Testing OIDC client registration
Liam Hoekenga
liamr at umich.edu
Wed May 15 16:48:04 EDT 2019
Hi Keith -

I found the mod_auth_openidc documentation re: dynamic registration lacking
as well.

I did get it working. I pared my config file down, and I *think* this is
the minimum working configuration...

OIDCMetadataDir /var/cache/httpd/mod_auth_openidc
OIDCRedirectURI https://sp.example.edu/oidc/dynamic/redirect_uri
OIDCCryptoPassphrase SECRET!!!!

The OIDC metadata directory needs to be writable by the user that httpd is
running as.

In that directory, you need to include a file for the OP you want to
authenticate against called "hostname.provider" (e.g.
"shibboleth.umich.edu.provider").

The file should contain the openid-configuration well-known information for
the OP.

Liam

On Wed, May 15, 2019 at 1:02 PM Wessel, Keith <kwessel at illinois.edu> wrote:
> Hi, all,
>
> This is less about how to configure the Shib OIDC extension and more about
> testing it. I've been using a simple CGI protected by Apache
> mod_auth_openidc to test things so far with a manually registered (in the
> static oidc-metadata.xml) RP. Now, I'm trying to test dynamic client
> registration.
>
> I've enabled all of the settings, but based on my IdP's Apache access log,
> the RP is only hitting the authorization endpoint.
>
> Is there a mod_auth_openidc directive to tell it to try and register
> first? Or some other way to pull off dynamic registration using
> mod_auth_openidc? I see nothing about it in the docs for the Apache module
> other than the fact that it's supported.
>
> Thanks,
> Keith
>
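
A pre-flight check for the "hostname.provider" file described in the message above, as an added example that is not part of the original post and is not mod_auth_openidc code. It assumes a host-only https issuer (the naming case the post gives); the sample document, the `op.example.edu` host and all function names are constructed for illustration.

```python
import json, os, stat, tempfile
from urllib.parse import urlsplit

# Constructed sample discovery document (not fetched from a real OP).
SAMPLE_DISCOVERY = {
    "issuer": "https://op.example.edu",
    "authorization_endpoint": "https://op.example.edu/authorize",
    "token_endpoint": "https://op.example.edu/token",
    "jwks_uri": "https://op.example.edu/jwks",
    "registration_endpoint": "https://op.example.edu/register",
}
REQUIRED = ("issuer", "authorization_endpoint", "token_endpoint", "jwks_uri")

def provider_filename(issuer):
    """Build "<hostname>.provider" as in the post; other issuer shapes are out of scope."""
    u = urlsplit(issuer)
    host_only = u.netloc.lower() == u.hostname and u.path in ("", "/") and not u.query
    if u.scheme != "https" or not u.hostname or not host_only:
        raise ValueError(f"issuer not handled by this example: {issuer!r}")
    return u.hostname + ".provider"

def check_metadata(doc):
    """Return problems that would keep the RP from registering dynamically."""
    problems = [f"missing {k}" for k in REQUIRED if not doc.get(k)]
    if not doc.get("registration_endpoint"):
        problems.append("no registration_endpoint: OP does not advertise registration")
    for k, v in doc.items():
        if k.endswith(("_endpoint", "_uri")) and not str(v).startswith("https://"):
            problems.append(f"{k} is not an https URL: {v}")
    return problems

def check_dir(path):
    # Run this as the httpd user: os.access() tests the calling user's rights.
    problems = [] if os.access(path, os.W_OK) else ["directory not writable by this user"]
    if os.stat(path).st_mode & stat.S_IWOTH:
        problems.append("directory is world-writable")
    return problems

def install_provider(doc, metadata_dir):
    problems = check_metadata(doc) + check_dir(metadata_dir)
    if problems:
        raise ValueError("; ".join(problems))
    target = os.path.join(metadata_dir, provider_filename(doc["issuer"]))
    with open(target, "w") as fh:
        json.dump(doc, fh, indent=2)
    return target

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as d:  # stand-in for OIDCMetadataDir
        print(install_provider(SAMPLE_DISCOVERY, d))
```

A missing `registration_endpoint` in the file matches the symptom in the quoted question, where the RP only ever contacts the authorization endpoint.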