Hi! I took over this application that was built a couple of years ago. There are some pieces about authentication and authorization that have been confusing to me. Could you please help me understand it better? Thanks!
I read the following in the README document of this GitHub repo:
The protected content, applications and services can be hosted by the Apache server itself or served from origin server(s) residing behind it by configuring Apache as a Reverse Proxy in front of those servers. The latter allows for adding OpenID Connect based authentication to existing applications/services/SPAs without modifying those applications, possibly migrating them away from legacy authentication mechanisms to standards-based OpenID Connect Single Sign On (SSO).
Below are some attributes about our application.
Name: https://one.xxxx.com
IdP: Azure Entra ID - Registered as an app, IdP created client_id and client_secret.
Apache httpd: we configured it as below:
# This section contains the configuration for the mod_auth_openidc module
# which manages authentication of our users before exposing content
OIDCProviderMetadataURL https://login.microsoftonline.com/YYYYYYYYYYYYYYYYYYYYYYYYYYYY/v2.0/.well-known/openid-configuration
OIDCClientID XXXXXXXXXXXXXXXXXXXX
OIDCClientSecret XXXXXXXXXXXXXXXXXXXXXXXXX
OIDCProviderJwksUri https://login.microsoftonline.com/XXXXXXXXXXXXXXXXXXXXXXX/discovery/v2.0/keys
OIDCRedirectURI https://one.xxxxx.com/done
OIDCCryptoPassphrase XXXXXXXXXXXXXXXXXXX
OIDCSSLValidateServer Off
OIDCCacheType redis
OIDCRedisCacheServer localhost:6379
OIDCRedisCachePassword XXXXXXXXXXXXXXX
OIDCStateMaxNumberOfCookies 10 true
OIDCUnAuthAction 401 "%{REQUEST_URI} =~ /.*static.*/"
#
# https://github.com/zmartzone/mod_auth_openidc
#
<Location />
AuthType openid-connect
Require valid-user
</Location>
Our app is written in ReactJS. They call it a Single Page App (SPA). We registered this app in Azure Entra ID as a separate app. We use a client_id. It didn't need a client_secret. In the Azure authentication section, we defined it in both the Web Redirect URI and the SPA implicit flow redirect. I am not sure why it was done like this.
We use the Authorization Code flow. My questions: how does Apache OIDC work here? Does it get the ID token for the SPA, or does MSAL.js get the ID token and access token for the SPA?
Please let me know if you need more information.
Any info would be really appreciated. Thanks!
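To show where the module in the quoted configuration sits between the browser and the SPA, here is a small model of its request handling: an added illustration, not mod_auth_openidc's own code or the poster's, with the tenant, the Redis-backed session store and the back-channel code exchange replaced by stand-ins.

```python
"""Model of mod_auth_openidc gating '<Location />' with 'Require valid-user'.
Added illustration only; tenant, session store and token exchange are stand-ins."""
import re
import secrets
from urllib.parse import urlencode

REDIRECT_URI = "https://one.xxxxx.com/done"     # OIDCRedirectURI from the posted config
UNAUTH_401 = re.compile(r".*static.*")          # OIDCUnAuthAction 401 "%{REQUEST_URI} =~ /.*static.*/"
AUTHORIZE = "https://login.microsoftonline.com/TENANT_PLACEHOLDER/oauth2/v2.0/authorize"
SESSION_COOKIE = "mod_auth_openidc_session"


class ApacheOidcGate:
    def __init__(self, client_id, exchange_code):
        self.client_id = client_id
        # Stand-in for the server-side token endpoint call made with client_id + client_secret
        self.exchange_code = exchange_code
        self.sessions = {}   # stand-in for the Redis cache (OIDCCacheType redis)
        self.states = {}     # outstanding state values -> URL the browser asked for

    def handle(self, path, cookies):
        """Return (status, headers) for a browser request to the protected tree."""
        claims = self.sessions.get(cookies.get(SESSION_COOKIE))
        if claims is not None:
            # Valid session: proxy to the origin, passing identity as OIDC_CLAIM_* headers
            return 200, {"OIDC_CLAIM_sub": claims["sub"],
                         "OIDC_CLAIM_preferred_username": claims["preferred_username"]}
        if UNAUTH_401.match(path):
            # Unauthenticated static fetch gets a plain 401 instead of a login redirect
            return 401, {}
        state = secrets.token_urlsafe(16)
        self.states[state] = path
        query = urlencode({"response_type": "code", "client_id": self.client_id,
                           "redirect_uri": REDIRECT_URI, "scope": "openid",
                           "state": state, "nonce": secrets.token_urlsafe(16)})
        return 302, {"Location": f"{AUTHORIZE}?{query}"}

    def callback(self, code, state):
        """Handle the IdP redirect back to OIDCRedirectURI (/done)."""
        original = self.states.pop(state, None)
        if original is None:
            return 400, {}          # unknown or replayed state value
        claims = self.exchange_code(code)   # tokens stay on the Apache side, not in the SPA
        sid = secrets.token_urlsafe(24)
        self.sessions[sid] = claims
        return 302, {"Location": original,
                     "Set-Cookie": f"{SESSION_COOKIE}={sid}; Secure; HttpOnly"}
```

In the real module the code exchange is an HTTPS call to the provider, which is why OIDCSSLValidateServer Off deserves a second look outside a development setup.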