OIDC RP
About
This page is a brief introduction to deploying an OpenID Connect (OIDC) Relying Party (RP) with mod_auth_openidc. There are many ways to do this, as numerous libraries support it. Additionally, there are OIDC client RPs that run on a mobile device or in a browser; these function a bit differently, as they wouldn't have a credential issued by the OIDC Provider.
Deploying
For the NIEF Testbed, mod_auth_openidc offered the best option for deploying an OIDC RP, as it operates as an Apache httpd module (with an integration method somewhat similar to that of the Shibboleth SP). This httpd module was developed by Ping Identity and is available for free here: https://github.com/zmartzone/mod_auth_openidc.
The GitHub repository includes numerous sample configurations that can provide guidance on how to configure it for your environment and needs.
NIEF Testbed Sample
A sample config from the NIEF Testbed is provided as well, as it includes a couple of minor things not found elsewhere (specifically, requesting the NIEF scope from an OIDC Provider):
OIDCProviderMetadataURL https://openid.nief.org/oidc/.well-known/openid-configuration
OIDCScope "profile openid email nief"
OIDCClientID [Generated by OIDC Provider]
OIDCClientSecret [Generated by OIDC Provider]
OIDCRedirectURI https://testsp.nief.org/oidctest/claims_consumer
OIDCCryptoPassphrase [Any random string used locally for session management]
<Location /oidctest/>
    AuthType openid-connect
    Require claim "sub~\w"
</Location>