When the "Satisfy Any" directive f***s your openID Connect conf file

Suppose you are using the apache mod auth_openidc_module for your openID Connect authentication. Be careful how you set up your location directive:

OIDCRedirectURI https://www.YOURDOMAIN.com/oauth2callback
        OIDCCryptoPassphrase <password>
        OIDCScope "openid email"

        <location>
          AuthType openid-connect
          require valid-user
          Require claim hd:YOURDOMAIN.com

          Allow from SOME IP ADDRESS
          Satisfy any
       </location>
      
This part of the conf file is supposed to mean that you are using authentication via openID Connect at the top level of the website. It also whitelists requests from a specific IP address, which allows them to bypass openID. But it won't work this way. You'll find that the Satisfy Any suddenly allows you access from any IP Address without authentication. The solution is to have a default DENY directive:
OIDCRedirectURI https://www.YOURDOMAIN.com/oauth2callback
        OIDCCryptoPassphrase <password>
        OIDCScope "openid email"

        <location>
          Order deny,allow
          Deny from all

          AuthType openid-connect
          require valid-user
          Require claim hd:YOURDOMAIN.com

          Allow from SOME IP ADDRESS
          Satisfy any
       </location>