Testing OIDC client registration

Wessel, Keith kwessel at illinois.edu
Wed May 15 17:33:57 EDT 2019

Thanks, Liam. I have everything but the metadata directory defined. I assumed that was a default since it already exists and was created when I installed the module from RPM.

One question before I try this, though: why do I have to manually download the OP’s metadata and install it? Isn’t part of the whole thing the module’s ability to dynamically discover and download the OP’s information?


From: users <users-bounces at shibboleth.net> On Behalf Of Liam Hoekenga
Sent: Wednesday, May 15, 2019 3:48 PM
To: Shib Users <users at shibboleth.net>
Subject: Re: Testing OIDC client registration

Hi Keith -

I found the mod_auth_openidc documentation re: dynamic registration lacking as well.
I did get it working.  I pared my config file down, and I *think* this is the minimum working configuration...

        OIDCMetadataDir /var/cache/httpd/mod_auth_openidc
        OIDCRedirectURI https://sp.example.edu/oidc/dynamic/redirect_uri
        OIDCCryptoPassphrase SECRET!!!!

The OIDC metadata directory needs to be writable by the user that httpd is running as.
In that directory, you need to include a file for the OP you want to authenticate against called "hostname.provider" (e.g. "shibboleth.umich.edu.provider").
The file should contain the openid-configuration well-known information for the OP.


On Wed, May 15, 2019 at 1:02 PM Wessel, Keith <kwessel at illinois.edu> wrote:
Hi, all,

This is less about how to configure the Shib OIDC extension and more about testing it. I've been using a simple CGI protected by Apache mod_auth_openidc to test things so far with a manually registered (in the static oidc-metadata.xml) RP. Now, I'm trying to test dynamic client registration.

I've enabled all of the settings, but based on my IdP's Apache access log, the RP is only hitting the authorization endpoint.

Is there a mod_auth_openidc directive to tell it to try and register first? Or some other way to pull off dynamic registration using mod_auth_openidc? I see nothing about it in the docs for the Apache module other than the fact that it's supported.


For Consortium Member technical support, see https://wiki.shibboleth.net/confluence/x/coFAAg
To unsubscribe from this list send an email to users-unsubscribe at shibboleth.net
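
An added example, not part of the original thread or of mod_auth_openidc: a pre-flight check for the "hostname.provider" file described above. It confirms that the issuer in the hand-installed openid-configuration document matches the host in the file name and that a registration_endpoint is present, which dynamic client registration needs. The host op.example.edu and both sample documents are constructed, and a bare https://hostname issuer is assumed.

```python
import json
import os
import tempfile
from urllib.parse import urlsplit

# Endpoints a relying party needs for login, plus registration_endpoint, which
# OpenID Connect Discovery marks optional but dynamic registration depends on.
REQUIRED_URLS = ("authorization_endpoint", "token_endpoint", "jwks_uri",
                 "registration_endpoint")


def check_provider_file(path):
    """Return a list of problems found in a '<hostname>.provider' file."""
    expected_host = os.path.basename(path).rsplit(".provider", 1)[0]
    try:
        with open(path, encoding="utf-8") as fh:
            meta = json.load(fh)
    except (OSError, ValueError) as exc:
        return [f"cannot read JSON: {exc}"]
    if not isinstance(meta, dict):
        return ["top level is not a JSON object"]
    problems = []
    issuer = urlsplit(str(meta.get("issuer", "")))
    # Assumption: the issuer is a bare https://hostname, as in the thread.
    if issuer.scheme != "https" or issuer.netloc != expected_host:
        problems.append(f"issuer {meta.get('issuer')!r} is not https://{expected_host}")
    for key in REQUIRED_URLS:
        url = urlsplit(str(meta.get(key, "")))
        if url.scheme != "https" or not url.netloc:
            problems.append(f"{key} is missing or not an https URL")
    return problems


def demo():
    """Check two constructed documents (op.example.edu is a made-up OP)."""
    base = "https://op.example.edu"
    good = {"issuer": base, **{k: f"{base}/{k}" for k in REQUIRED_URLS}}
    bad = {k: v for k, v in good.items() if k != "registration_endpoint"}
    bad["issuer"] = "https://other.example.edu"  # wrong OP's metadata in the file
    results = {}
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "op.example.edu.provider")
        for label, doc in (("good", good), ("bad", bad)):
            with open(path, "w", encoding="utf-8") as fh:
                json.dump(doc, fh)
            results[label] = check_provider_file(path)
    return results


if __name__ == "__main__":
    print(demo())
```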