From: Oliver W. <ma...@ol...> - 2025-12-01 20:12:33
Hi Thomas,

AI does not play well with OpenXPKI Config - there is no such parameter
as username_env. You can either use REMOTE_USER or OPENXPKI_USER; passing
other envvars is described here:
https://openxpki.readthedocs.io/en/master/configuration/realm.html#stack

    BasicAuth:
      handler: NoAuth
      type: client
      envkeys:
        email: AUTH_PROVIDER_email_field

You must pass "username" and "role" via ENV - and if you are using the
new setup with Mojolicious you need to pass the headers through to the
socket.

Easier solution: Get an EE License, there is a ready to use OIDC module
included ;)

Oliver

On 12/1/25 11:54, Thomas Gebert wrote:
> Hello,
>
> I'm trying for days now to complete my setup for an authentication
> with keycloak and Apache2.
>
> Login over keycloak works and the apache logs show that all needed
> information (username, email) is set by apache.
>
> But I can't get the setup on the Openxpki side to work.
>
> Here are my settings:
>
> Apache2:
>
> <VirtualHost *:443>
>
>     ServerAlias *
>     DocumentRoot /var/www/
>
>     RewriteEngine On
>
>     LogFormat "%h %l %{REMOTE_USER}e %{HTTP_X_REMOTE_USER}e %{OPENXPKI_SSO_ROLE}e %t \"%r\" %>s %b" openxpki_debug
>     CustomLog /var/log/apache2/openxpki_debug.log openxpki_debug
>
>     SSLEngine On
>     SSLCertificateFile '/etc/certs/default_cert.crt'
>     SSLCertificateKeyFile '/etc/certs/default_key.key'
>
>     SSLCACertificateFile /etc/certs/ca_selfsigned.crt
>     SSLVerifyClient optional_no_ca
>     SSLVerifyDepth 3
>     SSLOptions +StdEnvVars +ExportCertData
>
>     # HTTPS specific preparation for Mojolicious based client services
>     <IfModule mod_headers.c>
>         Use OxiForwardEnv SSL_CLIENT_S_DN
>         Use OxiForwardEnv SSL_CLIENT_CERT
>     </IfModule>
>
>     # Minimum mod_auth_openidc configuration
>     OIDCProviderMetadataURL https://<keycloak-machine>:8443/realms/<myrealm>/.well-known/openid-configuration
>     OIDCClientID openxpki
>     OIDCClientSecret "mypassword"
>     OIDCRedirectURI "https://<keycloak02-machine>/oidc_callback"
>     OIDCCryptoPassphrase "mypassphrase"
>     OIDCRemoteUserClaim preferred_username
>     OIDCScope "openid profile email"
>     OIDCPassClaimsAs environment
>
>     # GLOBAL after OIDC, before Proxy!
>     RequestHeader set X-Remote-User "%{OIDC_CLAIM_preferred_username}e"
>     RequestHeader set X-Email "%{OIDC_CLAIM_email}e"
>     RewriteRule .* - [E=OPENXPKI_SSO_ROLE:User,NE]
>
>     <Location />
>         AuthType openid-connect
>         Require valid-user
>     </Location>
>
>     <Location /oidc_callback>
>         AuthType openid-connect
>         Require valid-user
>     </Location>
>
>     ...
>
> stack.yaml:
>
> _System:
>   handler: System
>
> BasicAuth:
>   handler: NoAuth
>   label: "Keycloak SSO"
>   param:
>     username_env: OIDC_CLAIM_preferred_username
>     role_env: OPENXPKI_SSO_ROLE
>
> handler.yaml:
>
> # Those stacks are usually required so you should not remove them
> Anonymous:
>   type: Anonymous
>   label: Anonymous
>
> System:
>   type: Anonymous
>   role: System
>
> # Read the userdata from a YAML file defined in auth/connector.yaml
> LocalPassword:
>   type: Password
>   user@: connector:auth.connector.userdb
>
> NoAuth:
>   type: NoAuth
>
> client.d/service/webui/default.yaml:
> ...
> # customize redirect target on "first contact"
> # might be replaced / merged with new realm overview
> login:
>   # Preset an auth stack to use, prevents the drop down
>   stack: BasicAuth
>
>   # Redirect to an inline page handler instead of the default login screen
>   # With the source module, this makes it easy to show some text
>   # FIXME - this is currently not working!
>   # page: source!html!file!login
>
>   # Redirect to an external page, can be a local or absolute external url
>   # url: https://login.example.com/
>
> ...
> realm:
>   # Controls how requests are mapped to realms
>   # select
>   #   Shows a realm selection page (default if nothing is set).
>   # path|hostname
>   #   Expects a map defined in the [realm] section (see below)
>   mode: path
>
>   # Layout of the realm selection page:
>   # card
>   #   Display realm cards in a grid (default)
>   # list
>   #   Display realm cards as a vertical list
>   layout: card
>
>   # fixed mode
>   #value: democa
>
>   # map path component / hostname to realm (based on mode)
>   map:
>     # with mode: path
>     myrealm: myrealm
>     # rootca: rootca
>     # with mode: hostname
>     # demo.pki.example.com: democa
>
> I'm really frustrated that I can't figure out where the problem is.
>
> Can anybody help me on this topic?
>
> Kind regards,
>
> Thomas
>
> --
> Protect your environment - close windows and adopt a penguin!
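To make the correction in Oliver's reply concrete, here is an added example (not from either author or from the OpenXPKI project) of the stack.yaml entry as it should look next to the entry Thomas posted. It assumes that the "envkeys" mapping from the linked docs nests under the stack entry as Oliver quoted it, that the key names are "username" and "role" as Oliver states, and that the environment variable names are the ones already set by Thomas's vhost (REMOTE_USER via OIDCRemoteUserClaim, OPENXPKI_SSO_ROLE via the RewriteRule, OIDC_CLAIM_email via OIDCPassClaimsAs environment); with the Mojolicious-based client the headers still have to be passed through to the socket, which this file does not do.

```yaml
# stack.yaml - added example, assumed corrected form of the stack
# Thomas posted. Key layout (handler / type / envkeys) follows the
# snippet Oliver quoted from the realm docs; verify against that page.
_System:
  handler: System

BasicAuth:
  handler: NoAuth
  label: "Keycloak SSO"
  # The login decision is made by the web server (mod_auth_openidc),
  # OpenXPKI only consumes what it is handed in the environment.
  type: client
  # Map the values the handler needs to env vars the vhost sets.
  # "username" and "role" are mandatory (Oliver's reply); "email" is an
  # extra attribute, following the envkeys example in his snippet.
  envkeys:
    # Filled by mod_auth_openidc from: OIDCRemoteUserClaim preferred_username
    username: REMOTE_USER
    # Filled by the vhost rule: RewriteRule .* - [E=OPENXPKI_SSO_ROLE:User,NE]
    # Keep this fixed to a low-privilege role unless the IdP asserts one.
    role: OPENXPKI_SSO_ROLE
    # Filled by: OIDCPassClaimsAs environment (assumed variable name)
    email: OIDC_CLAIM_email

# For comparison, the entry from the question (do not use): "param" with
# username_env / role_env is not a parameter the NoAuth handler knows,
# so nothing is mapped and the login cannot succeed.
#
# BasicAuth:
#   handler: NoAuth
#   label: "Keycloak SSO"
#   param:
#     username_env: OIDC_CLAIM_preferred_username
#     role_env: OPENXPKI_SSO_ROLE
```

Because "type: client" trusts whatever the web server puts into the environment, the OpenXPKI socket must only be reachable through that Apache instance, otherwise a caller could supply its own username and role.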