OIDCRedirectURI restrictions should be explained
I've recently converted an Apache Web site from using mod_ucam_webauth to using mod_auth_openidc. I was actually following the guidance for using Microsoft Entra ID as documented at https://help.uis.cam.ac.uk/service/accounts-passwords/it-staff/authenticate-users-to-azure-ad-openid-connect/set-up-apache-2, but the problem that I found also affects the Raven documentation at https://docs.raven.cam.ac.uk/en/latest/apache-oauth2/, which I've followed for earlier systems.
The problem is that the OIDCRedirectURI directive has to point to somewhere on the site that's protected by mod_auth_openidc. If it doesn't, the reply from the IdP doesn't get properly intercepted by mod_auth_openidc. This isn't mentioned in your documentation, which just says, "It doesn't matter what you choose as a redirect URI as long as it doesn't conflict with any other URL on your website." That's true if the whole site is to be protected, but the page later says, "Configuring mod_auth_openidc does not actually cause the website to be Raven enabled. You must explicitly specify locations within a site which require sign in," which implies that the reader can selectively protect only parts of the site and expect the recipe to work.
The approach that I took to make this work on my site (after an embarrassing amount of time beating my head against the problem) was to explicitly protect the redirect URL:
OIDCRedirectURI "/.oidc/redirect"
<Location "/.oidc">
    # Make sure that the redirect URI is caught by mod_auth_openidc.
    AuthType openid-connect
    Require valid-user
</Location>
I'm not sure that's the best approach, but it does seem to work.
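To make the failure mode concrete, here is an added example (not part of the original post or of the UIS/Raven documentation) of a virtual host where only part of the site is protected. It shows the broken configuration beside the corrected one. The reason the fix is needed is that mod_auth_openidc only sees a request when Apache runs it as the authentication handler for that path, which happens only where AuthType openid-connect is in effect; the IdP's callback to the redirect URI is therefore ignored unless that path is itself under a protected Location. Protecting the redirect URI path is also the pattern the module's own sample configuration uses, so the workaround above is the intended one rather than a hack. The hostnames, paths, client ID and secrets below are placeholders.

```apache
# Added example, not from the original post. Placeholder IdP metadata URL,
# client credentials and paths; substitute your own.
OIDCProviderMetadataURL "https://login.example.org/.well-known/openid-configuration"
OIDCClientID            "replace-with-client-id"
OIDCClientSecret        "replace-with-client-secret"
OIDCCryptoPassphrase    "replace-with-a-long-random-passphrase"

# The redirect URI only needs to avoid colliding with real content, but it
# must match exactly (scheme, host and path) what is registered with the IdP.
OIDCRedirectURI "/.oidc/redirect"

# BROKEN: only /private is protected. Nothing under /.oidc carries
# AuthType openid-connect, so after the user signs in at the IdP the
# browser is sent to /.oidc/redirect?code=...&state=... and Apache serves
# it with the default handler (typically a 404) instead of letting
# mod_auth_openidc create the session and redirect back to /private.
#
# <Location "/private">
#     AuthType openid-connect
#     Require valid-user
# </Location>

# FIXED: the redirect URI path is protected too, so the callback reaches the
# module. The module answers the callback itself in the authentication phase
# and redirects to the originally requested page, so a visitor never "lands"
# on /.oidc/redirect. Everything outside /.oidc and /private stays anonymous.
<Location "/.oidc">
    AuthType openid-connect
    Require valid-user
</Location>

<Location "/private">
    AuthType openid-connect
    Require valid-user
</Location>
```

A quick check after reloading Apache: request a page under the protected location in a fresh browser session, complete the sign-in at the IdP, and confirm that you end up back on the page you asked for with a mod_auth_openidc session cookie set. If instead you are left on the redirect path with `code=` and `state=` in the query string, the callback is not being handled by the module and the redirect URI is almost certainly outside any protected Location.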