Testing OIDC client registration

Liam Hoekenga liamr at umich.edu
Wed May 15 16:48:04 EDT 2019

Hi Keith -

I found the mod_auth_openidc documentation re: dynamic registration lacking
as well.
I did get it working.  I pared my config file down, and I *think* this is
the minimum working configuration...

        OIDCMetadataDir /var/cache/httpd/mod_auth_openidc
        OIDCRedirectURI https://sp.example.edu/oidc/dynamic/redirect_uri
        OIDCCryptoPassphrase SECRET!!!!

The OIDC metadata directory needs to be writable by the user that httpd is
running as.
In that directory, you need to include a file for the OP you want to
authenticate against called "hostname.provider" (e.g.
The file should contain the openid-configuration well-known information for
the OP.


On Wed, May 15, 2019 at 1:02 PM Wessel, Keith <kwessel at illinois.edu> wrote:

> Hi, all,
> This is less about how to configure the Shib OIDC extension and more about
> testing it. I've been using a simple CGI protected by Apache
> mod_auth_openidc to test things so far with a manually registered (in the
> static oidc-metadata.xml) RP. Now, I'm trying to test dynamic client
> registration.
> I've enabled all of the settings, but based on my IdP's Apache access log,
> the RP is only hitting the authorization endpoint.
> Is there a mod_auth_openidc directive to tell it to try and register
> first? Or some other way to pull off dynamic registration using
> mod_auth_openidc? I see nothing about it in the docs for the Apache module
> other than the fact that it's supported.
> Thanks,
> Keith
> --
> For Consortium Member technical support, see
> https://wiki.shibboleth.net/confluence/x/coFAAg
> To unsubscribe from this list send an email to
> users-unsubscribe at shibboleth.net
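
Added example, not part of the thread and not mod_auth_openidc's own code: a pre-flight check for the OP discovery document before it is saved as a `.provider` file in `OIDCMetadataDir`. The function names and sample documents are constructed, and the file-naming rule (issuer with scheme and trailing slash stripped, URL-encoded, `.provider` appended) is an assumption about the module's convention.

```python
import json
from urllib.parse import quote, urlparse

ENDPOINTS = ("authorization_endpoint", "token_endpoint", "jwks_uri",
             "registration_endpoint")

def provider_filename(issuer):
    # Assumed naming convention: drop the scheme and trailing slash,
    # URL-encode what is left, append ".provider".
    rest = issuer.split("://", 1)[-1].rstrip("/")
    return quote(rest, safe="") + ".provider"

def check_provider_metadata(text, expected_issuer):
    """Return the problems found in an OP discovery document (empty list = OK)."""
    try:
        doc = json.loads(text)
    except ValueError as exc:
        return ["not valid JSON: %s" % exc]
    if not isinstance(doc, dict):
        return ["top level is not a JSON object"]
    problems = []
    # The issuer in the document must be the OP the file is meant to describe.
    if doc.get("issuer") != expected_issuer:
        problems.append("issuer does not match the OP this file is for")
    # Without registration_endpoint the RP has nowhere to register itself.
    for key in ENDPOINTS:
        url = doc.get(key)
        if url is None:
            problems.append("%s is missing" % key)
        elif urlparse(str(url)).scheme != "https":
            problems.append("%s is not an https URL" % key)
    return problems

# Constructed sample documents (not taken from any real OP).
ISSUER = "https://idp.example.edu"
_good = {"issuer": ISSUER,
         "authorization_endpoint": ISSUER + "/oidc/authorize",
         "token_endpoint": ISSUER + "/oidc/token",
         "jwks_uri": ISSUER + "/oidc/keyset",
         "registration_endpoint": ISSUER + "/oidc/register"}
GOOD = json.dumps(_good)
_bad = dict(_good, token_endpoint="http://idp.example.edu/oidc/token")
del _bad["registration_endpoint"]
BAD = json.dumps(_bad)

if __name__ == "__main__":
    print(provider_filename(ISSUER))
    print(check_provider_metadata(GOOD, ISSUER))
    print(check_provider_metadata(BAD, ISSUER))
```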