Getting started with mod_auth_openidc and Azure

greenshoots
I am trying to use this guide https://github.com/zmartzone/mod_auth_openidc/wiki/Azure-OAuth-2.0-and-OpenID-Connect to enable authentication on a directory in Apache.

I have a running site where SSL, PHP and everything else works.

Part of my .conf file for this site now looks like this.

<VirtualHost 123.12.12.12:443>

OIDCProviderMetadataURL https://sts.windows.net/hiddenc123-5ahiddensds-b3f2-sds22/.well-known/open$
OIDCRedirectURI https://mysite.com/test2/

OIDCClientID hidden123123123
OIDCClientSecret Test
OIDCCryptoPassphrase hiddenasdasdasdasd

OIDCScope "openid email"

OIDCRemoteUserClaim email


<Location /var/www/mysite/html/test>
    SSLRequireSSL
    SSLOptions +StdEnvVars

    AuthType openid-connect
    require valid-user


    Options Includes FollowSymLinks
    AllowOverride AuthConfig Limit
    Order allow,deny
    Allow from all
</Location>

Then I did service apache2 restart.
When I run apachectl configtest I get no error regarding mod_auth_openidc, so I think the module is correctly installed.

But no authentication is enabled on the folder that I would like to protect. Also, no error message appears in the web browser.

I now have some questions:

Should I expect an error message when it does not work? So there must be something wrong? Or something that is not correctly activated?

What is OIDCRedirectURI? Do I need some PHP code for this? Is that not the URL that I would like to protect? (https://mysite.com/test2/)

Where can I find app_password for my app in Azure AD? (see attachment)
Where can I find some_custom_passphrase?
Is that under Keys? (attachment)

Hopefully some answers here will get me forward.

Env:
Ubuntu 18.04.2 LTS
Apache2/mod_auth_openidc/PHP
Office 365 Business with Azure AD
Attachment: 1.png
David Favor, Fractional CTO
Distinguished Expert 2018

Commented:
Try this, just to make sure your module is installed. If your module is installed, you'll see the module name show up...

apachectl -M | grep -i openidc


Fractional CTO
Distinguished Expert 2018
Commented:
Be sure all these match your assigned settings, when you generated these using the Azure Portal...

OIDCClientID [app_id]
OIDCClientSecret [app_password]
OIDCCryptoPassphrase [some_custom_passphrase]


Author

Commented:
apachectl -M | grep -i openidc
auth_openidc_module (shared)

Is that ok?

Prabhin MP, DevOps Engineer
Distinguished Expert 2018

Commented:
The above output shows the module is installed and active.
Are you able to see any logs in Apache, I mean in both error and access?
You can increase the logging by changing the verbosity of the logs.
Your app_id: this you get when you create a new app in the Azure Portal.
Your app_password: you'll get this when you go through setting up the rest of the newly registered app you just created.

Author

Commented:
I did something wrong with those.

OIDCClientID [app_id]
OIDCClientSecret [app_password]
OIDCCryptoPassphrase [some_custom_passphrase]

I found a brilliant Swedish site which helped me a lot:
https://www.cloudnet.se/blogg/koppla-apache-mot-microsoft-azure-ad-med-mod_openidc/


I also changed from
<Location /var/www/mysite/html/test>
 to
<Location /test2>

That also did the trick.

And also
OIDCRedirectURI https://mysite.com/test2/ 
to
OIDCRedirectURI https://mysite.com/test2


Now it kind of works. But I get some other errors.

In the browser I see this:

Error:

OpenID Connect Provider error: Remote user could not be set: contact the website administrator

And in the logfile (I deleted a long link):
/var/log/apache2/error.log

[Tue Apr 30 17:28:51.249369 2019] [auth_openidc:warn] [pid 43029] [client 11.12.11.2:60032] oidc_get_remote_user: JSON object did not contain a "email" string, referer: https://login.microsoftonli

[Tue Apr 30 17:28:51.249458 2019] [auth_openidc:error] [pid 43029] [client 11.12.11.2:60032] oidc_set_request_user: OIDCRemoteUserClaimis set to "email", but could not set the remote user based on the requested claim "email" and the available claims for the user, referer: https://login.microsoftonl

[Tue Apr 30 17:28:51.249474 2019] [auth_openidc:error] [pid 43029] [client 11.12.11.2:60032] oidc_handle_authorization_response: remote user could not be set, referer: https://login.microsofto

How to dig into this?
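A small diagnostic for the "remote user could not be set" error above, added here as an example (it is not part of the thread and not mod_auth_openidc code): it decodes an ID token copied from a debug log and checks whether the claim named in OIDCRemoteUserClaim is present as a string, mirroring the condition the warning reports, and lists which of the usual identifier claims the token does carry. The sample token and its claim set are constructed for the demo and do not represent a real Azure AD token.

```python
import base64
import json

def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def b64url_decode(segment: str) -> bytes:
    # JWT segments drop base64 padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))

def jwt_claims(token: str) -> dict:
    """Payload claims of a compact JWT. No signature check: for reading a token
    copied from a debug log, never for trusting it."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("expected header.payload.signature")
    return json.loads(b64url_decode(parts[1]))

def resolve_remote_user(claims: dict, remote_user_claim: str):
    """Same condition as the warning in the thread: the configured claim must be
    present in the token and be a non-empty string, otherwise no user is set."""
    value = claims.get(remote_user_claim)
    return value if isinstance(value, str) and value else None

CANDIDATES = ("email", "preferred_username", "upn", "unique_name", "oid", "sub")

def diagnose(token: str, remote_user_claim: str) -> dict:
    """Which user OIDCRemoteUserClaim would yield, or, if the claim is missing,
    which of the usual identifier claims the token carries instead."""
    claims = jwt_claims(token)
    user = resolve_remote_user(claims, remote_user_claim)
    return {
        "remote_user": user,
        "missing_claim": None if user else remote_user_claim,
        "usable_claims": [c for c in CANDIDATES if resolve_remote_user(claims, c)],
    }
# Constructed, unsigned sample token (assumed claim set, not a real Azure AD
# token): it carries upn/oid/sub but no "email", which reproduces the
# 'JSON object did not contain a "email" string' warning from the error log.
_SAMPLE_CLAIMS = {
    "iss": "https://sts.windows.net/00000000-0000-0000-0000-000000000000/",
    "sub": "AbCdEf123_constructed_subject",
    "oid": "11111111-2222-3333-4444-555555555555",
    "upn": "alice@example.onmicrosoft.com",
}
SAMPLE_ID_TOKEN = ".".join([
    b64url_encode(json.dumps({"alg": "none", "typ": "JWT"}).encode()),
    b64url_encode(json.dumps(_SAMPLE_CLAIMS).encode()),
    "constructed-signature",
])
```

Run diagnose(SAMPLE_ID_TOKEN, "email") to see the failure from the log, then diagnose(SAMPLE_ID_TOKEN, "upn") to see a claim that would set REMOTE_USER.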

Author

Commented:
With those settings it seems to work:

  # The URL you have selected as endpoint
  OIDCRedirectURI https://openid-app.cloudnet.cloud/openid-start-session
  # OIDCCryptoPassphrase can be anything
  OIDCCryptoPassphrase zZZzzZZZaaaa
  # To work with Azure AD
  OIDCResponseType id_token
  OIDCResponseMode form_post
  # Azure AD connection
  OIDCProviderMetadataURL https://login.microsoftonline.com/anders1arbast.onmicrosoft.com/.well-known/openid-configuration
  OIDCProviderIssuer https://sts.windows.net/e98c0afb-9b00-47a5-b843-2a3e1a36e085/

  # Azure AD app info
  OIDCClientID d2e491bc-fa4f-456f-918a-4b14b004e45e
  OIDCClientSecret aaiaalwj2h3HrhYoIp0bHXazGsRIoWEy7+FY/Ys1dY=
David Favor, Fractional CTO
Distinguished Expert 2018

Commented:
The problem showing up in logs is because you have this in your VirtualHost container...

OIDCScope "openid email"

OIDCRemoteUserClaim email



Using the string email will likely never work.

You require a valid email address. Likely an address you check frequently + respond to, if contacted by Microsoft.

Author

Commented:
It works with:

OIDCResponseType id_token
OIDCResponseMode form_post


So if I remove

OIDCScope "openid email"
OIDCRemoteUserClaim email

it works.

Author

Commented:
Thanks for the help. Now it works. It helps a lot to speak out :)
