Skip to content

Single Page Applications

Jump to bottom Edit New page
Hans Zandbelt edited this page Feb 26, 2017 · 22 revisions

Currently available only in the "feature" branch as version 2.1.7rc0

For Single Page Applications (SPAs) and other Clients that require access to the access_token or other information related to an authenticated user session, mod_auth_openidc has the ability to return "session info" to the caller when a valid session cookie is presented on an HTTP request to the following endpoint:

<redirect_uri>?info=json

The session info is returned as a JSON object and the information returned in that is configurable through OIDCInfoHook:

# (Optional)
# Define the data that will be returned upon calling the info hook (i.e. <redirect_uri>?info=json)
#   iat (int)                  : Unix timestamp indicating when this data was created
#   access_token (string)      : the access token
#   access_token_expires (int) : the Unix timestamp which is a hint about when the access token will expire (as indicated by the OP)
#   id_token (object)          : the claims presented in the ID token
#   userinfo (object)          : the claims resolved from the UserInfo endpoint
#   refresh_token (string)     : the refresh token (if returned by the OP)
#   session (object)           : (for debugging) mod_auth_openidc specific session data such as "remote user", "session expiry", "session id" and a "state" object
# When not defined the session hook will not return any data but a HTTP 404
OIDCInfoHook [iat|access_token|access_token_expires|id_token|userinfo|refresh_token|session]+

Calling this hook will also reset the session inactivity timer.

Access Token Refresh

The Client calling the hook can indicate requirements on the "freshness" of the access_token by providing the parameter access_token_refresh_interval:

<redirect_uri>?info=json&access_token_refresh_interval=<seconds>

Providing a value of "0" will refresh the current access_token, but only when a refresh_token was provided as part of the initial authentication flow and was stored in the session.

Providing a value greater than "0" will not refresh the access token unless more than "<seconds>" have elapsed since the last refresh.

UserInfo Refresh

Note that the update frequency of the information returned from the UserInfo endpoint at the OpenID Connect Provider can be configured through the OIDCUserInfoRefreshInterval configuration primitive and that accessing that endpoint may in itself lead to a refresh of the access_token and possibly the refresh_token.

Advanced

Authorization

By default all Clients presenting an valid session cookie will receive the information configured in OIDCInfoHook. Further refinement of that can be done by using Require directives on the hook itself, i.e. the OIDCRedirectURI, e.g. restricting it to the module's Client identifier for a specific Provider when multiple Providers are used:

<Location /redirect_uri>
  AuthType openid-connect
  Require claim aud:ac_oic_client
</Location>

Or a more advanced example using the Apache 2.4 "<If>" primitive to apply fine-grained authorization only when the session info hook is called:

<Location /redirect_uri>
  <If "%{QUERY_STRING} =~ /.*info=json.*/" >
    Require claim aud:ac_oic_client
  </If>
  <Else>
    Require valid-user
  </Else>
</Location>
Add a custom footer
Add a custom sidebar

Clone this wiki locally