mirror of
https://github.com/kanidm/kanidm.git
synced 2025-02-23 04:27:02 +01:00
47 lines
1.6 KiB
Plaintext
47 lines
1.6 KiB
Plaintext
# this is a template file to set up an oauth2 RP for testing
|
|
# LoadModule auth_openidc_module /usr/lib/apache2/modules/mod_auth_openidc.so
|
|
LogLevel debug
|
|
ErrorLog /dev/stderr
|
|
TransferLog /dev/stdout
|
|
<IfModule mod_ssl.c>
|
|
<VirtualHost *:443>
|
|
ServerName localhost
|
|
|
|
SSLEngine on
|
|
# use the results from insecure_generate_certs.sh - super handy
|
|
SSLCertificateFile /certs/cert.pem
|
|
SSLCertificateKeyFile /certs/key.pem
|
|
|
|
# since we're using a self-signed cert we have to disable this
|
|
OIDCSSLValidateServer Off
|
|
OIDCProviderMetadataURL https://${KANIDM_HOSTNAME}:${KANIDM_PORT}/oauth2/openid/test_rp/.well-known/openid-configuration
|
|
OIDCClientID test_rp
|
|
OIDCClientSecret ${KANIDM_CLIENT_SECRET}
|
|
OIDCUserInfoTokenMethod authz_header
|
|
OIDCPKCEMethod S256
|
|
OIDCCookieSameSite On
|
|
|
|
# Define the OpenID Connect scope that is requested from the OP (eg. "openid email profile").
|
|
# When not defined, the bare minimal scope "openid" is used.
|
|
# OIDCScope "openid"
|
|
# OIDCRedirectURI is a vanity URL that must point to a path protected by this module but must NOT point to any content
|
|
OIDCRedirectURI https://${OAUTH_HOSTNAME}/redirect_url
|
|
OIDCCryptoPassphrase Th1sIsA5uperS3cretP4ssphraseD0ntT3llTh3Cr4bz
|
|
|
|
OIDCUserInfoRefreshInterval 300
|
|
OIDCJWKSRefreshInterval 300
|
|
|
|
OIDCSessionInactivityTimeout 300
|
|
OIDCSessionType client-cookie:persistent
|
|
|
|
# preferred_username
|
|
OIDCRemoteUserClaim preferred_username
|
|
|
|
<Location />
|
|
AuthType openid-connect
|
|
Require valid-user
|
|
</Location>
|
|
|
|
</VirtualHost>
|
|
</IfModule>
|