MCPcopy Index your code
hub / github.com/OpenIDC/mod_auth_openidc

github.com/OpenIDC/mod_auth_openidc @v2.4.19.4

Chat with this repo
repository ↗ · DeepWiki ↗ · release v2.4.19.4 ↗ · + Follow
1,281 symbols 5,520 edges 120 files 811 documented · 63% updated 4d agov2.4.19.4 · 2026-07-01★ 1,089
What it actually does AI analysis from the code graph — generated when you open this
loading…
README

Build Status Quality Gate Status License OpenID Certification

mod_auth_openidc

mod_auth_openidc is an OpenID Certified™ authentication and authorization module for the Apache 2.x HTTP server that implements the OpenID Connect 1.x and FAPI 2.x Relying Party functionality.

Overview

This module enables an Apache 2.x web server to operate as an OpenID Connect Relying Party (RP) towards an OpenID Connect Provider (OP). It relays end user authentication to a Provider and receives user identity information from that Provider. It then passes on that identity information (a.k.a. claims) to applications protected by the Apache web server and establishes an authentication session for the identified user.

The protected content, applications and services can be hosted by the Apache server itself or served from origin server(s) residing behind it by configuring Apache as a Reverse Proxy in front of those servers. The latter allows for adding OpenID Connect based authentication to existing applications/services/SPAs without modifying those applications, possibly migrating them away from legacy authentication mechanisms to standards-based OpenID Connect Single Sign On (SSO).

By default the module sets the REMOTE_USER variable to the id_token [sub] claim, concatenated with the OP's Issuer identifier ([sub]@[iss]). Other id_token claims are passed in HTTP headers and/or environment variables together with those (optionally) obtained from the UserInfo endpoint. The provided HTTP headers and environment variables can be consumed by applications protected by the Apache server.

Custom fine-grained authorization rules - based on Apache's Require primitives - can be specified to match against the set of claims provided in the id_token/ userinfo claims, see here. Clustering for resilience and performance can be configured using one of the supported cache backends options as listed here.

For a complete overview of all configuration options, see the file auth_openidc.conf. This file can also serve as an include file for httpd.conf.

Installation

Preferably install one of the pre-built binary packages. On Debian/Ubuntu:

apt install libapache2-mod-auth-openidc

Packages for other platforms are listed in the Wiki, and release binaries are attached to the GitHub Releases.

To build from source (see INSTALL for the full dependency list):

./configure --with-apxs=/usr/bin/apxs2   # apxs2 may be named apxs on your platform
make
sudo make install

How to Use It

  1. install and load mod_auth_openidc.so in your Apache server
  2. set OIDCRedirectURI to a "vanity" URL within a location that is protected by mod_auth_openidc
  3. configure OIDCProviderMetadataURL so it points to the Discovery metadata of your OpenID Connect Provider served on the .well-known/openid-configuration endpoint
  4. register/generate a Client identifier and a secret with the OpenID Connect Provider and configure those in OIDCClientID and OIDCClientSecret respectively
  5. register the OIDCRedirectURI configured above as the Redirect or Callback URI for your client at the Provider
  6. configure your protected content/locations with AuthType openid-connect

A minimal working configuration would look like:

LoadModule auth_openidc_module modules/mod_auth_openidc.so

# OIDCRedirectURI is a vanity URL that must point to a path protected by this module but must NOT point to any content
OIDCRedirectURI https://<hostname>/secure/redirect_uri

# required to persist sessions across restarts and share them across a cluster;
# when omitted a random passphrase is generated at each restart, invalidating existing sessions
OIDCCryptoPassphrase <passphrase-or-"exec:/path/to/generator">

OIDCProviderMetadataURL <issuer>/.well-known/openid-configuration
OIDCClientID <client_id>
OIDCClientSecret <client_secret>

<Location /secure>
   AuthType openid-connect
   Require valid-user
</Location>

For claims-based authorization with Require claim: directives see the Wiki page on Authorization. For details on configuring multiple providers see the Wiki.

Quickstart for specific Providers

See the Wiki for configuration docs for other OpenID Connect Providers.

Interoperability and Supported Specifications

mod_auth_openidc is OpenID Certified™ and supports the following specifications: - OpenID Connect Core 1.0 (Basic, Implicit, Hybrid and Refresh flows) - RFC 7636 - Proof Key for Code Exchange by OAuth Public Clients - FAPI 2.0 Security Profile - FAPI 2.0 Message Signing - RFC 9126 - OAuth 2.0 Pushed Authorization Requests - RFC 9449 - OAuth 2.0 Demonstrating Proof of Possession (DPoP) - OpenID Connect Discovery 1.0 - OpenID Connect Dynamic Client Registration 1.0 - OAuth 2.0 Form Post Response Mode 1.0 - OAuth 2.0 Multiple Response Type Encoding Practices 1.0 - OpenID Connect Session Management 1.0 see the Wiki for information on how to configure it) - OpenID Connect Front-Channel Logout 1.0 - OpenID Connect Back-Channel Logout 1.0

Support

Community

Documentation can be found at the Wiki (including Frequently Asked Questions) at:
https://github.com/OpenIDC/mod_auth_openidc/wiki
For questions, issues and suggestions use the Github Discussions forum at:
https://github.com/OpenIDC/mod_auth_openidc/discussions

Security

To report a security vulnerability, please follow the process in SECURITY.md (e-mail support@openidc.com); do not file public issues for vulnerabilities.

Commercial

Licensed builds with support for Redis/Valkey over TLS, Redis Sentinel/Cluster as well as binary packages for Microsoft Windows, EOL Red Hat, Ubuntu and Debian releases, Oracle HTTP Server and IBM HTTP Server are available under a commercial agreement.

For inquiries about commercial - subscription based - support and licensing please contact:
sales@openidc.com

License

Apache License 2.0 - see LICENSE.txt.

Disclaimer

This software is open sourced by OpenIDC, a subsidiary of ZmartZone Holding B.V. For commercial services you can contact OpenIDC as described above in the Support section.

Core symbols most depended-on inside this repo

oidc_test_request_get
called by 438
test/util.c
oidc_test_cfg_get
called by 336
test/util.c
_oidc_strcmp
called by 236
src/const.h
oidc_test_cmd_get
called by 190
test/util.c
_oidc_strlen
called by 188
src/const.h
_oidc_strstr
called by 178
src/const.h
oidc_json_decref
called by 139
src/json.c
oidc_cfg_provider_get
called by 136
src/cfg/cfg.c

Shape

Function 1,202
Class 79

Languages

C96%
C++4%

Modules by API surface

src/jose.c76 symbols
src/session.c69 symbols
src/metrics.c66 symbols
src/http.c66 symbols
src/mod_auth_openidc.c61 symbols
src/cfg/cfg.c50 symbols
src/json.c48 symbols
test/stub.c46 symbols
src/cfg/provider.c38 symbols
src/cfg/dir.c33 symbols
src/cfg/parse.c32 symbols
src/handle/authz.c28 symbols

For agents

$ claude mcp add mod_auth_openidc \
  -- python -m otcore.mcp_server <graph>

⬇ download graph artifact

Ask about this repo answers extend the page