Problem description
I'm trying to set up a reverse proxy that requires authentication against an OpenID Connect Identity Provider. The user then grants the reverse proxy access to his data.
Some applications behind the proxy are only accessible by the user if he is a member of specific LDAP groups. Sadly the applications are dumb and cannot authorize themselves, so the reverse proxy must handle that part.
It wasn't so hard to set up the authentication part with mod_auth_openidc. What I struggle with is the authorization part. I have a working example with mod_authnz_ldap that requires username and password over BasicAuth.
The idea with OpenID Connect is that the Resource Server (the proxy in my case) never knows the user's password and does not have to check it. That is delegated to the OpenID Connect Identity Provider.
So I don't have the password needed for this approach. My idea was to create a virtual host with OIDC auth that refuses some header like x-my-oidc-username from clients, sets this header once authenticated and passes the request to another vhost bound on 127.0.0.1, so it cannot be accessed directly, bypassing authentication. That vhost just takes the header as the authenticated username and runs the LDAP authorization.
I haven't seen a way to just skip the authentication phase of the LDAP module and take the username from somewhere else, like the OpenID Connect ID Token or my custom header.
Any ideas/suggestions/approaches/tips?
Recommended answer
There's an article that shows how to combine mod_auth_openidc and mod_authnz_ldap here: https://github.com/pingidentity/mod_auth_openidc/wiki/Authorization#2-mod_authnz_ldap :
OIDCProviderMetadataURL https://accounts.google.com/.well-known/openid-configuration
OIDCClientID <client_id>
OIDCClientSecret <client_secret>
OIDCRedirectURI http://example.com/example/redirect_uri
OIDCScope "openid email profile"
# Set REMOTE_USER to the email address.
# this is the value that mod_authnz_ldap leverages as the first parameter after basedn.
# in the example below, REMOTE_USER = email = mail attribute in LDAP.
OIDCRemoteUserClaim email
<Location /example/>
    AuthType openid-connect
    AuthLDAPURL "ldap://example.com/ou=people,dc=example,dc=com?mail?sub?(objectClass=*)"
    AuthLDAPGroupAttribute member
    Require ldap-group cn=myTestAccesss,ou=Groups,dc=example,dc=com
</Location>
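The snippet above shows the two modules chained but not the proxying the question asks about. The following is an added example, not taken from the wiki article or from the answer, that wires the same OIDC-then-LDAP chain in front of a backend bound to loopback, which is what the questioner wanted to achieve with a custom header. Hostnames, ports, certificate paths, the bind DN and the group name are placeholders; the only directives carried over from the answer are the OIDC* settings, AuthLDAPURL, AuthLDAPGroupAttribute and Require ldap-group.

```apache
# Added example (not the wiki's or the answer's own configuration).
# Front-end vhost: mod_auth_openidc authenticates, mod_authnz_ldap authorizes,
# mod_proxy forwards to a backend that only listens on 127.0.0.1.
Listen 443
<VirtualHost *:443>
    ServerName proxy.example.com
    SSLEngine on
    # Placeholder certificate paths.
    SSLCertificateFile    /etc/ssl/certs/proxy.example.com.pem
    SSLCertificateKeyFile /etc/ssl/private/proxy.example.com.key

    # --- Authentication: delegated to the OpenID Connect provider ---
    OIDCProviderMetadataURL https://idp.example.com/.well-known/openid-configuration
    OIDCClientID            <client_id>
    OIDCClientSecret        <client_secret>
    # The redirect URI must live under the protected Location below.
    OIDCRedirectURI         https://proxy.example.com/app/redirect_uri
    OIDCCryptoPassphrase    <random-passphrase>
    OIDCScope               "openid email profile"
    # REMOTE_USER becomes the 'email' claim; mod_authnz_ldap searches on it.
    OIDCRemoteUserClaim     email

    <Location /app/>
        AuthType openid-connect
        # Hand the verified identity to the backend in a header the proxy controls.
        OIDCAuthNHeader  X-Remote-User
        # Do not forward every claim as a header unless the backend needs them.
        OIDCPassClaimsAs none

        # --- Authorization: find the user by mail, then require group membership ---
        AuthLDAPURL "ldap://ldap.example.com/ou=people,dc=example,dc=com?mail?sub?(objectClass=*)"
        # Placeholder read-only service account for the search.
        AuthLDAPBindDN       "cn=proxy-reader,ou=services,dc=example,dc=com"
        AuthLDAPBindPassword "<bind-password>"
        AuthLDAPGroupAttribute     member
        AuthLDAPGroupAttributeIsDN on
        Require ldap-group cn=app-users,ou=Groups,dc=example,dc=com

        # Belt and braces: drop any client-supplied copy of the identity header.
        # 'early' matters: it runs before authentication, so the header
        # mod_auth_openidc sets afterwards is kept; without 'early' the unset
        # would run in fixups and remove the proxy's own header.
        RequestHeader unset X-Remote-User early

        ProxyPass        http://127.0.0.1:8080/
        ProxyPassReverse http://127.0.0.1:8080/
    </Location>
</VirtualHost>

# Backend bound to loopback only, so it is reachable solely through the proxy above.
Listen 127.0.0.1:8080
<VirtualHost 127.0.0.1:8080>
    # Placeholder document root for the protected application.
    DocumentRoot /srv/app
</VirtualHost>
```

How the chain behaves: after the OIDC flow, mod_auth_openidc sets REMOTE_USER to the email claim; mod_authnz_ldap then searches `(&(objectClass=*)(mail=<REMOTE_USER>))` under ou=people to obtain the user's DN and checks that the group's member attribute lists that DN, so no password ever reaches the proxy. Two checks worth doing before relying on this: make sure the claim you map to REMOTE_USER is one the provider actually verifies (an unverified, user-editable email would let someone pick which LDAP entry they are matched against), and confirm with a request that includes a forged X-Remote-User that the backend only ever sees the value the proxy set. mod_auth_openidc strips the headers it manages from incoming requests by default, so the explicit unset is defence in depth rather than the only barrier.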