A module for Apache HTTP Server 2.x that makes the Apache web server operate as a OAuth 2.0 Resource Server, validating OAuth 2.0 access tokens and setting headers/environment variables based on the validation results.
Reference Bearer Access Token validation using RFC7662 based introspection:
AuthType oauth2
OAuth2TokenVerify introspect https://pingfed:9031/as/introspect.oauth2 introspect.ssl_verify=false&introspect.auth=client_secret_basic&client_id=rs0&client_secret=2Federate
JWT Bearer Access Token validation using a set of JWKs published on a jwks_uri
:
AuthType oauth2
OAuth2TokenVerify jwks_uri https://pingfed:9031/ext/one jwks_uri.ssl_verify=false
RFC 8705 Mutual TLS Certificate (optionally) Bound JWT Access Token validation with a known JWK
AuthType oauth2
OAuth2TokenVerify jwk "{\"kty\":\"RSA\",\"kid\":\"one\",\"use\":\"sig\",\"n\":\"12SBWV_4xU8sBEC2IXcakiDe3IrrUcnIHexfyHG11Kw-EsrZvOy6PrrcqfTr1GcecyWFzQvUr61DWESrZWq96vd08_iTIWIny8pU5dlCoC7FsHU_onUQI1m4gQ3jNr00KhH878vrBVdr_T-zuOYQQOBRMEyFG-I4nb91zO1n2gcpQHeabJw3JIC9g65FCpu8DSw8uXQ1hVfGUDZAK6iwncNZ1uqN4HhRGNevFXT7KVG0cNS8S3oF4AhHafFurheVxh714R2EseTVD_FfLn2QTlCss_73YIJjzn047yKmAx5a9zuun6FKiISnMupGnHShwVoaS695rDmFvj7mvDppMQ\",\"e\":\"AQAB\" }" type=mtls&mtls.policy=optional
SSLVerifyClient optional_no_ca
RFC 9449 OAuth 2.0 Demonstrating Proof of Possession (DPoP) validation using introspection (using liboauth > 1.5.2)
OAuth2TokenVerify introspect https://pingfed:9031/as/introspect.oauth2 introspect.ssl_verify=false&introspect.auth=client_secret_basic&client_id=rs_client&client_secret=2Federate&type=dpop
For a detailed overview of configuration options see the oauth2.conf
Apache configuration file in this directory.
As provided by the liboauth2
dependency, including:
- per-directory configuration over per-virtual host
- flexible cache configuration per cached element type
- specify multiple token verification options, tried sequentially (allow for key/algo rollover)
- claims-based authorization capabilities see: https://github.com/OpenIDC/mod_oauth2/wiki#authorization
- etc.
For generic questions, see the Wiki pages with Frequently Asked Questions at:
https://github.com/OpenIDC/mod_oauth2/wiki
Any questions/issues should go to issues tracker.
For commercial Support contracts, Professional Services, Training and use-case specific support you can contact:
[email protected]
This software is open sourced by OpenIDC. For commercial support you can contact OpenIDC as described above in the Support section.