Suppose you are using the Apache mod_auth_openidc module for your OpenID Connect authentication. Be careful how you combine authentication with host-based access control inside your Location block:
OIDCRedirectURI https://www.YOURDOMAIN.com/oauth2callback
OIDCCryptoPassphrase <password>
OIDCScope "openid email"
# Protect the whole site (the original block omitted the path; "/" is the top level)
<Location />
    AuthType openid-connect
    Require valid-user
    Require claim hd:YOURDOMAIN.com
    # Intended to let one trusted address in without authenticating
    Allow from SOME IP ADDRESS
    # Grant access if EITHER the host rules OR authentication pass
    Satisfy any
</Location>
The intent of this block is to require OpenID Connect authentication for the whole site while letting requests from one trusted IP address skip it. It does not work that way. `Satisfy any` grants the request when either the host-based rules (Order, Allow, Deny) or the authentication rules pass, and the default for Order is `Deny,Allow` with no Deny directives in effect. With nothing denied, every host already passes the host-based check, so the `Allow from` line adds nothing and `Satisfy any` lets anyone in from any IP address without authenticating. The fix is an explicit default deny, so that only the listed address passes the host check and every other client falls through to OpenID Connect:
OIDCRedirectURI https://www.YOURDOMAIN.com/oauth2callback
OIDCCryptoPassphrase <password>
OIDCScope "openid email"
<Location />
    # Deny every host first; Allow directives are evaluated afterwards and win
    Order deny,allow
    Deny from all
    AuthType openid-connect
    Require valid-user
    Require claim hd:YOURDOMAIN.com
    # Only this address passes the host check and bypasses OpenID Connect
    Allow from SOME IP ADDRESS
    # Everyone else fails the host check and must authenticate
    Satisfy any
</Location>
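On Apache 2.4 the Order, Allow, Deny and Satisfy directives are provided only by mod_access_compat, and the same mistake is avoided entirely by expressing the rule with the native Require syntax, where the "either/or" is explicit. The block below is an added example, not from the original post; it restates the corrected block above for Apache 2.4, and the address 203.0.113.10 (from the documentation range) and the path / are placeholder assumptions.

```apache
# Added example for Apache 2.4: same policy as the corrected block above,
# written with the native authorization containers instead of Satisfy any.
OIDCRedirectURI https://www.YOURDOMAIN.com/oauth2callback
OIDCCryptoPassphrase <password>
OIDCScope "openid email"

<Location />
    AuthType openid-connect
    # Exactly one of the alternatives must hold: the trusted address,
    # or an authenticated user from the expected hosted domain.
    <RequireAny>
        # Assumed placeholder for the trusted address
        Require ip 203.0.113.10
        # Both conditions must hold for everyone else. Without RequireAll,
        # sibling Require lines are alternatives, and any authenticated
        # user would pass regardless of the hd claim.
        <RequireAll>
            Require valid-user
            Require claim hd:YOURDOMAIN.com
        </RequireAll>
    </RequireAny>
</Location>
```

There is no implicit "allow everyone" host rule here: a client that is not 203.0.113.10 and has not authenticated matches nothing in the RequireAny and is refused. After editing, run `apachectl configtest` to catch syntax errors such as a Location block without a path, and check `apachectl -M` to see whether access_compat_module is even loaded before relying on Order/Allow/Deny on a 2.4 server.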