not defined no processing will be applied.
-#OIDCUserInfoClaimsExpr
-
-# Only when compiled in with libjq (https://stedolan.github.io/jq/manual/) support: applies
-# a JQ filter to claims in the both the id_token and claims returned from the userinfo endpoint
-# before storing them in the session after applying (optional) top-level blacklisting/whitelisting
-# with OIDCBlackListedClaims/OIDCWhiteListedClaims, e.g.:
-# filter out all elements in the "groups" array of strings that match regular expression ^CN=test-.*
-# '. + { groups: (.groups - (.groups | map(select(match("^CN=test-.*"; "g"))))) }'
-# whitelist only "name" and "sub" claims:
-# '{name, sub}'
-# delete "groups", "exp" and "iat"
-# 'del(.groups,.exp,.iat)'
-# When not defined no processing will be applied and all claims will be stored in the session.
-#OIDCFilterClaimsExpr
-
-# Define the way in which the (processed) claims and tokens are passed to the application environment:
-# "none": no claims/tokens are passed
-# "environment": claims/tokens are passed as environment variables
-# "headers": claims/tokens are passed in headers (also useful in reverse proxy scenario's)
-# "both": claims/tokens are passed as both headers as well as environment variables (default)
-#
-# A second parameter can be specified that defines the encoding applied to all values passed in headers
-# and environment variables:
-# "latin1" applies ISO-8859-1 encoding: this may result in out of bound characters converted to the "?" character.
-# "base64url" applies base64url encoding
-# "none" applies no encoding and copies literal values from the claims into the headers/environment variables
-# When not defined the default is "both" and "latin1" encoding is applied to the header/environment values.
-#
-# The access token is passed in OIDC_access_token; the access token expiry is passed in OIDC_access_token_expires.
-# The refresh token is only passed in OIDC_refresh_token if enabled for that specific directory/location (see: OIDCPassRefreshToken)
-#OIDCPassClaimsAs [none|headers|environment|both] [latin1|base64url|none]
-OIDCPassClaimsAs both base64url
-
-# Specify the HTTP header variable name to set with the name of the authenticated user,
-# i.e. copy what is set in REMOTE_USER and configured in OIDCRemoteUserClaim or OIDCOAuthRemoteUserClaim.
-# When not defined no such header is added.
-# This setting can be configured for both the "openid-connect" and "oauth20" AuthType on
-# a server-wide or directory level.
-#OIDCAuthNHeader
-
-# Timeout in seconds for long duration HTTP calls. This defines the maximum duration that a request make take to
-# to complete and is used for most requests to remote endpoints/servers.
-# The optional parameter specifies the connect timeout in seconds, as part of the overall request timeout.
-# The optional parameter specifies the number of retry attempts in case of connectivity errors.
-# When not defined the default of 30 seconds is used, with a 10 second connect timeout, using 1 retry after
-# an interval of 500ms.
-#OIDCHTTPTimeoutLong [] [[:]]
-
-# Timeout in seconds for short duration HTTP calls. This defines the maximum duration that a request may take to
-# to complete and is used for Client Registration and OP Discovery requests.
-# The optional parameter specifies the connect timeout in seconds, as part of the overall request timeout.
-# The optional parameter specifies the number of retry attempts in case of connectivity errors.
-# When not defined the default of 5 seconds is used, with a 2 second connect timeout, using 1 retry with
-# an interval of 500ms.
-#OIDCHTTPTimeoutShort [] [[:]]
-
-# Time to live in seconds for state parameter, i.e. the interval in which the authorization request
-# and the corresponding response need to be processed. When not defined the default of 300 seconds is used.
-#OIDCStateTimeout
-
-# Specify an outgoing proxy for your network. When running on a platform with a recent version of
-# libcurl you can also specify the network protocol, see: https://curl.se/libcurl/c/CURLOPT_PROXY.html
-# When not defined no outgoing proxy is used.
-#OIDCOutgoingProxy [://][:] [:] [basic|digest|negotiate|ntlm|any]
-
-# Defines the action to be taken when an unauthenticated request is made.
-#
-# "auth" means that the user is redirected to the OpenID Connect Provider or Discovery page.
-# "401" means that HTTP 401 Unauthorized is returned.
-# "407" means that HTTP 407 Proxy Authentication Required is returned
-# "410" means that HTTP 410 Gone is returned
-# "pass" means that an unauthenticated request will pass but claims will still be passed when a user happens to be authenticated already
-#
-# Useful in Location/Directory/Proxy path contexts that serve AJAX/Javascript calls and for "anonymous access"
-#
-# When not defined the default is "auth" with auto-detection of requests that would not be able to complete
-# an authentication round trip to the OpenID Connect Provider, which would receive a 401.
-# The default auto-detection algorithm looks for the "X-Requested-With: XMLHttpRequest" header/value, or
-# the presence of a Sec-Fetch-Mode header with a value that is not equal to "navigate", or the presence of
-# a Sec-Fetch-Dest header with a value that is not equal to "document" or the absence of
-# an "Accept" header with any of the values "text/html" "application/xhtml+xml" or "*/*"
-# and returns 401 for such non-auth-capable requests, e.g. XML HTTP Requests, image loading requests etc.
-# that would create a state cookie but never return to delete it.
-# See: https://github.com/OpenIDC/mod_auth_openidc/wiki/Cookies#tldr
-#
-# Only for Apache >= 2.4.x:
-# Since version 2.4.4 a boolean Apache expression as the second parameter to specify which requests
-# need to match to return the configured value in the first parameter to override the default "auth".
-# See also: https://httpd.apache.org/docs/2.4/expr.html.
-# E.g. to only return 401 for cURL-based user agents and "auth" for any other browsers/user agents:
-# OIDCUnAuthAction 401 "%{HTTP_USER_AGENT} =~ /curl/"
-# to effectively override the default XML request detection algorithm by ignoring the Sec-Fetch-Mode,
-# Sec-Fetch-Dest and Accept headers:
-# OIDCUnAuthAction 401 "%{HTTP:X-Requested-With} == 'XMLHttpRequest'"
-# to return 401 for all user agents that do not send an Accept header that includes a "text/html" value:
-# OIDCUnAuthAction 401 "%{HTTP_ACCEPT} !~ m#text/html#"
-# or as a more complex example, which equals the default XML request detection algorithm:
-# OIDCUnAuthAction 401 "%{HTTP:X-Requested-With} == 'XMLHttpRequest' \
-# || ( -n %{HTTP:Sec-Fetch-Mode} && %{HTTP:Sec-Fetch-Mode} != 'navigate' ) \
-# || ( -n %{HTTP:Sec-Fetch-Dest} && %{HTTP:Sec-Fetch-Dest} != 'document' ) \
-# || ( ( %{HTTP_ACCEPT} !~ m#text/html# ) \
-# && ( %{HTTP_ACCEPT} !~ m#application/xhtml\+xml# ) \
-# && ( %{HTTP_ACCEPT} !~ m#\*/\*# ) )"
-# To enable authentication in an iframe you need to change the Sec-Fetch-Dest part above in:
-# || ( -n %{HTTP:Sec-Fetch-Dest} && %{HTTP:Sec-Fetch-Dest} != 'iframe' && %{HTTP:Sec-Fetch-Dest} != 'document') \
-# To disable auto-detection of XML HTTP request altogether and unconditionally return "auth" for all clients:
-# OIDCUnAuthAction auth true
-# Note that actually *any* expression value in "OIDCUnAuthAction auth " will *always* render "auth"
-# (even when set to "false"...) because of the default, so using an value (other than "true") only
-# makes sense in combination with one of the values other than "auth".
-#OIDCUnAuthAction [auth|pass|401|407|410] []
-
-# Defines the action to be taken when an unauthorized request is made, i.e. the user is authenticated but
-# does not meet the `Require claim <>` directives or similar.
-# "401" return HTTP 401 Unauthorized with optional text message if specified in
-# "403" return HTTP 403 Forbidden with optional text message; NB: for Apache 2.4 this is controlled by the AuthzSendForbiddenOnFailure directive!
-# "302" redirect to the URL specified in the parameter
-# "auth" redirect the user to the OpenID Connect Provider or Discovery page for authentication ( is unused)
-# Useful in Location/Directory/Proxy path contexts that need to do step-up authentication
-# Be aware that this will only work in combination with a single Require statement or RequireAll,
-# so using RequireAny and multiple Require statements is not supported.
-# Also for "auth", the expression argument for OIDCUnAuthAction is re-used here to detect XHR requests.
-# When not defined the default "403" is used. However Apache 2.4 will change this to 401 unless you set "AuthzSendForbiddenOnFailure on"
-#OIDCUnAutzAction [401|403|302|auth] []
-
-# Indicates whether POST data will be preserved across authentication requests (and discovery in case of multiple OPs).
-# This is designed to prevent data loss when a session timeout occurs in a (long) user filled HTML form.
-# It cannot handle arbitrary payloads for security (DOS) reasons, merely form-encoded user data.
-# Preservation is done via HTML 5 session storage: note that this can lead to private data exposure on shared terminals.
-# The default is "Off" (for security reasons). Can be configured on a per Directory/Location basis.
-#OIDCPreservePost [On|Off]
-
-# POST preserve and restore templates to be used with OIDCPreservePost
-# template needs to contain two "%s" characters
-# the first for the JSON formatted POST data, the second for the URL to redirect to after preserving
-# template needs to contain one "%s"
-# which contains the (original) URL to POST the restored data to
-# The default is to use internal templates
-#OIDCPreservePostTemplates
-
-# Indicates whether the access token and access token expiry will be passed to the application in a header/environment variable, according
-# to the OIDCPassClaimsAs directive.
-# Can be configured on a per Directory/Location basis. The default is "On".
-#OIDCPassAccessToken [On|Off]
-#
-# Indicates whether the refresh token will be passed to the application in a header/environment variable, according
-# to the OIDCPassClaimsAs directive.
-# Can be configured on a per Directory/Location basis. The default is "Off".
-#OIDCPassRefreshToken [On|Off]
-
-# Request Object/URI settings expressed as a string that is a "double-quote-escaped" JSON object. For example:
-# "{ \"copy_from_request\": [ \"claims\", \"response_type\", \"response_mode\", \"login_hint\", \"id_token_hint\", \"nonce\", \"state\", \"redirect_uri\", \"scope\", \"client_id\" ], \"static\": { \"some\": \"value\", \"some_nested\": { \"some_array\": [ 1,2,3] } }, \"crypto\": { \"sign_alg\": \"HS256\", \"crypt_alg\": \"A256KW\", \"crypt_enc\": \"A256CBC-HS512\" }, \"url\": \"https://www.openidc.com/protected/\", \"request_object_type\" : \"request\" }"
-# Parameters:
-# copy_from_request (array) : array of query parameter names copied from request
-# copy_and_remove_from_request (array) : array of parameter names copied from request and removed as query parameter
-# static (object) : parameter value is merged to the request object
-# ttl (number) : number of seconds before the request object expires (default is 30 seconds)
-# translates to the `exp` claim in the request object
-# crypto (object) : defines cryptography used to create request object
-# sign_alg (string) : algorithm used to sign request object (JWS alg parameter)
-# crypt_alg (string) : algorithm used to encrypt CEK of request object (JWE alg parameter)
-# crypt_enc (string) : algorithm used to encrypt request object (JWE enc parameter)
-# url (string) : use this url instead of redirect_uri for request_uri
-# request_object_type (string) : parameter used for sending authorization request object
-# "request_uri" (default) or "request"
-# NB: this can be overridden on a per-OP basis in the .conf file using the key: request_object
-#OIDCRequestObject
-
-# Provider metadata refresh interval for the metadata in a multi-provider setup (with OIDCMetadataDir).
-# When not defined the default is 0 seconds, i.e. it is never refreshed.
-# Also used in a single provider setup with OIDCProviderMetadatURL but 0 then means the default of 1 day.
-#OIDCProviderMetadataRefreshInterval
-
-# Define the data that will be returned upon calling the info hook.
-# The data can be JSON formatted using ?info=json, or HTML formatted, using ?info=html. -# iat (int) : Unix timestamp indicating when this data was created -# access_token (string) : the access token -# access_token_expires (int) : the Unix timestamp which is a hint about when the access token will expire (as indicated by the OP) -# id_token (object) : the claims presented in the ID token -# id_token_hint (string) : the serialized ID token -# userinfo (object) : the claims resolved from the UserInfo endpoint -# refresh_token (string) : the refresh token (if returned by the OP) -# exp (int) : the maximum session lifetime (Unix timestamp in seconds) -# timeout (int) : the session inactivity timeout (Unix timestamp in seconds) -# remote_user (string) : the remote user name -# session (object) : (for debugging) mod_auth_openidc specific session data such as "remote user", "session expiry", "session id" and a "state" object -# Note that when using "ProxyPass /" you may have to add a proxy exception for the Redirect URI -# for this to work, e.g. "ProxyPass /redirect_uri !" -# When not defined the session hook will not return any data but a HTTP 404. -#OIDCInfoHook [iat|access_token|access_token_expires|id_token|id_token_hint|userinfo|refresh_token|exp|timeout|remote_user|session]+ - -# Specify metrics that you wish to collect and keep in shared memory for retrieval. -# Supported metrics classes are: -# authtype Request counter, overall and per AuthType: openid-connect, oauth20 and auth-openidc. -# authn Authentication request creation and response processing. -# authz Authorization errors per OIDCUnAutzAction (per Require statement, not overall). -# require.claim Match/failure count of Require claim directives (per Require statement, not overall). -# claim.* ID token / Userinfo claim name/value at login and refresh. -# provider Requests to the provider [token, userinfo, metadata] endpoints. -# session Existing session processing. 
-# cache Cache read/write timings and errors. -# redirect_uri Requests to the Redirect URI, per type. -# content Requests to the content handler, per type of request: info, metrics, jwks, etc. -# When not defined no metrics will be recorded. -#OIDCMetricsData [ authtype | authn | authz | require.claim | claim.id_token.* | claim.userinfo.* | requests | session | cache | redirect_uri | content ]+ - -# Specify the path where metrics are published and can be consumed. -# The format parameter can be passed to specify the format in which the collected data is returned. -# format=prometheus Prometheus text-based exporter -# format=json (non-standard) JSON with descriptions and names -# format=status short text-based status message "OK" plus optional counter (&vhost=&counter=) -# format=internal internal terse JSON for debugging purposes -# The default is "prometheus". -# Protect this path (e.g. Require host localhost) or serve it on an internal co-located vhost/port. -# When not defined, no metrics will be published on the enclosing vhost. -#OIDCMetricsPublish - -# Set a traceparent HTTP header on outgoing requests to the provider and proxied requests. -# propagate: propagate any existing traceparent header on requests to the Provider (it's proxied as it is) -# generate: generate a traceparent header, possibly overwriting an existing one -# The default is "off": do not propagate, add (or overwrite) a traceparent header. -#OIDCTraceParent off | generate | propagate - -# Specify claims that should be removed from the userinfo and/or id_token before storing them in the session. -# Note that OIDCBlackListedClaims takes precedence over OIDCWhiteListedClaims -# When not defined no claims are blacklisted and all claims are stored except when OIDCWhiteListedClaims is used. -#OIDCBlackListedClaims []+ - -# Specify claims from the userinfo and/or id_token that should be stored in the session (all other claims will be discarded). 
-# Note that OIDCBlackListedClaims takes precedence over OIDCWhiteListedClaims -# When not defined no claims are whitelisted and all claims are stored except when blacklisted with OIDCBlackListedClaims. -#OIDCWhiteListedClaims []+ - -# Specify the minimum time-to-live for the access token stored in the OIDC session. -# When the access token expiry timestamp (at least the hint given to that) is less than this value, -# an attempt will be made to refresh the access token using the refresh token grant type towards the OP. -# This only has an effect if a refresh token was actually returned from the OP and an "expires_in" hint -# was returned as part of the authorization response and subsequent refresh token responses. -# When not defined no attempt is made to refresh the access token (unless implicitly through OIDCUserInfoRefreshInterval) -# The optional logout_on_error flag makes the refresh logout the current local session if the refresh fails. -# The optional authenticate_on_error flag sends the user for authentication when the refresh fails. -#OIDCRefreshAccessTokenBeforeExpiry [logout_on_error | authenticate_on_error | 502_on_error] - -# Defines which headers will be used as the "state" input for calculating the fingerprint of the browser -# during authentication. When not defined the default "user-agent" is used. 
-#OIDCStateInputHeaders [user-agent|x-forwarded-for|both|none] - -# Define one or more regular expressions that specify URLs (or domains) allowed for post logout and -# other redirects such as the "return_to" value on refresh token requests, the "login_uri" value -# on session management-based logins through the OP iframe, and the "target_link_uri" parameter in -# 3rd-party initiated logins, e.g.: -# OIDCRedirectURLsAllowed ^https://www\.example\.com ^https://(\w+)\.example\.org ^https://example\.net/app -# or: -# OIDCRedirectURLsAllowed ^https://www\.example\.com/logout$ ^https://www\.example\.com/app/return_to$ -# When not defined, the default is to match the hostname in the URL redirected to against -# the hostname in the current request. -#OIDCRedirectURLsAllowed []+ - -# Defines the value of the X-Frame-Options header returned on OIDC front-channel logout requests. -# See also https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Frame-Options. -# For example: -# OIDCLogoutXFrameOptions: sameorigin -# or: -# OIDCLogoutXFrameOptions: allow-from https://provider.example.com/ -# When not defined the default is "DENY". -#OIDCLogoutXFrameOptions - -# Define the X-Forwarded-* or Forwarded headers that will be considered as set by a reverse proxy -# in front of mod_auth_openidc. Must be one or more of: -# X-Forwarded-Host -# X-Forwarded-Port -# X-Forwarded-Proto -# Forwarded -# none -# When not defined or "none", such headers will be ignored. -#OIDCXForwardedHeaders
+
diff --git a/roles/apache_php/tasks/main.yml b/roles/apache_php/tasks/main.yml
deleted file mode 100644
index 7819e81..0000000
--- a/roles/apache_php/tasks/main.yml
+++ /dev/null
@@ -1,20 +0,0 @@
-- name: Install standard expected packages
- package:
- name: acl,php,php-apache2,php-session,php-iconv
-
-- name: Get installed packages
- package_facts:
-
-- name: Set PHP version
- set_fact:
- php_version: "{{ ansible_facts.packages | select('match', '^php[0-9]+$') | first | replace('php', '') }}"
-
-- name: Set PHP settings
- lineinfile:
- path: '/etc/php{{ php_version }}/php.ini'
- regexp: '^{{ item.key }}\s*='
- line: '{{ item.key }} = {{ item.value }}'
- loop:
- - key: upload_max_filesize
- value: 200M
-
diff --git a/roles/reverse_proxy/README.md b/roles/reverse_proxy/README.md
deleted file mode 100644
index ab83b7a..0000000
--- a/roles/reverse_proxy/README.md
+++ /dev/null
@@ -1,5 +0,0 @@
-Set up a basic nginx reverse proxy.
-
-NetBox config context should contain a proxy_pass property with the server address.
-
-Custom error page can be placed in /srv/http/error/index.html.
diff --git a/roles/reverse_proxy/meta/main.yml b/roles/reverse_proxy/meta/main.yml
deleted file mode 100644
index 69891c7..0000000
--- a/roles/reverse_proxy/meta/main.yml
+++ /dev/null
@@ -1,2 +0,0 @@
-dependencies:
- - role: nginx
diff --git a/roles/reverse_proxy/tasks/main.yml b/roles/reverse_proxy/tasks/main.yml
deleted file mode 100644
index 8cbf5ce..0000000
--- a/roles/reverse_proxy/tasks/main.yml
+++ /dev/null
@@ -1,5 +0,0 @@
-- name: Set up nginx site
- template:
- dest: '/etc/nginx/http.d/{{ inventory_hostname }}.conf'
- src: 'nginx.conf.j2'
- notify: reload nginx
diff --git a/roles/reverse_proxy/templates/nginx.conf.j2 b/roles/reverse_proxy/templates/nginx.conf.j2
deleted file mode 100644
index 357247b..0000000
--- a/roles/reverse_proxy/templates/nginx.conf.j2
+++ /dev/null
@@ -1,31 +0,0 @@
-server {
- server_name {{ ([dns_name] + tls_domains|default([])) | join(" ") }};
-
- listen [::]:443 ssl ipv6only=off;
- ssl_certificate /etc/letsencrypt/live/{{ dns_name }}/fullchain.pem;
- ssl_certificate_key /etc/letsencrypt/live/{{ dns_name }}/privkey.pem;
-
- error_page 500 501 502 503 504 505 506 507 508 510 511 /error/;
-
- location / {
- proxy_pass {{ proxy_pass }};
- proxy_set_header Host $http_host;
- proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
- proxy_set_header X-Real-IP $remote_addr;
-
- proxy_connect_timeout 30s;
- proxy_read_timeout 800s;
- proxy_request_buffering off;
- proxy_max_temp_file_size 0;
- client_max_body_size 200M;
-
- # TODO maybe
- #proxy_ssl_verify on;
- #proxy_ssl_trusted_certificate /etc/ssl/certs/ca-certificates.crt;
- }
-
- location /error/ {
- root /srv/http;
- try_files $uri $uri/index.html =503;
- }
-}