Skip to content

Commit

Permalink
Improve howto for remote user
Browse files Browse the repository at this point in the history
  • Loading branch information
hmpf committed Nov 2, 2023
1 parent e297772 commit b157af0
Showing 1 changed file with 82 additions and 21 deletions.
103 changes: 82 additions & 21 deletions doc/howto/mod_auth_openidc_feide.rst
Original file line number Diff line number Diff line change
Expand Up @@ -2,6 +2,55 @@
Authenticating with the apache plugin `mod_auth_openidc <https://github.com/zmartzone/mod_auth_openidc>`_ and Feide
===================================================================================================================

Enabling the plugin on Debian
=============================

First check if the plugin is already installed and enabled::

$ sudo apache2ctl -M | grep openid
auth_openidc_module (shared)

If it is, go straight to `Configuration`_.

If not:

Install the plugin::

$ sudo apt install libapache2-mod-auth-openidc

This should create the following files::

/etc/apache2/mods-available/auth_openidc.conf
/etc/apache2/mods-available/auth_openidc.load
/etc/apache2/mods-enabled/auth_openidc.conf
/etc/apache2/mods-enabled/auth_openidc.load

Enable with::

# a2enmod auth_openidc

Disable with::

$ sudo a2dismod auth_openidc

Feide Kundeportal configuration
===============================

You will need to ask somebody with the correct access-rights at `Feide
kundeportal <https://kunde.feide.no>`_ for your organization to create an
OpenID Connect-configuration. Configurations are locked to a specific nav
domain name and user group and cannot be shared. If the domainname is updated
the Feide and Apache2-configurations will need to be updated as well.

The Feide admin will need:

* A name for configuration, we recommend: "NAV: domainname" or "NAV: your organization".
* An url to redirect to after login, this is the domainname followed by
a relative url that is *not served by NAV*. We use ``/oidc`` in this howto.

Apache2 Configuration
=====================

Apache virtual host configuration::

<Location />
Expand Down Expand Up @@ -44,43 +93,55 @@ Apache virtual host configuration::
</Location>

OIDCProviderMetadataURL https://auth.dataporten.no/.well-known/openid-configuration
OIDCClientID XXX
OIDCClientSecret YYY
OIDCRedirectURI ZZZ/oidc/
OIDCClientID SOME-UUID
OIDCClientSecret SOME-OTHER-UUID
OIDCRedirectURI DOMAINNAME/oidc/
OIDCCryptoPassphrase LONGRANDOMSTRING
OIDCOAuthRemoteUserClaim "dataporten-userid_sec"
OIDCOAuthRemoteUserClaim "https://n.feide.no/claims/eduPersonPrincipalName"
OIDCScope "userid userid-feide openid"

Note the first location block, where two lines need be added to what is already
there. This locks down the entire site. We haven't found a way with this plugin
to do it any other way.
Note the first location block (``<Location />``), where two lines need be added
to what is already there. This locks down the entire site. We haven't found
a way with this plugin to do it any other way.

The second location block just needs to be a url that is not in use by
anything else, this is used by the plugin as its edndpoint.
The second location block (``<Location /oidc>``) just needs to be a relative
url that is not in use by anything else, this is used by the plugin as its
endpoint.

The third location block is the url the plugin redirects to after logout.
The third location block (``<Location /index/logout>``) is the url the plugin
redirects to after logout.

The remaining location blocks are either public urls (``/doc``, ``/about``),
parts of NAV that has its own authentication system (``/api``), or must not be
under the control of the plugin for the web frontend to correctly function
(``/refresh_session``).

In the lines that configure the plugin, **XXX** and **YYY** is generated by
`Feide at its dashboard <https://dashboard.dataporten.no>`_. **ZZZ** is the
domain name of the NAV instance, suffixed with the plugin's magic endpoint url.
The entire url needs to be registered at the Feide dashboard as a redirect URI
under *Basic info*. Under *Permissions*, the scopes mentioned under
``OIDCScope`` must be accepted.
**LONGRANDOMSTRING** is a long, random string without whitespace that can be
generated by anything.
```OIDCClientID`` needs to be set to the fixed generated *client id*, while
``OIDCClientSecret`` needs to be set to the changeable ``client secret``. Both
are to be found in `Feide Kundeportal <https://kunde.feide.no>`_.

``OIDCRedirectURI`` is the domain name of the NAV instance, suffixed with the
plugin's magic endpoint url, in this case ``/oidc/``.
This url needs to be registered at the Feide dashboard as a redirect URI
under *Redirect URI after login*.

``OIDCCryptoPassphrase`` is used as a seed and should be kept secret.

``OIDCOAuthRemoteUserClaim`` is what information will be used as the username.

``OIDCScope`` must at minimum contain ``"userid userid-feide openid"``.

NAV configuration
=================

``webfront.conf``::

[remote-user]
enabled = yes
varname = HTTP_OIDC_CLAIM_DATAPORTEN_USERID_SEC
varname = REMOTE_USER
logout-url = /oidc/?logout=
workaround = feide-oidc

"oidc" in the ``logout-url`` is the same url as the ``oidc``-block in the
apache configuration and the redirect URI in the Feide dashboard.
"oidc" in the ``logout-url`` points to the same place as the
``<Location /oidc>``-block in the apache configuration and the redirect URI in
the Feide dashboard.

0 comments on commit b157af0

Please sign in to comment.