
mod auth openidc setup authentication

Mike Schwartz edited this page Dec 20, 2019 · 8 revisions

Stepped up authn with mod_auth_openidc

Based on the instructions in the mod_auth_openidc documentation.

Prerequisites

  1. Gluu Server 4.0.
  2. Apache 2 web server
  3. mod_auth_openidc plugin

Create an OpenID Connect client in the Gluu Server.

  1. Log in to the oxTrust admin panel.
  2. Navigate to OpenID Connect.
  3. In the Clients section, click Add Client.
  4. Create a client by providing the appropriate login redirect_uri, scope, grant uri and response type.
  5. Note down the client ID and client secret.

Enable and set up the DUO script for two-factor authentication.

  1. Log in to the oxTrust admin panel.
  2. In the Configuration section, go to Manage Custom Scripts.
  3. Enable and set up the duo script by following the document (https://gluu.org/docs/ce/authn-guide/duo/).

Note: since DUO is not needed as the default authentication method, do not enable it under Configuration > Manage Authentication > Default Authentication Method.

How to set up mod_auth_openidc for stepped-up authentication

We need two levels of authentication for two parts of the site: suppose the top level '/' requires only password authentication, while within the site there is a folder '/2fa' that requires two-factor authentication.

  1. Edit the Apache SSL virtual host (for example vi /etc/apache2/sites-available/default-ssl.conf) and add:

    OIDCProviderMetadataURL https://<gluu server host name>/.well-known/openid-configuration
    OIDCClientID <client id>
    OIDCClientSecret <client secret>
    # Full URL under this vhost; the path (redirect_uri here is an example) must match the
    # login redirect_uri registered on the client and must not be served by any application,
    # because mod_auth_openidc handles it itself.
    OIDCRedirectURI https://<web server hostname>/redirect_uri
    OIDCResponseType code
    OIDCScope "openid profile email"
    # Off skips TLS certificate validation of the Gluu Server; only for test setups.
    OIDCSSLValidateServer Off
    # Encrypts the module's session state; replace test1 with a long random value in production.
    OIDCCryptoPassphrase test1
    OIDCPassClaimsAs environment
    OIDCClaimPrefix USERINFO_
    OIDCPassIDTokenAs payload

    # Top level: any authenticated user.
    <Location "/">
        AuthType openid-connect
        Require valid-user
    </Location>

    # Step-up level: when the session's acr claim is not duo, send the user back to
    # Gluu with acr_values=duo (OIDCUnAutzAction auth) instead of answering 403.
    <Location "/2fa/">
        AuthType openid-connect
        OIDCUnAutzAction auth
        OIDCPathAuthRequestParams acr_values=duo
        # RequireAll is needed: Apache 2.4 ORs bare Require lines, so valid-user
        # alone would satisfy /2fa/ and the acr check would never trigger the step-up.
        <RequireAll>
            Require valid-user
            Require claim acr:duo
        </RequireAll>
    </Location>
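Apache enforces the step-up in front of the application, but a backend can verify the same claim itself so that a misconfigured Location block does not silently expose /2fa/ content. The following is an added example, not code from the Gluu wiki or the mod_auth_openidc project. It assumes the configuration above: OIDCPassIDTokenAs payload exposes the ID token claims to the backend in the OIDC_id_token_payload environment variable (assumed variable name), OIDCClaimPrefix USERINFO_ exposes individual claims such as USERINFO_sub, and the 300-second freshness limit on auth_time is an assumed policy. The sample environments at the bottom are constructed, not captured from a real server.

```python
"""Application-side verification of the step-up claim set by mod_auth_openidc.

Added example (not part of the wiki page). Assumes the ID token claims arrive in
the OIDC_id_token_payload environment variable (assumed name) and that the user
id arrives as USERINFO_sub, as configured with OIDCClaimPrefix USERINFO_.
"""
import json
import time

REQUIRED_ACR = "duo"   # acr value Gluu issues when the duo script handled the login
MAX_AUTH_AGE = 300     # seconds; assumed policy for how fresh the second factor must be


def parse_id_token_payload(environ):
    """Return the ID token claims as a dict, or None if absent or malformed."""
    raw = environ.get("OIDC_id_token_payload")
    if not raw:
        return None
    try:
        payload = json.loads(raw)
    except ValueError:          # json.JSONDecodeError is a ValueError
        return None
    return payload if isinstance(payload, dict) else None


def step_up_satisfied(environ, now=None):
    """Return (ok, reason); ok is True only if acr == duo and auth_time is recent."""
    now = time.time() if now is None else now
    payload = parse_id_token_payload(environ)
    if payload is None:
        return False, "no ID token payload from mod_auth_openidc"
    acr = payload.get("acr")
    if acr != REQUIRED_ACR:
        return False, "acr is %r, expected %r" % (acr, REQUIRED_ACR)
    auth_time = payload.get("auth_time")
    if not isinstance(auth_time, (int, float)):
        return False, "auth_time claim missing"
    if now - auth_time > MAX_AUTH_AGE:
        return False, "second factor is older than %d seconds" % MAX_AUTH_AGE
    return True, "ok"


def handle(environ, now=None):
    """Route a request: paths under /2fa/ need the step-up check, others only a user."""
    path = environ.get("PATH_INFO", "/")
    user = environ.get("USERINFO_sub")
    if not user:
        return "401 Unauthorized", "not authenticated"
    if path.startswith("/2fa/"):
        ok, reason = step_up_satisfied(environ, now)
        if not ok:
            return "403 Forbidden", "step-up required: " + reason
    return "200 OK", "hello " + user


def application(environ, start_response):
    """WSGI entry point wrapping handle(), e.g. for mod_wsgi behind mod_auth_openidc."""
    status, body = handle(environ)
    start_response(status, [("Content-Type", "text/plain")])
    return [body.encode("utf-8")]


# Constructed sample environments (not captured from a real server).
SAMPLE_NOW = 1_700_000_000
SAMPLE_PASSWORD_ONLY = {
    "PATH_INFO": "/2fa/report",
    "USERINFO_sub": "alice",
    "OIDC_id_token_payload": json.dumps(
        {"sub": "alice", "acr": "basic", "auth_time": SAMPLE_NOW - 10}),
}
SAMPLE_DUO = dict(SAMPLE_PASSWORD_ONLY, OIDC_id_token_payload=json.dumps(
    {"sub": "alice", "acr": "duo", "auth_time": SAMPLE_NOW - 10}))
SAMPLE_TOP_LEVEL = dict(SAMPLE_PASSWORD_ONLY, PATH_INFO="/index.html")

if __name__ == "__main__":
    for name, env in [("password only", SAMPLE_PASSWORD_ONLY),
                      ("duo", SAMPLE_DUO), ("top level", SAMPLE_TOP_LEVEL)]:
        print(name, "->", handle(env, now=SAMPLE_NOW))
```

The check reads claims from the WSGI environment rather than from request headers, so a client cannot supply them: the variables are set by the module inside Apache after it has validated the ID token. The auth_time comparison is what makes "stepped up" meaningful over a long-lived session; without it, an acr of duo obtained hours earlier would keep satisfying the check.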