Question 1

How to configure mod_auth_openidc with Keycloak?

Accepted Answer

The README links to a Keycloak-specific wiki page, which guides setting OIDCProviderMetadataURL to Keycloak's discovery endpoint and registering the client redirect URI. Ensure Keycloak is configured with a public client or confidential client as needed.

Question 2

mod_auth_openidc vs OAuth2 proxy?

Accepted Answer

mod_auth_openidc is an Apache module for OpenID Connect with certification and fine-grained authorization, while OAuth2 proxy is a standalone reverse proxy for OAuth2. Choose mod_auth_openidc for Apache-integrated, standards-based SSO; OAuth2 proxy for multi-server or non-Apache environments.

Question 3

How to handle session logout with mod_auth_openidc?

Accepted Answer

It supports OpenID Connect session management and front/back-channel logout specs; configure OIDCSessionManagement and OIDCLogoutURI directives as per the wiki to ensure proper session termination across providers.

Question 4

Does mod_auth_openidc support JWT validation for custom claims?

Accepted Answer

Yes, it validates ID tokens per OpenID Connect standards and passes claims via HTTP headers or environment variables. Use Require claim directives for authorization, but complex claim manipulation may require additional Apache modules.

Question 5

What cache backends are free vs commercial?

Accepted Answer

Open-source version supports basic backends like file and memcache; advanced Redis features such as TLS, Sentinel, and Cluster require a commercial license, as noted in the Support section of the README.

Question 6

How to set up multiple identity providers?

Accepted Answer

Configure multiple OIDCProviderMetadataURL entries and use OIDCDiscoverURL or location-based directives; the wiki provides examples for scenarios like multi-tenant or federated authentication setups.

mod_auth_openidc

What is mod_auth_openidc?

Overview

Use Cases

Best For

Found a gem we're missing?

Not Ideal For

Pros & Cons

Pros

Cons

Frequently Asked Questions