Auth0 SDKs make it really easy to add SSO to any app, on any platform. But sometimes, apps cannot be modified. What to do then? A very simple solution is to
A very simple solution is to front any web content with a web server that itself is capable of negotiating authentication for users. One web server with the extensibility required for plugging-in any auth is Apache server.
In this post, we'll learn how to install and configure
mod_auth_openidc to work with Apache and Auth0.
How it works
mod_auth_openidc is an authentication/authorization module for the Apache 2.x HTTP server that allows users to authenticate using an OpenID Connect enabled Identity Provider.
When a user first attempts to access protected content behind Apache, the module will first redirect the user to the configured OpenID Connect identity provider. After the user is authenticated, access is granted to the actual resource:
Since Auth0 supports the OpenID Connect protocol (among many others), it is straight forward to configure the module with it:
OIDCProviderIssuer https://contoso.auth0.com OIDCProviderAuthorizationEndpoint https://contoso.auth0.com/authorize OIDCProviderTokenEndpoint https://contoso.auth0.com/oauth/token OIDCProviderTokenEndpointAuth client_secret_post OIDCProviderUserInfoEndpoint https://contoso.auth0.com/userinfo OIDCClientID 3g6d6c..........mXNxkAE OIDCClientSecret _8sCbkTNhYk4..........8u3mdvRFWBx OIDCScope "openid email profile" OIDCRedirectURI https://your_apache_server/example/redirect_uri/ OIDCCryptoPassphrase <password> OIDCCookiePath /example/ SSLEngine on SSLCertificateFile /home/your_cert.crt SSLCertificateKeyFile /home/your_key.key <Location /example/> AuthType openid-connect Require valid-user LogLevel debug </Location>
How to configure it
First, you need to register a new app in Auth0. You will get a
clientId and a
clientSecret. These two go to the
OIDCClientSecret params respectively. Then you need to setup SSL certs and define the protected locations (e.g.
/example in the config file above).
Of course you will have to replace the Auth0 auth URLs with your actual account (contoso is used in the example above).
Any of Auth0 supported identity providers would work: Active Directory, LDAP, ADFS, SAML-P, custom databases or any of the 30+ social providers. Auth0 will bridge any protocol implemented by these identity systems with OpenID Connect.
It is also very easy to configure a specific connection in Auth0 if you add the
connection parameter to the
Users will be sent directly to LinkedIn for authentication in this case.