Ok, thanks André and Luis for your help and feedback.

-------- Original Message --------
From: André Warnier (tomcat/perl) <a...@ice-sa.com>
Reply-To: Tomcat Users List <users@tomcat.apache.org>
To: users@tomcat.apache.org
Subject: Re: OpenId with apache and tomcat
Date: Fri, 13 Mar 2020 23:47:08 +0100
On 13.03.2020 17:53, Stephane Passignat wrote:
> Hi,
> Actually I have Apache2 operating as proxy and authentication layer (HTTP Form and HTTP Basic), in front of several Tomcat instances and webapps.
> Apache pushes the userId to Tomcat through AJP.
> On the Tomcat side, the webapp has a Basic login-module in web.xml.
> I'm quite satisfied with the result: authentication and authorization are out of the application scope. The deployment and maintenance of applications is super easy. The sensitive maintenance of authentication is done by a dedicated team...
> I wish to improve that by adding OpenId Authentication, keeping Apache as the authentication layer with an OpenId connector, but the one I saw doesn't seem to be used a lot and is not available precompiled for my OS...

Actually, mod_auth_openidc (which I have not used myself), available from https://github.com/zmartzone/mod_auth_openidc, at least on the face of it seems to be fairly complete, well-documented (with examples), supported, and regularly worked on. Considering your current architecture, and considering that OpenID itself (like anything to do with OAuth) is quite a nightmare in terms of readable and understandable-by-common-mortals documentation, I would think that you might save yourself a lot of time by trying it out. It seems to have its own help forums too, which may help in terms of obtaining or creating the appropriate binaries.

> I'm also looking at moving authentication to the Tomcat level with an OpenId Realm. It's not ideal because of the large number of applications and servers it would impact, and the network configuration to change.

Exactly, see above. I think that mod_auth_openidc would fit right in (and along) with your existing form and Basic authentication in Apache httpd. And you would not have to change anything at the Tomcat or application level. Just make sure to properly secure your AJP connections (see quite a few discussions on that topic in the last month, in the archives of this list) ...
> Does someone have experience with this architecture? Do you have some recommendation for an Apache module or Tomcat Realm to use?

Make sure that you know exactly what *version* of OpenID you need. As far as I know, the current version is "OpenID Connect", and anything else is obsolete and even worse in terms of documentation.

> Thanks
> Stephane
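A concrete version of the setup André describes (mod_auth_openidc in httpd doing OpenID Connect, the resulting user name pushed to Tomcat over a locked-down AJP link), added here as an illustration; it is not configuration from this thread or from either project, and the hostnames, client ID, secrets and paths are placeholders to replace:

```apacheconf
# httpd.conf fragment (illustrative, placeholder values throughout).
LoadModule auth_openidc_module modules/mod_auth_openidc.so
LoadModule proxy_module        modules/mod_proxy.so
LoadModule proxy_ajp_module    modules/mod_proxy_ajp.so

# OpenID Connect provider (discovery document), client credentials, and the
# redirect URI registered with the provider. The redirect URI must be a path
# inside a location protected by this module that nothing else serves.
OIDCProviderMetadataURL https://idp.example.com/.well-known/openid-configuration
OIDCClientID            tomcat-apps
OIDCClientSecret        change-me-client-secret
OIDCRedirectURI         https://www.example.com/app/redirect_uri
OIDCCryptoPassphrase    change-me-session-passphrase

# Claim that becomes REMOTE_USER; mod_proxy_ajp forwards r->user to Tomcat as
# the AJP remote_user attribute, exactly as the existing form/Basic setup does.
OIDCRemoteUserClaim     preferred_username

<Location /app>
    AuthType openid-connect
    Require  valid-user
</Location>

# Existing form- and Basic-protected applications stay as they are (not shown).

# Backend over AJP. Weak: "ajp://backend:8009/app" with no secret, reachable
# from anywhere that can route to port 8009. Corrected: loopback (or a private
# interface) plus the shared secret that Tomcat's connector checks; the
# "secret=" parameter needs httpd 2.4.42 or later.
ProxyPass        /app ajp://127.0.0.1:8009/app secret=change-me-ajp-secret
ProxyPassReverse /app ajp://127.0.0.1:8009/app
```

On the Tomcat side the matching AJP Connector in server.xml should bind to the same loopback or private address (`address="127.0.0.1"`), carry `secretRequired="true"` and the same `secret`, and keep `tomcatAuthentication="false"` so that it accepts the user name httpd sends (add `tomcatAuthorization="true"` if the Tomcat Realm is still meant to assign roles to that user). With an httpd older than 2.4.42 the `secret=` parameter is unavailable, so the AJP port then has to be protected purely by binding and firewalling.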