# Mod Auth OpenIDC #### Configuration * Install mod_auth_openidc for Apache: *Use* ***apt install libapache2-mod-auth-openidc*** *for a Debian system.* * Load the module in Apache via httpd.conf: ```exp LoadModule auth_openidc_module modules/mod_auth_openidc.so ``` *Use* ***a2enmod mod_auth_openidc*** *and restart Apache for Debian* * Complete Apache's httpd.conf file. *The following example requires customization according to your context.* ```exp # Server setup ServerName myapplication.tld # ... your particular directives ... # OpenID Connect setup OIDCProviderMetadataURL https://mydomain.trustelem.com/app/146XXX/.well-known/openid-configuration OIDCClientID trustelem.oidc.XXXXXXXXX OIDCClientSecret XXXXXXXX OIDCRedirectURI https://myapplication.tld/redirect_uri OIDCCryptoPassphrase XXXXXXXX OIDCScope "openid" AuthType openid-connect Require valid-user # Specific session cookie durations (seconds) OIDCSessionInactivityTimeout 300 OIDCSessionMaxDuration 36000 ``` The **OIDCCryptoPassphrase** parameter is used in particular for encrypting user session cookies. * For logging out users from inside the application, you have to associate a logout URL to an HTML element like a button or a link. This URL is defined by the redirect_uri with a ***logout=*** parameter and the post-logout URL in a URL-encoded format. *For example, the logout URL could be:* ***`https://myapplication.tld/redirect_uri?logout=https%3A%2F%2Fmyapplication.tld`*** * Setup Trustelem with the following parameters: **- RedirectURI:** this URL is defined in the web server configuration (see httpd.conf). *With the previous example, the RedirectURI would be:* ***`https://myapplication.tld/redirect_uri`*** **- Login URL:** the application's URL starting the OIDC flow. It is used as a target for the application on the Trustelem user's dashboard. *With the previous example, the URL would be:* ***`https://myapplication.tld/sso-login`*** **- PostLogoutRedirectURI:** the URL that indicates where to go after a logout. It is usually defined in the logout HTML element of your application. *With the previous logout example, the PostLogout URL would be:* ***`https://myapplication.tld`*** #### Notes * The attributes sent by Trustelem are provided to the application under the designation **$_SERVER["OIDC_CLAIM_nom"]**, where the name is defined in the Trustelem-hosted script in the field called **custom claims**. *For example, if you add the following custom claim, you will find the user firstname into the variable* ***$_SERVER["OIDC_CLAIM_attr1"]***:* ```ts claims["attr1"] = user.firstname; ``` * If the user authenticated with mod_auth_openidc doesn't exist in the application, we recommend to create the user using the attributes sent by Trustelem. This auto-provisioning system enables the implementation of internal rights management based on attributes sent by Trustelem. This completes access control policies defined in Trustelem.