Auth0 SDKs make it really easy to add Single Sign On (SSO) to any app, on any platform. But sometimes, apps cannot be modified. What to do then?
A very simple solution is to front any web content with a web server that itself is capable of negotiating authentication for users. One web server with the extensibility required for plugging-in any auth is Apache server.
In this post, we'll learn how to install and configure mod_auth_openidc to work with Apache and Auth0.
How it works
Apache has pluggable authentication modules that you can use to protect specific routes. One such module is mod_auth_openidc, written by Hans Zandbelt.
mod_auth_openidc is an authentication/authorization module for the Apache 2.x HTTP server that allows users to authenticate using an OpenID Connect enabled Identity Provider.
When a user first attempts to access protected content behind Apache, the module redirects the user to the configured OpenID Connect identity provider. After the user is authenticated, access is granted to the actual resource.
Since Auth0 supports the OpenID Connect protocol (among many others), it is straightforward to configure the module with it:

```apache
OIDCProviderIssuer https://contoso.auth0.com
OIDCProviderAuthorizationEndpoint https://contoso.auth0.com/authorize
OIDCProviderTokenEndpoint https://contoso.auth0.com/oauth/token
OIDCProviderTokenEndpointAuth client_secret_post
OIDCProviderUserInfoEndpoint https://contoso.auth0.com/userinfo

OIDCClientID 3g6d6c..........mXNxkAE
OIDCClientSecret _8sCbkTNhYk4..........8u3mdvRFWBx
OIDCScope "openid email profile"
OIDCRedirectURI https://your_apache_server/example/redirect_uri/
OIDCCryptoPassphrase <password>
OIDCCookiePath /example/

SSLEngine on
SSLCertificateFile /home/your_cert.crt
SSLCertificateKeyFile /home/your_key.key

<Location /example/>
    AuthType openid-connect
    Require valid-user
    LogLevel debug
</Location>
```
How to configure it
First, you need to register a new app in Auth0. You will get a `clientId` and a `clientSecret`. These two go to the `OIDCClientID` and `OIDCClientSecret` params respectively. Then you need to set up SSL certs and define the protected locations (e.g. `/example` in the config file above). Of course, you will have to replace the Auth0 auth URLs with your actual account (`contoso` is used in the example above).
Any of Auth0 supported identity providers would work: Active Directory, LDAP, ADFS, SAML-P, custom databases or any of the 30+ social providers. Auth0 will bridge any protocol implemented by these identity systems with OpenID Connect.
It is also very easy to configure a specific connection in Auth0 if you add the `connection` parameter to the `OIDCProviderAuthorizationEndpoint` directive:

```apache
OIDCProviderAuthorizationEndpoint https://contoso.auth0.com/authorize?connection=linkedin
```

Users will be sent directly to LinkedIn for authentication in this case.
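The mapping from Auth0 endpoints to `OIDC*` directives shown above, and the `connection=` variant, can both be produced from the provider's discovery metadata instead of typed by hand. The script below is an added example written for this post; it is not code from mod_auth_openidc or from Auth0. It embeds a constructed discovery document for the `contoso` placeholder tenant, refuses metadata whose endpoints are not HTTPS or not on the issuer's host (a copied or tampered config that pointed the token exchange elsewhere would hand over the client secret and authorization code), appends the `connection` parameter while preserving any existing query string, checks that the redirect URI sits inside the protected `Location` as the module requires, and generates a random `OIDCCryptoPassphrase`. The client id and secret are obvious placeholders.

```python
import secrets
from urllib.parse import urlsplit, urlunsplit, parse_qsl, urlencode

# Constructed sample of an issuer's /.well-known/openid-configuration document,
# trimmed to the fields mod_auth_openidc needs. "contoso" is the placeholder
# tenant used throughout the post; no real tenant is referenced.
SAMPLE_METADATA = {
    "issuer": "https://contoso.auth0.com/",
    "authorization_endpoint": "https://contoso.auth0.com/authorize",
    "token_endpoint": "https://contoso.auth0.com/oauth/token",
    "userinfo_endpoint": "https://contoso.auth0.com/userinfo",
    "token_endpoint_auth_methods_supported": ["client_secret_post", "client_secret_basic"],
}

ENDPOINT_FIELDS = ("authorization_endpoint", "token_endpoint", "userinfo_endpoint")


def check_metadata(metadata, expected_issuer):
    """Return a list of problems (empty means OK).

    Every endpoint must be https and live on the issuer's own host, otherwise
    the module would send the client secret and authorization code elsewhere.
    """
    problems = []
    issuer = metadata.get("issuer", "").rstrip("/")
    if issuer != expected_issuer.rstrip("/"):
        problems.append(f"issuer mismatch: {issuer!r} != {expected_issuer!r}")
    issuer_host = urlsplit(issuer).netloc
    for field in ENDPOINT_FIELDS:
        url = metadata.get(field)
        if not url:
            problems.append(f"missing {field}")
            continue
        parts = urlsplit(url)
        if parts.scheme != "https":
            problems.append(f"{field} is not https: {url}")
        if parts.netloc != issuer_host:
            problems.append(f"{field} host {parts.netloc!r} is not the issuer host {issuer_host!r}")
    return problems


def with_connection(authorization_endpoint, connection):
    """Add Auth0's connection= parameter, merging with any query string already present."""
    parts = urlsplit(authorization_endpoint)
    query = dict(parse_qsl(parts.query))
    query["connection"] = connection
    return urlunsplit((parts.scheme, parts.netloc, parts.path, urlencode(query), parts.fragment))


def render_directives(metadata, expected_issuer, client_id, client_secret, redirect_uri,
                      location="/example/", scope="openid email profile",
                      connection=None, passphrase=None):
    """Render the OIDC* directives and the protected <Location> block as a string."""
    problems = check_metadata(metadata, expected_issuer)
    if problems:
        raise ValueError("; ".join(problems))
    if urlsplit(redirect_uri).scheme != "https":
        raise ValueError("OIDCRedirectURI must be https")
    # mod_auth_openidc handles the redirect URI itself, so it must be a path
    # inside the Location the module protects (here /example/redirect_uri/).
    if not urlsplit(redirect_uri).path.startswith(location):
        raise ValueError(f"OIDCRedirectURI path must be under {location}")
    auth_endpoint = metadata["authorization_endpoint"]
    if connection:
        auth_endpoint = with_connection(auth_endpoint, connection)
    supported = metadata.get("token_endpoint_auth_methods_supported", ["client_secret_basic"])
    auth_method = "client_secret_post" if "client_secret_post" in supported else "client_secret_basic"
    passphrase = passphrase or secrets.token_urlsafe(32)  # random crypto passphrase, never a fixed string
    lines = [
        f"OIDCProviderIssuer {metadata['issuer']}",
        f"OIDCProviderAuthorizationEndpoint {auth_endpoint}",
        f"OIDCProviderTokenEndpoint {metadata['token_endpoint']}",
        f"OIDCProviderTokenEndpointAuth {auth_method}",
        f"OIDCProviderUserInfoEndpoint {metadata['userinfo_endpoint']}",
        f"OIDCClientID {client_id}",
        f"OIDCClientSecret {client_secret}",
        f'OIDCScope "{scope}"',
        f"OIDCRedirectURI {redirect_uri}",
        f"OIDCCryptoPassphrase {passphrase}",
        f"OIDCCookiePath {location}",
        "",
        f"<Location {location}>",
        "    AuthType openid-connect",
        "    Require valid-user",
        "</Location>",
    ]
    return "\n".join(lines)


if __name__ == "__main__":
    print(render_directives(SAMPLE_METADATA, "https://contoso.auth0.com",
                            "CLIENT_ID_PLACEHOLDER", "CLIENT_SECRET_PLACEHOLDER",
                            "https://your_apache_server/example/redirect_uri/",
                            connection="linkedin"))
```

Paste the printed block into the virtual host that already carries the `SSLEngine` and certificate directives, then run `apachectl configtest` before reloading. Fetching the real metadata from `https://<your_tenant>.auth0.com/.well-known/openid-configuration` and passing it to `render_directives` is left to the caller so the script runs offline.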
That's it!
Want to learn more about Single Sign-On? Get The Definitive Guide on SSO (74-page free eBook) here.
About the author
Eugenio Pace
CEO and Co-Founder