OpenIDConnectWithApache

From Request Tracker Wiki
Revision as of 14:34, 4 November 2016 by Anthnd (talk | contribs) (A guide on implementing OpenID Connect into Request Tracker)

Software used in this guide

- RT 4.4.1
- Apache
- mod_auth_openidc (an Apache module that does all the OpenIDC work)
- CentOS 7

Install and enable mod_auth_openidc

You can find it on Github here.

You can get the latest release here.


For Ubuntu:

sudo apt-get update
sudo apt-get install libapache2-mod-auth-openidc
a2enmod auth_openidc
service apache2 restart


For CentOS 7:

Get the links for the latest CentOS .rpm releases of cjose and mod_auth_openidc from the release page linked above. You may also need a CentOS .rpm for hiredis. Remember to expand the tab for the OS of your choice (CentOS 7 in this case).

Then simply run:

yum install https://github.com/pingidentity/mod_auth_openidc/releases/download/v2.1.0/cjose-0.4.1-1.el7.centos.x86_64.rpm
yum install http://dl.fedoraproject.org/pub/epel/7/x86_64/h/hiredis-0.12.1-1.el7.x86_64.rpm
yum install https://github.com/pingidentity/mod_auth_openidc/releases/download/v2.1.0/mod_auth_openidc-2.1.0-1.el7.centos.x86_64.rpm

Now the mod_auth_openidc module should be installed.


Signing up with an OpenID Connect Provider

To authenticate users, your server needs to be able to talk to an identity provider that it trusts to supply user identities. In this guide, we will use Google as our OpenID Connect Provider (almost everyone has a Google account). To be able to use Google's authentication services, you will need to visit their Developer console.

1. Find the Google+ API.
2. If you click on it, there should be a little header saying you need to create a project. Click the Create Project button and proceed through the setup.
3. You will be brought back to the Google+ API screen. On this page, press the Enable button near the top.
4. In the left navigation pane, go to Credentials.
5. Press the Create Credentials dropdown and select OAuth client ID.
6. Configure the consent screen.
7. Next, it should ask you to select an application type; pick Web application.
8. Give your app a name and don't fill out the other blanks unless you already know what they will be set to.
9. There should be a popup telling you what your client ID and secret are; these will be needed later.


Configuring mod_auth_openidc

Now you have to piece everything together. You can read the mod_auth_openidc Documentation or Wiki pages to set everything up if you'd like, but I'll be providing a step-by-step procedure as well.

So, you're going to have to put some Apache configuration somewhere to get mod_auth_openidc to actually do anything.

For my environment, this is the path to my .conf file:

/etc/httpd/conf.d/mod_auth_openidc.conf

If you don't have a conf.d directory, or run into some other problem, you can put the Apache configuration at the end of your default Apache config file. For my environment, this is the path:

/etc/httpd/conf/httpd.conf

Whatever you choose to do, here are the basic settings that you will need to integrate Google Sign-In with Request Tracker:

# This is the discovery URL where Google publishes its endpoints and signing keys
OIDCProviderMetadataURL https://accounts.google.com/.well-known/openid-configuration

# The credentials you were presented in the Google Dev Console
OIDCClientID a1b2c3d4e5f-j8f91083j0981j02909kd408tu.apps.googleusercontent.com
OIDCClientSecret as98jtg981jk02k0a

# Must match exactly the Authorized redirect URI in your Google Dev Console.
# The path must lie inside the protected <Location> below and must not serve any real content;
# use https for anything other than local testing.
OIDCRedirectURI http://localhost/oauth2callback

# Used to encrypt the module's state and session cookies; pick a long random value
OIDCCryptoPassphrase anypasswordhere

# This sets the environment variable REMOTE_USER to the user's email address instead of the default "sub" claim.
# The email scope must be requested or the claim will not be present in the ID token.
OIDCRemoteUserClaim email
OIDCScope "openid email"

<Location />
    AuthType openid-connect
    Require valid-user
    # Apache does not accept a trailing comment on a directive line, so the note goes here:
    # enable debug messages only while troubleshooting
    LogLevel debug
</Location>
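As an added check (not from the wiki page or from mod_auth_openidc itself), the following Python script parses a minimal config like the one above and reports the settings a reviewer would question: a non-https OIDCRedirectURI, a redirect URI that does not sit under a Location protected by AuthType openid-connect, a REMOTE_USER claim whose scope is not requested, and a short OIDCCryptoPassphrase. SAMPLE_CONF is a constructed copy of the guide's own settings, and the parser only understands the directive and Location syntax used in this guide.

```python
import re
from urllib.parse import urlparse

# Constructed sample: the guide's settings, minus the provider URL and client credentials
SAMPLE_CONF = """\
OIDCRedirectURI http://localhost/oauth2callback
OIDCCryptoPassphrase anypasswordhere
OIDCRemoteUserClaim email
OIDCScope "openid email"
<Location />
    AuthType openid-connect
    Require valid-user
</Location>
"""

def parse_conf(text):
    """Minimal parser: top-level directives plus paths of Location blocks with AuthType openid-connect."""
    directives, protected, block = {}, [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        opened = re.match(r"<Location\s+(\S+)\s*>", line)
        if opened:
            block = {"path": opened.group(1), "auth": False}
        elif line == "</Location>":
            if block and block["auth"]:
                protected.append(block["path"])
            block = None
        else:
            key, _, value = line.partition(" ")
            value = value.strip().strip('"')
            if block is None:
                directives[key] = value
            elif key == "AuthType" and value == "openid-connect":
                block["auth"] = True
    return directives, protected

def check_conf(text):
    """Return the list of findings; an empty list means these checks pass."""
    d, protected = parse_conf(text)
    findings = []
    redirect = urlparse(d.get("OIDCRedirectURI", ""))
    if redirect.scheme != "https":
        findings.append("OIDCRedirectURI is not https: the authorization code and cookies travel in clear")
    if not any(redirect.path.startswith(p) for p in protected):
        findings.append("OIDCRedirectURI is not under a Location with AuthType openid-connect")
    if d.get("OIDCRemoteUserClaim", "sub") == "email" and "email" not in d.get("OIDCScope", "openid").split():
        findings.append("OIDCRemoteUserClaim email needs the email scope in OIDCScope")
    if len(d.get("OIDCCryptoPassphrase", "")) < 16:
        findings.append("OIDCCryptoPassphrase is short; use a long random value")
    return findings
```

Run against the guide's sample it reports the http redirect URI and the short passphrase; point it at your real file with `check_conf(open(path).read())`.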


Configuring Request Tracker

In your RT_SiteConfig.pm file, set:

Set( $WebRemoteUserAuth, 1 );

RT will then trust the REMOTE_USER value that Apache passes in, so every path to RT must go through the protected <Location> configured above.


Work in progress

I'm going to add more after the weekend.