Mod_auth_openidc

mod_auth_openidc is an OpenID Certified™, open-source Apache HTTP Server module that enables Apache to function as an OpenID Connect (OIDC) Relying Party (RP) for standards-based single sign-on (SSO). It supports modern OAuth 2.0 and OIDC capabilities such as PKCE, PAR, DPoP, and Dynamic Client Registration. It can secure applications served directly by Apache or proxied behind it by injecting authenticated user claims into headers and environment variables.

Key Capabilities

  • Standards-based OIDC client (RP): Implements Authorization Code, Hybrid, and Implicit flows with support for PKCE, dynamic discovery (.well-known), client registration, and both front- and back-channel logout.

  • Advanced OAuth/OIDC profiles: Offers support for FAPI 2.0, Pushed Authorization Requests (PAR), and Demonstrating Proof of Possession (DPoP), aligning with modern financial-grade and high-security use cases.

  • Reverse-proxy integration: Protects applications hosted on or behind Apache by forwarding user claims and tokens through HTTP headers or environment variables (e.g., REMOTE_USER), making it easy for backend apps to consume identity data.
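The reverse-proxy pattern described above, as an added configuration sketch (not taken from the project's documentation). The hostnames, client ID, secrets, certificate paths, header name and backend address are placeholders, and mod_ssl, mod_proxy and mod_proxy_http are assumed to be loaded.

```apache
# Added illustration: every hostname, credential, path and the backend
# address below is a placeholder, not a value from the page.
LoadModule auth_openidc_module modules/mod_auth_openidc.so

<VirtualHost *:443>
    ServerName app.example.com
    SSLEngine on
    SSLCertificateFile    /etc/ssl/certs/app.example.com.pem
    SSLCertificateKeyFile /etc/ssl/private/app.example.com.key

    # OP discovery document (.well-known) and the RP's client registration
    OIDCProviderMetadataURL https://op.example.com/.well-known/openid-configuration
    OIDCClientID            example-client-id
    OIDCClientSecret        REPLACE_WITH_CLIENT_SECRET

    # Callback path: must sit under the protected location and serve no content
    OIDCRedirectURI         https://app.example.com/secure/redirect_uri

    # Key material for session and state cookies; use a long random value
    OIDCCryptoPassphrase    REPLACE_WITH_RANDOM_PASSPHRASE

    OIDCScope               "openid email profile"
    OIDCPKCEMethod          S256

    # Claim that populates REMOTE_USER
    OIDCRemoteUserClaim     email

    # Forward claims to the backend as OIDC_CLAIM_<name> request headers
    OIDCPassClaimsAs        headers
    OIDCClaimPrefix         OIDC_CLAIM_

    # Pass the authenticated user to the backend in a dedicated header
    OIDCAuthNHeader         X-Remote-User

    <Location /secure>
        AuthType openid-connect
        Require valid-user

        # The backend should listen on loopback only: it trusts these
        # headers, so it must not be reachable except through this proxy.
        ProxyPass        http://127.0.0.1:8080/
        ProxyPassReverse http://127.0.0.1:8080/
    </Location>
</VirtualHost>
```

The backend treats `X-Remote-User` and the `OIDC_CLAIM_*` headers as authoritative, so the deployment is only as strong as the guarantee that no request reaches the backend without passing through Apache.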

Limitations

  • Not an IdP: Operates purely as an OIDC client and policy enforcement module. It does not issue tokens or replace an identity provider. Must be paired with an OP such as Microsoft Entra ID, Keycloak, Okta, or Auth0.

  • Deprecated Resource Server mode: The internal OAuth resource server functionality was deprecated in version 2.4.0; organizations should migrate to mod_oauth2 for that role.

  • Apache dependency: Requires a running Apache HTTPD instance and administrative control over its TLS, cookie, and session management configurations.

  • No SCIM or governance: Focused solely on authentication and header injection—no user provisioning, SCIM interfaces, or identity governance features are included.
