OIDC RP

From GFIPM Implementation Wiki
Revision as of 14:30, 19 June 2018 by Jeff.Krug (Talk | contribs)


About

This page is a brief introduction to deploying an OpenID Connect (OIDC) Relying Party (RP) with mod_auth_openidc. There are many ways to do this, since numerous libraries support OIDC. There are also OIDC client RPs that run on a mobile device or in a browser; these function a bit differently, as they would not hold a credential issued by the OIDC Provider (such as the client secret used in the sample below).

Deploying

For the NIEF Testbed, mod_auth_openidc offered the best option for deploying an OIDC RP, as it operates as an Apache httpd module (with an integration method somewhat similar to the Shibboleth SP). This httpd module was developed by Ping Identity and is available for free here: https://github.com/zmartzone/mod_auth_openidc.

The GitHub repository includes numerous sample configurations that can provide guidance on configuring the module for your environment and needs.

NIEF Testbed Sample

A sample config from the NIEF Testbed is also provided, as it includes a couple of minor things not found elsewhere (specifically, requesting the NIEF scope from an OIDC Provider):

  # Discovery document; the module reads the OP's endpoints and signing keys from here
  OIDCProviderMetadataURL https://openid.nief.org/oidc/.well-known/openid-configuration
  # Scopes requested from the OP; "nief" is the NIEF-specific scope
  OIDCScope "profile openid email nief"
  # Client credentials registered with the OP (confidential client)
  OIDCClientID [Generated by OIDC Provider]
  OIDCClientSecret [Generated by OIDC Provider]
  # Callback URL: a path under the protected Location that serves no content of its own
  OIDCRedirectURI https://testsp.nief.org/oidctest/claims_consumer
  # Used only locally to encrypt the module's cookies and state
  OIDCCryptoPassphrase [Any random string used locally for session management]
  <Location /oidctest/>
      AuthType openid-connect
      # Grant access when the "sub" claim matches the regex \w (i.e. any authenticated subject)
      Require claim "sub~\w"
  </Location>
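To make concrete what the directives above ask the module to do, here is an added example (not mod_auth_openidc code and not part of the original page) that walks through the RP side in plain Python: build the authorization request from the provider metadata with the requested scopes, validate the claims of a returned ID token against the issuer, client ID and nonce, and then apply a `Require claim` style rule. The provider metadata, client ID, redirect URI and token claims are constructed stand-ins; the `require_claim` function follows the two rule forms used in the configuration (`name:value` for an exact match, `name~regex` for a regular expression, as in `sub~\w`), but its matching logic is this example's own. Signature verification of the ID token against `jwks_uri` is assumed to have already happened and is not shown.

```python
"""Illustrative OIDC RP logic (added example, not mod_auth_openidc code)."""
import re
import secrets
import time
from urllib.parse import urlencode

# Constructed stand-in for the JSON served at OIDCProviderMetadataURL.
PROVIDER_METADATA = {
    "issuer": "https://openid.example.org/oidc",
    "authorization_endpoint": "https://openid.example.org/oidc/authorize",
    "token_endpoint": "https://openid.example.org/oidc/token",
    "jwks_uri": "https://openid.example.org/oidc/jwks",
    "scopes_supported": ["openid", "profile", "email", "nief"],
}

# Assumed values standing in for OIDCClientID, OIDCRedirectURI and OIDCScope.
CLIENT_ID = "rp-client-id-placeholder"
REDIRECT_URI = "https://rp.example.org/oidctest/claims_consumer"
SCOPE = "profile openid email nief"


def build_authorization_request(metadata, client_id, redirect_uri, scope):
    """Return (url, state, nonce): the redirect the RP sends the browser to.

    state binds the callback to this browser session; nonce is echoed in the
    ID token so a token minted for a different request cannot be replayed.
    """
    state = secrets.token_urlsafe(32)
    nonce = secrets.token_urlsafe(32)
    params = {
        "response_type": "code",
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "scope": scope,
        "state": state,
        "nonce": nonce,
    }
    return metadata["authorization_endpoint"] + "?" + urlencode(params), state, nonce


def validate_id_token_claims(claims, metadata, client_id, expected_nonce, now=None):
    """Check the claim set of an ID token whose signature was already verified.

    Returns (ok, reason). Signature verification against jwks_uri is assumed
    to have been done before calling this; it is out of scope here.
    """
    now = time.time() if now is None else now
    if claims.get("iss") != metadata["issuer"]:
        return False, "issuer mismatch"
    aud = claims.get("aud")
    audiences = aud if isinstance(aud, list) else [aud]
    if client_id not in audiences:
        return False, "audience mismatch"
    if claims.get("exp", 0) <= now:
        return False, "token expired"
    if claims.get("nonce") != expected_nonce:
        return False, "nonce mismatch"
    if not claims.get("sub"):
        return False, "missing sub"
    return True, "ok"


def require_claim(rule, claims):
    """Evaluate a 'Require claim' style rule: 'name:value' or 'name~regex'.

    Mirrors the two rule forms from the Apache configuration above; the
    matching implementation here is this example's own, not the module's.
    """
    if "~" in rule:
        name, pattern = rule.split("~", 1)
        matcher = lambda v: re.search(pattern, str(v)) is not None
    elif ":" in rule:
        name, expected = rule.split(":", 1)
        matcher = lambda v: str(v) == expected
    else:
        raise ValueError("rule must be name:value or name~regex")
    value = claims.get(name)
    if value is None:
        return False
    values = value if isinstance(value, list) else [value]
    return any(matcher(v) for v in values)


if __name__ == "__main__":
    url, state, nonce = build_authorization_request(
        PROVIDER_METADATA, CLIENT_ID, REDIRECT_URI, SCOPE)
    print("redirect browser to:", url)
    # Constructed claim set standing in for a decoded, signature-verified ID token.
    claims = {"iss": PROVIDER_METADATA["issuer"], "aud": CLIENT_ID,
              "exp": time.time() + 300, "nonce": nonce, "sub": "user123"}
    print(validate_id_token_claims(claims, PROVIDER_METADATA, CLIENT_ID, nonce))
    print("Require claim sub~\\w ->", require_claim("sub~\\w", claims))
```

The order matters: the claim rule in the `Location` block is an authorization step that only makes sense after the token's issuer, audience, expiry and nonce have been checked, which is why `require_claim` is applied last.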