I want to use the Apache OIDC module to protect my application. Okta is my OP. I do get the login page and am correctly redirected back to the application (which I currently host only locally). But I cannot get any information about the logged-in user. At some point during development I found a cookie "ln" that gave me the user's login information, but it has since disappeared. The only cookie I have now is "mod_auth_openidc_session".
What is missing here?
<VirtualHost *:80>
    ServerName docker.appname
    <IfModule mod_deflate.c>
        SetOutputFilter DEFLATE
        DeflateCompressionLevel 9
    </IfModule>
    <Location />
        AddOutputFilterByType DEFLATE text/plain
        AddOutputFilterByType DEFLATE text/xml
        AddOutputFilterByType DEFLATE text/html
        AddOutputFilterByType DEFLATE text/css
        AddOutputFilterByType DEFLATE image/svg+xml
        AddOutputFilterByType DEFLATE application/xhtml+xml
        AddOutputFilterByType DEFLATE application/xml
        AddOutputFilterByType DEFLATE application/rss+xml
        AddOutputFilterByType DEFLATE application/atom_xml
        AddOutputFilterByType DEFLATE application/x-javascript
        AuthType openid-connect
        Require valid-user
        Header append Vary User-Agent env=!dont-vary
    </Location>
    <IfModule mod_headers.c>
        Header set Content-Security-Policy <long list of policies>
        Header always append X-Frame-Options SAMEORIGIN
        Header set X-XSS-Protection "1; mode=block"
        Header set X-Content-Type-Options "nosniff"
        Header always set Strict-Transport-Security "max-age=15768000"
        Header unset X-Powered-By
        Header set Server ""
    </IfModule>
    ProxyPass /api/ http://back:8080/app-service/api/ connectiontimeout=5 timeout=36000
    ProxyPassReverse /api/ http://back:8080/app-service/api/
    ProxyTimeout 600
    ProxyPass /api/ !
    ProxyPass / http://front:4200/
    ProxyPassReverse / http://front:4200/
    ProxyPreserveHost On
    OIDCSSLValidateServer Off
    OIDCProviderMetadataURL https://<issuer-url>/.well-known/oauth-authorization-server
    OIDCProviderIssuer https://<issuer-url>
    OIDCClientID <client-id>
    OIDCClientSecret <client-secret>
    OIDCRedirectURI http://localhost/login/callback
    OIDCCryptoPassphrase <randomCryptoPassPhrase>
    OIDCCookiePath /
    OIDCScope "openid email profile"
    OIDCInfoHook userinfo
    OIDCRemoteUserClaim email
    OIDCAuthNHeader email
</VirtualHost>
In my case, I was able to get the user by setting these at the top level (outside any Directory or Location block):
    OIDCRemoteUserClaim upn ^(.*)@(.*) $1
    Header Set Oidc-User %{REMOTE_USER}e
You may only need the first parameter after OIDCRemoteUserClaim (upn in my case).
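As an added example (not the asker's or the answerer's configuration), here is a server-level mod_auth_openidc setup that maps a claim to REMOTE_USER the way the answer describes and then hands the identity to the proxied backend through request headers. It generalizes the answer slightly: besides the single mapped user name it also passes all claims as headers and enables the info hook for debugging. The issuer URL, client id, client secret and passphrase are placeholders; the header name X-Remote-User and the claim name email are assumptions and can be changed to whatever the backend expects.

```apache
# Added example: server-level (outside Directory/Location) mod_auth_openidc settings
# that make the logged-in user visible to the backend. Placeholders in <...>.
OIDCProviderMetadataURL https://<issuer-url>/.well-known/openid-configuration
OIDCClientID            <client-id>
OIDCClientSecret        <client-secret>
OIDCRedirectURI         https://docker.appname/login/callback
OIDCCryptoPassphrase    <randomCryptoPassPhrase>
OIDCScope               "openid email profile"

# Keep certificate validation of the provider switched on; "Off" hides a
# misconfigured or impersonated issuer and is only acceptable for a local test OP.
OIDCSSLValidateServer   On

# REMOTE_USER = the "email" claim with everything from "@" onwards removed
# ($1 is the first capture group). Drop the regex and replacement to use the
# whole claim value, as in the original "OIDCRemoteUserClaim email".
OIDCRemoteUserClaim     email ^(.*)@(.*)$ $1

# Copy REMOTE_USER into a request header of this name for the backend
# (the original config used the header name "email"; "X-Remote-User" is an assumption).
OIDCAuthNHeader         X-Remote-User

# Also pass every claim from the ID token / userinfo as OIDC_CLAIM_<name> request headers.
OIDCPassClaimsAs        headers
OIDCClaimPrefix         OIDC_CLAIM_

# Make session details available at <OIDCRedirectURI>?info=json for troubleshooting.
OIDCInfoHook            userinfo id_token

<Location />
    AuthType         openid-connect
    Require          valid-user
    ProxyPass        http://front:4200/
    ProxyPassReverse http://front:4200/
</Location>
```

With this in place, a request that passed authentication reaches the backend carrying `X-Remote-User` and `OIDC_CLAIM_email`, `OIDC_CLAIM_name`, and so on. To inspect what the module actually holds for a session, take the `mod_auth_openidc_session` cookie from a logged-in browser and request the info hook, for example `curl -b 'mod_auth_openidc_session=<cookie value>' 'https://docker.appname/login/callback?info=json'`, which returns the configured sections as JSON. The backend should only trust these identity headers when it is reachable exclusively through this proxy, since any client that can bypass Apache could set them itself.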