This blog post will guide you through implementing Apache authentication against Google Apps using OpenID Connect. I'll also describe (lightly) how OAuth 2.0 flows work, as OAuth 2.0 is leveraged by OpenID Connect.
How does the OAuth 2 flow work?
Once understood, the flow is fairly simple:
- The user requests a URL: https://www.cloudavail.com/protected/, for example.
- On this initial request the client does not send any authentication information, and the server is configured to require authentication.
- The server redirects the user to a particular URL, http://accounts.google.com/o/oauth2 for example. This URL is a parameter given to the mod_auth_openidc module.
- The user visits that URL, at which they agree to share information with a third party. In this particular case, the user is authorizing google.com to share data with CloudAvail.
- Google then redirects the user back to a URL at CloudAvail, for example https://www.cloudavail.com/protected/oauth2callback – and this time with a code provided in the query string, for example https://www.cloudavail.com/protected/oauth2callback?code=4im6WNBK5UF9. The code can then be used to request data from the Google API.
- When it is confirmed that the user exists (and is authorized to access the given resource), the user is then redirected to the originally requested page: https://www.cloudavail.com/protected/.
How to implement?
As of this writing mod_auth_openidc is the only OpenID Connect module for Apache. I implemented this using mod_auth_openidc with Apache 2.7.4 on Ubuntu 14.0.4.
Create a Google Project:
- Go to https://console.developers.google.com/project
- Select “Create Project” and provide a project name and project ID.
Configure the Google Project:
- In “APIs” you will need to enable the “Google+ API.” See screenshot below:
- In “Credentials” you will need to create a new OAuth key.
- You'll want to select the "Web application" type.
- For the "Authorized Redirect URI" you'll want to provide a URL that is resolvable but does not serve content – this URL is used to receive the code that will be returned by the Google API. See screenshot below:
- Configure a "Consent Screen" (note that a "Product Name" is required for use of OAuth 2.0).
- In "APIs & auth" enter a "Product Name" and/or Logo. This will be displayed to users who are asked to allow your application to access data stored in Google Apps.
Download and Install the mod_auth_openidc Module
# download the mod_auth_openidc Module
wget https://github.com/pingidentity/mod_auth_openidc/releases/download/v1.4/libapache2-mod-auth-openidc_1.4_amd64.deb
# install the mod_auth_openidc Module (it is enabled in a later step)
sudo dpkg -i libapache2-mod-auth-openidc_1.4_amd64.deb
Configure Apache to utilize the mod_auth_openidc Module
The documentation in https://github.com/pingidentity/mod_auth_openidc/blob/master/README for Google Apps is correct. One note:
OIDCRedirectURI must exactly match the Authorized Redirect URI of your project.
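The Apache configuration below is an added example for the setup described here; it is not taken from the post or from the mod_auth_openidc README. It assumes the cloudavail.com hostname and /protected/ path used above, and the client ID, client secret, passphrase and Google Apps domain are placeholders you replace with your own values.

```apache
# Google publishes its OpenID Connect discovery document here; the module
# reads the authorization and token endpoints from it, so neither needs to
# be hard-coded.
OIDCProviderMetadataURL https://accounts.google.com/.well-known/openid-configuration

# Client credentials from the "Credentials" page of your Google project
# (placeholders; keep the real secret out of version control).
OIDCClientID        YOUR_CLIENT_ID.apps.googleusercontent.com
OIDCClientSecret    YOUR_CLIENT_SECRET

# Must be byte-for-byte identical to the "Authorized Redirect URI" registered
# with Google, including scheme and trailing path. It lives under the
# protected location but must not map to real content.
OIDCRedirectURI     https://www.cloudavail.com/protected/oauth2callback

# Used to encrypt the state and session cookies the module sets. Generate a
# long random value; do not reuse the client secret here.
OIDCCryptoPassphrase CHANGE_ME_TO_A_LONG_RANDOM_STRING

# Ask only for what identifying the user requires.
OIDCScope "openid email"

<Location /protected/>
    AuthType openid-connect

    # Weak: this lets any Google account, not just your organisation's,
    # through once it authenticates.
    # Require valid-user

    # Better: only accept accounts whose ID token carries your Google Apps
    # hosted domain in the "hd" claim (placeholder domain).
    Require claim hd:cloudavail.com
</Location>
```

Because OIDCRedirectURI sits under /protected/, the module handles the callback itself before the Require rule is evaluated, which is why that URL does not need to serve any content.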
Enable the mod_auth_openidc module and restart Apache
# Enable the mod_auth_openidc Module
sudo a2enmod auth_openidc
# Restart Apache with the mod_auth_openidc Module enabled
sudo service apache2 restart
Questions or Comments?
Please feel free to post either questions or comments.