I have an Apache server using mod_auth_openidc. For one specific directory (the API), I’d like to allow bearer token authentication first, with fallback to OpenID Connect. Is that something I can accomplish with an .htaccess file in the API directory?

Desired behavior:
– If a request is made in the API directory:
    – If an “Authorization: Bearer” header is set:
        – use bearer authentication
    – Otherwise:
        – use OpenID Connect
– If a request is made in any other directory:
    – use OpenID Connect

2 Answers

  1. The below can help instruct Apache 2.4 to use the proper AuthType via a <Location> block. I have not tested it in a .htaccess file, but the concept should work there too.

    This "If/Else" config has been solid so far. Any other Apache configuration gave mixed results when API calls were nested within the web app's path.

    This <If> statement checks for an "Authorization: Bearer" HTTP header in the request and routes to the proper AuthType as processed. Add in your Require claim directives as recommended.

    <Location "/APP">
        # Apache 2.4 expression: case-insensitive prefix match on the raw
        # Authorization header ("Bearer ..."). Only the prefix is checked here;
        # the token itself is validated by mod_auth_openidc on the oauth20 path.
        <If "%{HTTP:Authorization} =~ m#^Bearer#i">
          # Bearer path: validate the access token (OAuth 2.0 resource-server mode)
          AuthType oauth20
          Require claim aud:xxx
        </If>
        <Else>
          # No bearer header: fall back to the interactive OpenID Connect login
          AuthType openid-connect
          Require claim client_id:xxx
        </Else>
        Require valid-user
    </Location>


    Also make sure your JWKS endpoint directive is set on top of your original OIDC provider configuration:

    OIDCOAuthVerifyJwksUri https://{DOMAIN}/.well-known/jwks.json

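To make the routing rule in the answer above concrete, here is an added example (not part of the answer, and not mod_auth_openidc code) that emulates the decision the <If>/<Else> block makes and what the oauth20 path must establish before `Require claim aud:xxx` can pass. It uses the Python standard library only: the HS256 shared secret, the `/APP` prefix, the `xxx` audience value and the sample tokens are all constructed for this example, standing in for the RS256 keys a real deployment fetches through OIDCOAuthVerifyJwksUri. The point it shows is that the header match is a prefix match only, so a malformed, expired or wrong-audience bearer token is rejected with 401 on the oauth20 path and is never handed to the OpenID Connect fallback.

```python
import base64
import hashlib
import hmac
import json
import re
import time

# Mirrors the <If> expression  %{HTTP:Authorization} =~ m#^Bearer#i  :
# a case-insensitive prefix match on the raw header value, nothing more.
BEARER_RE = re.compile(r"^Bearer", re.IGNORECASE)

# Constructed for this example only. An HS256 shared secret stands in for the
# RS256 public keys mod_auth_openidc would load via OIDCOAuthVerifyJwksUri.
SECRET = b"example-shared-secret-not-for-production"
REQUIRED_AUD = "xxx"            # mirrors  Require claim aud:xxx  in the config
API_PREFIX = "/APP"             # mirrors  <Location "/APP">


def _b64url_decode(data: str) -> bytes:
    return base64.urlsafe_b64decode(data + "=" * (-len(data) % 4))


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def make_token(aud: str = "xxx", lifetime: int = 60, alg: str = "HS256") -> str:
    """Constructed token generator for sample inputs (always HS256-signed;
    'alg' only controls what the header claims, to exercise alg checks)."""
    header = _b64url_encode(json.dumps({"alg": alg, "typ": "JWT"}).encode())
    claims = {"aud": aud, "exp": time.time() + lifetime}
    payload = _b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(SECRET, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url_encode(sig)}"


def verify_bearer(token: str):
    """What the oauth20 path has to establish before 'Require claim aud:xxx'
    can be satisfied: well-formed JWT, expected alg, valid signature, not
    expired, audience matches. Returns the claims, or None on any failure."""
    parts = token.split(".")
    if len(parts) != 3:
        return None
    header_b64, payload_b64, sig_b64 = parts
    try:
        header = json.loads(_b64url_decode(header_b64))
        if not isinstance(header, dict) or header.get("alg") != "HS256":
            return None                       # rejects "none" and alg confusion
        expected = hmac.new(SECRET, f"{header_b64}.{payload_b64}".encode(),
                            hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
            return None
        claims = json.loads(_b64url_decode(payload_b64))
        if not isinstance(claims, dict) or claims.get("exp", 0) <= time.time():
            return None
        if claims.get("aud") != REQUIRED_AUD:
            return None
    except (ValueError, TypeError):           # bad base64 / JSON / UTF-8 / types
        return None
    return claims


def route(headers: dict, path: str) -> tuple:
    """Emulate the Location block. Returns (AuthType, status):
    - bearer header on a path under API_PREFIX -> oauth20, 200 if the token
      verifies, else 401 (a bad token is NOT handed to the OIDC fallback);
    - anything else -> openid-connect, modelled as a 302 to the provider
      (no existing session cookie is considered in this emulation)."""
    auth = headers.get("Authorization", "")
    if path.startswith(API_PREFIX) and BEARER_RE.match(auth):
        token = auth[len("Bearer"):].strip()
        return ("oauth20", 200 if verify_bearer(token) else 401)
    return ("openid-connect", 302)


if __name__ == "__main__":
    good = make_token()
    print(route({"Authorization": "Bearer " + good}, "/APP/api/items"))
    print(route({"Authorization": "Bearer not.a.jwt"}, "/APP/api/items"))
    print(route({}, "/APP/api/items"))
```

Running it shows the three outcomes a practitioner should expect from the config: a verified bearer token is accepted on `/APP`, a bearer header with a bad token gets 401 rather than a login redirect, and a request with no bearer header falls through to the OpenID Connect flow.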