Getting started with mod_auth_openidc and Azure

I am trying to use this guide https://github.com/zmartzone/mod_auth_openidc/wiki/Azure-OAuth-2.0-and-OpenID-Connect to enable authentication on a directory in Apache.

I have a running site where SSL/PHP and everything else work.

Part of my .conf file for this site now looks like this.

<VirtualHost 123.12.12.12:443>

OIDCProviderMetadataURL https://sts.windows.net/hiddenc123-5ahiddensds-b3f2-sds22/.well-known/open$
OIDCRedirectURI https://mysite.com/test2/

OIDCClientID hidden123123123
OIDCClientSecret Test
OIDCCryptoPassphrase hiddenasdasdasdasd

OIDCScope "openid email"

OIDCRemoteUserClaim email


<Location /var/www/mysite/html/test>
    SSLRequireSSL
    SSLOptions +StdEnvVars

    AuthType openid-connect
    require valid-user


    Options Includes FollowSymLinks
    AllowOverride AuthConfig Limit
    Order allow,deny
    Allow from all
</Location>

Then I did service apache2 restart
When I run apachectl configtest I get no error regarding mod_auth_openidc. So I think this module is correctly installed.

But no authentication is enabled on the folder that I would like to protect. Also, no error messages appear in the web browser.

I now have some questions:

Should I expect an error message when it does not work? So something must be wrong? Or something that is not correctly activated?

What is OIDCRedirectURI? Do I need some PHP code for this? Is that not the URL that I would like to protect? (https://mysite.com/test2/)

Where can I find app_password for my app in Azure AD? (see attachment)
Where can I find some_custom_passphrase?
Is that under Keys? (attachment)

Hopefully some answers here will get me forward.

Env:
Ubuntu 18.04.2 LTS
Apache2/mod_auth_openidc/PHP
Office 365 Business with Azure AD
greenshoots Asked:

David Favor (Linux/LXD/WordPress/Hosting Savant) Commented:
Try this, just to make sure your module is installed. If your module is installed, you'll see the module name show up...

apachectl -M | grep -i openidc


David Favor (Linux/LXD/WordPress/Hosting Savant) Commented:
Be sure all these match your assigned settings, when you generated these using the Azure Portal...

OIDCClientID [app_id]
OIDCClientSecret [app_password]
OIDCCryptoPassphrase [some_custom_passphrase]

greenshoots (Author) Commented:
apachectl -M | grep -i openidc
auth_openidc_module (shared)

Is that ok?

Prabhin MP (DevOps Engineer) Commented:
The above output shows the module is installed and active.
Are you able to see any logs in Apache? I mean in both error and access logs.
You can increase the logging by changing the verbosity of the logs.
Your app_id. This you get when you create a new App in the Azure Portal
Your app_password. You'll get this when you go through setting up the rest of the newly registered App you just created.
greenshoots (Author) Commented:
I did something wrong with those.

OIDCClientID [app_id]
OIDCClientSecret [app_password]
OIDCCryptoPassphrase [some_custom_passphrase]

I found a brilliant Swedish site which helped me a lot:
https://www.cloudnet.se/blogg/koppla-apache-mot-microsoft-azure-ad-med-mod_openidc/


I also changed from
<Location /var/www/mysite/html/test>
 to
<Location /test2>

That also did the trick.

And also
OIDCRedirectURI https://mysite.com/test2/ 
to
OIDCRedirectURI https://mysite.com/test2


Now it kind of works. But I get some other errors.

In the browser I see this:

Error:

OpenID Connect Provider error: Remote user could not be set: contact the website administrator

And in the log file (I deleted a long link):
/var/log/apache2/error.log

[Tue Apr 30 17:28:51.249369 2019] [auth_openidc:warn] [pid 43029] [client 11.12.11.2:60032] oidc_get_remote_user: JSON object did not contain a "email" string, referer: https://login.microsoftonli

[Tue Apr 30 17:28:51.249458 2019] [auth_openidc:error] [pid 43029] [client 11.12.11.2:60032] oidc_set_request_user: OIDCRemoteUserClaimis set to "email", but could not set the remote user based on the requested claim "email" and the available claims for the user, referer: https://login.microsoftonl

[Tue Apr 30 17:28:51.249474 2019] [auth_openidc:error] [pid 43029] [client 11.12.11.2:60032] oidc_handle_authorization_response: remote user could not be set, referer: https://login.microsofto

How to dig into this?
greenshoots (Author) Commented:
With those settings it seems to work:

  # The URL you have selected as endpoint
  OIDCRedirectURI https://openid-app.cloudnet.cloud/openid-start-session
  # OIDCCryptoPassphrase can be anything
  OIDCCryptoPassphrase zZZzzZZZaaaa
  # To work with Azure AD
  OIDCResponseType id_token
  OIDCResponseMode form_post
  # Azure AD connection
  OIDCProviderMetadataURL https://login.microsoftonline.com/anders1arbast.onmicrosoft.com/.well-known/openid-configuration
  OIDCProviderIssuer https://sts.windows.net/e98c0afb-9b00-47a5-b843-2a3e1a36e085/

  # Azure AD app info
  OIDCClientID d2e491bc-fa4f-456f-918a-4b14b004e45e
  OIDCClientSecret aaiaalwj2h3HrhYoIp0bHXazGsRIoWEy7+FY/Ys1dY=
David Favor (Linux/LXD/WordPress/Hosting Savant) Commented:
The problem showing up in logs is because you have this in your VirtualHost container...

OIDCScope "openid email"

OIDCRemoteUserClaim email

Using the string email will likely never work.

You require a valid email address. Likely an address you check frequently + respond to, if contacted by Microsoft.
greenshoots (Author) Commented:
It works with:

OIDCResponseType id_token
OIDCResponseMode form_post


so if I remove

OIDCScope "openid email"
OIDCRemoteUserClaim email

it works
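The three things that went wrong in this thread can be caught before restarting Apache: a filesystem path inside a Location block (which apachectl configtest accepts, yet protects nothing, so the directory stays open without any error), a redirect URI that does not sit under a Location protected by the module, and an OIDCRemoteUserClaim naming a claim the provider never sends. The lint below is an added example written for this thread; it is not the asker's configuration and not code from mod_auth_openidc. The config text, hostnames, IDs and the claim set are constructed, the list of required directives and the filesystem-prefix heuristic are assumptions, and the claim lookup only mirrors the behaviour visible in the log lines above (claim must exist as a string, default claim name "sub").

```python
"""Lint a mod_auth_openidc fragment for the pitfalls hit in this thread.
Added example, not the asker's or the module's code; all values are constructed."""
import re
from urllib.parse import urlparse

# Heuristic (assumption): a Location starting with one of these is a filesystem
# path. Location matches URL paths, so such a block protects nothing.
FS_PREFIXES = ("/var/", "/home/", "/srv/", "/usr/", "/opt/", "/etc/")
# Directives the thread needed before anything worked (assumption, not the
# module's own list of mandatory settings).
REQUIRED = ("oidcprovidermetadataurl", "oidcredirecturi", "oidcclientid",
            "oidcclientsecret", "oidccryptopassphrase")

def parse_config(text):
    """Return (global_directives, [(location_path, directives), ...]).
    Directive names are lower-cased (Apache is case-insensitive); quotes are
    stripped from values; containers other than Location are ignored."""
    global_directives, locations, current = {}, [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        opened = re.match(r"<Location\s+(\S+)\s*>$", line, re.IGNORECASE)
        if opened:
            current = (opened.group(1), {})
            locations.append(current)
            continue
        if re.match(r"</Location\s*>$", line, re.IGNORECASE):
            current = None
            continue
        if line.startswith("<"):          # VirtualHost, Directory, ...: skip
            continue
        name, _, value = line.partition(" ")
        target = current[1] if current else global_directives
        target[name.lower()] = value.strip().strip('"')
    return global_directives, locations

def _inside(path, prefix):
    """True if URL path lies under prefix (both without trailing slash)."""
    return prefix == "/" or path == prefix or path.startswith(prefix + "/")

def lint_config(text):
    """Return human-readable findings; an empty list means no pitfall found."""
    g, locations = parse_config(text)
    findings, protected = [], []
    for path, directives in locations:
        if path.startswith(FS_PREFIXES):
            findings.append(f"<Location {path}>: looks like a filesystem path; "
                            "Location matches URL paths, so this protects nothing")
        if directives.get("authtype", "").lower() == "openid-connect":
            protected.append(path.rstrip("/") or "/")
    findings += [f"missing directive {n}" for n in REQUIRED if n not in g]
    redirect = g.get("oidcredirecturi")
    if redirect:
        rpath = urlparse(redirect).path.rstrip("/") or "/"
        if not any(_inside(rpath, p) for p in protected):
            findings.append(f"OIDCRedirectURI {redirect}: not under any Location "
                            "with AuthType openid-connect, so the module never "
                            "handles the provider's callback")
    return findings

def resolve_remote_user(claims, remote_user_claim="sub"):
    """Mirror the OIDCRemoteUserClaim lookup: the named claim must be present
    as a string, otherwise no remote user is set and the request fails with
    "Remote user could not be set". The module's default claim is "sub"."""
    value = claims.get(remote_user_claim)
    return value if isinstance(value, str) else None

# Constructed fragment shaped like the asker's first attempt (placeholders only).
BROKEN = """
<VirtualHost 203.0.113.10:443>
OIDCProviderMetadataURL https://login.example.test/.well-known/openid-configuration
OIDCRedirectURI https://mysite.example/test2/
OIDCClientID constructed-app-id
OIDCClientSecret constructed-app-password
OIDCCryptoPassphrase constructed-passphrase
OIDCScope "openid email"
OIDCRemoteUserClaim email
<Location /var/www/mysite/html/test>
    AuthType openid-connect
    require valid-user
</Location>
</VirtualHost>
"""
# The two changes the asker made: a URL path in Location, redirect URI under it.
FIXED = BROKEN.replace("/var/www/mysite/html/test", "/test2").replace(
    "https://mysite.example/test2/", "https://mysite.example/test2")
# Constructed claim set resembling an ID token that carries no "email" claim.
CLAIMS_NO_EMAIL = {"sub": "constructed-subject-id",
                   "upn": "user@example.test", "name": "Constructed User"}

if __name__ == "__main__":
    print("broken:", lint_config(BROKEN), "\nfixed:", lint_config(FIXED))
    print("email ->", resolve_remote_user(CLAIMS_NO_EMAIL, "email"))
```

Running it reports two findings for the constructed broken fragment (the filesystem path and the redirect URI outside any protected Location) and none for the fixed one, and resolving the remote user through the "email" claim returns None, which is the configuration-side view of the "JSON object did not contain a \"email\" string" warning in the log above. The module's own documentation recommends a dedicated callback path under the protected Location (for example /test2/redirect_uri) rather than the content URL itself, so that the callback never collides with real content.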
greenshoots (Author) Commented:
Thanks for the help. Now it works. It helps a lot to speak out :)