Wednesday, May 9, 2012

Using Apache2's mod_auth_openid...

A previous writeup discussed how to implement Google Apps user-based authentication with Apache2. The advantage is that you can implement single sign-on (SSO) to your web application through Google Apps instead of relying on usernames and passwords stored in .htaccess files. One problem with this approach is that it requires a few custom PHP scripts and Memcached to implement.

In search of a better way, I came upon the mod_auth_openid Apache2 module, which uses OpenID to implement user authentication for Apache2. If you're curious about how to implement the Apache2 OpenID module, here's how we got things to work.

1. First, you need to make sure you've enabled OpenID Federated Login on your Google Apps domain. See this link (item #1) for more information.

2. If you're running Ubuntu v10.04, the mod_auth_openid that comes with the package is v0.3, which doesn't include the AuthOpenIDAXUsername feature added in v0.6. You will need to download and compile your own version of mod_auth_openid from http://findingscience.com/mod_auth_openid/releases.html. You can also fork a copy of the source at git://github.com/bmuller/mod_auth_openid.git

3. You'll need at a minimum these packages to install mod_auth_openid. Without automake, you'll be unable to run the autogen.sh shell script, which has other dependencies. libcurl4 (the libcurl4-openssl-dev package) needs to be installed, as well as the libopkele-dev package.
sudo apt-get install automake
sudo apt-get install autotools-dev
sudo apt-get install libtool
sudo apt-get install libtidy-dev
sudo apt-get install libcurl4-openssl-dev
sudo apt-get install libopkele-dev

Your installation would then be:
./autogen.sh
./configure
make

4. The next step is to run autogen.sh, configure, and make the mod_auth_openid code. Once you've successfully compiled it, you need to copy src/.libs/mod_auth_openid.so to /usr/lib/apache2/modules. Your Apache2 configuration needs to look like:
  # LoadModule is only valid at server scope; Apache rejects it inside <Location>
  LoadModule authopenid_module /usr/lib/apache2/modules/mod_auth_openid.so

  <Location "/">
      AuthType OpenID
      require valid-user
  
      AuthOpenIDTrusted ^https://www.google.com/accounts/o8/ud
      AuthOpenIDAXRequire email http://openid.net/schema/contact/email @yourgoogleappsdomain\.com
      AuthOpenIDSingleIdP https://www.google.com/accounts/o8/id
      AuthOpenIDAXUsername email
      # off for now (Apache does not allow a comment at the end of a directive line)
      AuthOpenIDSecureCookie Off
  </Location>

The AuthOpenIDTrusted and AuthOpenIDSingleIdP directives ensure that Google Apps will be the only trusted Identity Provider (IdP). AuthOpenIDAXRequire lets you retrieve the Google Apps email address by requesting the http://openid.net/schema/contact/email attribute from the user logging in, and forces the regex to match your Google Apps domain. The latter took a bit of trial and error to figure out after reading through the Getting Started documentation from Google.
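Putting the four steps together, here is an added helper script; it is not code from the original post or from the mod_auth_openid project. It wraps the build-and-copy step in a function, prints the Apache configuration with LoadModule at server scope (where Apache requires it) and the comment on its own line, escapes the dots in the domain so the AuthOpenIDAXRequire pattern matches it literally and anchors the pattern to the end of the address, and provides a local check of that same domain rule so the policy can be exercised before deployment. The module path is the one the post uses; the domain and email addresses are constructed placeholders, and the script assumes nothing beyond ordinary regex semantics.

```shell
# Added example, not from the post or the mod_auth_openid project.
# Assumes the module was installed to /usr/lib/apache2/modules as in the post.

# Build and install the module from a source checkout. Needs the packages
# listed earlier; kept in a function so that sourcing this file runs nothing.
build_mod_auth_openid() {
    ./autogen.sh && ./configure && make &&
        sudo cp src/.libs/mod_auth_openid.so /usr/lib/apache2/modules/
}

# Turn a domain into a regex fragment that matches it literally (dots escaped).
escape_domain_regex() {
    printf '%s' "$1" | sed 's/\./\\./g'
}

# Print the Apache configuration for the given Google Apps domain.
# LoadModule is only valid at server scope, so it sits outside <Location>;
# Apache does not allow trailing comments, so the note on SecureCookie is
# on its own line; the AXRequire pattern is anchored with $ so that only
# addresses ending in "@<domain>" pass.
gen_apache_conf() {
    domain_re=$(escape_domain_regex "$1")
    cat <<EOF
LoadModule authopenid_module /usr/lib/apache2/modules/mod_auth_openid.so

<Location "/">
    AuthType OpenID
    require valid-user

    AuthOpenIDTrusted ^https://www\\.google\\.com/accounts/o8/ud
    AuthOpenIDSingleIdP https://www.google.com/accounts/o8/id
    AuthOpenIDAXRequire email http://openid.net/schema/contact/email @${domain_re}\$
    AuthOpenIDAXUsername email
    # Off only while testing over plain HTTP; set On once the site is served over HTTPS
    AuthOpenIDSecureCookie Off
</Location>
EOF
}

# Local check of the same domain rule (constructed helper, not part of the
# module): succeeds when the address ends with "@<domain>".
email_in_domain() {
    printf '%s\n' "$1" | grep -Eq "@$(escape_domain_regex "$2")\$"
}
```

Source the file, then run `gen_apache_conf yourgoogleappsdomain.com > /etc/apache2/conf.d/openid.conf` followed by `apache2ctl configtest` before reloading; `email_in_domain user@yourgoogleappsdomain.com yourgoogleappsdomain.com` exercises the domain rule locally.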

There are other installation details about getting the plugin set up, but I hope this gives an intro to taking advantage of some of the newest features of the Apache2 OpenID module!
