identity & security

SSO for Legacy Apps with Auth0, OpenID Connect & Apache

Auth0 SDKs make it really easy to add SSO to any app, on any platform. But sometimes, apps cannot be modified. What to do then? A very simple solution is to

Aug 22, 20142 min read

Auth0 SDKs make it really easy to add Single Sign On (SSO) to any app, on any platform. But sometimes, apps cannot be modified. What to do then?

A very simple solution is to front any web content with a web server that itself is capable of negotiating authentication for users. One web server with the extensibility required for plugging-in any auth is Apache server.

In this post, we'll learn how to install and configure

mod_auth_openidc
to work with Apache and Auth0.

How it works

Apache has plugable authentication modules that you can use to protect specific routes. One such module is modauthopenidc written by Hans Zandbelt.

modauthopenidc is an authentication/authorization module for the Apache 2.x HTTP server that allows users to authenticate using an OpenID Connect enabled Identity Provider.

When a user first attempts to access protected content behind Apache, the module will first redirect the user to the configured OpenID Connect identity provider. After the user is authenticated, access is granted to the actual resource:

image

Since Auth0 supports the OpenID Connect protocol (among many others), it is straight forward to configure the module with it:

OIDCProviderIssuer https://contoso.auth0.com
OIDCProviderAuthorizationEndpoint https://contoso.auth0.com/authorize
OIDCProviderTokenEndpoint https://contoso.auth0.com/oauth/token
OIDCProviderTokenEndpointAuth client_secret_post
OIDCProviderUserInfoEndpoint https://contoso.auth0.com/userinfo

OIDCClientID 3g6d6c..........mXNxkAE
OIDCClientSecret _8sCbkTNhYk4..........8u3mdvRFWBx

OIDCScope "openid email profile"
OIDCRedirectURI https://your_apache_server/example/redirect_uri/
OIDCCryptoPassphrase <password>
OIDCCookiePath /example/

SSLEngine on
SSLCertificateFile /home/your_cert.crt
SSLCertificateKeyFile /home/your_key.key

<Location /example/>
   AuthType openid-connect
   Require valid-user
   LogLevel debug
</Location>

How to configure it

First, you need to register a new app in Auth0. You will get a

clientId
and a
clientSecret
. These two go to the
OIDCClientID
and
OIDCClientSecret
params respectively. Then you need to setup SSL certs and define the protected locations (e.g.
/example
in the config file above).

Of course you will have to replace the Auth0 auth URLs with your actual account (contoso is used in the example above).

Any of Auth0 supported identity providers would work: Active Directory, LDAP, ADFS, SAML-P, custom databases or any of the 30+ social providers. Auth0 will bridge any protocol implemented by these identity systems with OpenID Connect.

It is also very easy to configure a specific connection in Auth0 if you add the

connection
parameter to the
OIDCProviderAuthorizationEndpoint
parameter:

OIDCProviderAuthorizationEndpoint https://contoso.auth0.com/authorize?connection=linkedin

Users will be sent directly to LinkedIn for authentication in this case.

That's it!

Want to learn more about Single Sign-On? Get The Definitive Guide on SSO (74-page free eBook) here.