2

We are using the Apache Integration Kit (mod_pf) for integrating a web application with PingFederate as SP. We want to use PingFederate as an OAuth server as well. Can we use the same integration kit to validate access tokens generated by the OAuth server? Or are there any other libraries to do it?

One such library that I came across is mod_auth_openidc. Has anyone used it for validating access tokens?

Hans Z.
Shashank
  • This isn't a good "question" because it is more than one. It requires multiple if/then answers. – Andrew K. May 14 '15 at 12:04
  • I can answer the first question... The Apache Integration Kit does not do OAuth natively, and Ping doesn't offer such a tool. – Andrew K. May 14 '15 at 12:06

3 Answers

3

You cannot use the Apache Integration Kit (OpenToken) to validate OAuth tokens. They are completely different token types and formats.

However, Hans Zandbelt (from Ping Identity) actually wrote the mod_auth_openidc you link to, and per its description, it does the following:

"It can also function as an OAuth 2.0 Resource Server, validating access tokens presented by OAuth 2.0 clients against an OAuth 2.0 Authorization Server."

mod_auth_openidc can also be used to provide SSO for Apache websites based on OpenID Connect, and thus substitute the mod_pf module that provides SSO based on the OpenToken format and protocol. A sample configuration doing both:

OIDCProviderMetadataURL https://localhost:9031/.well-known/openid-configuration

OIDCSSLValidateServer Off
OIDCClientID ac_oic_client
OIDCClientSecret abc123DEFghijklmnop4567rstuvwxyzZYXWUT8910SRQPOnmlijhoauthplaygroundapplication

OIDCRedirectURI https://localhost/example/redirect_uri/
OIDCCryptoPassphrase <password>

OIDCOAuthIntrospectionEndpoint https://localhost:9031/as/token.oauth2
OIDCOAuthIntrospectionEndpointParams grant_type=urn%3Apingidentity.com%3Aoauth2%3Agrant_type%3Avalidate_bearer
OIDCOAuthIntrospectionEndpointAuth client_secret_basic
OIDCOAuthRemoteUserClaim Username

OIDCOAuthSSLValidateServer Off
OIDCOAuthClientID rs_client
OIDCOAuthClientSecret 2Federate

<Location /example/>
   AuthType openid-connect
   Require valid-user
</Location>

<Location /api>
   AuthType oauth20
   Require claim scope~\bprofile\b
</Location>
Hans Z.
Ian
2

You may want to look at PingAccess for this need. It works alongside PingFederate to handle both browser SSO and OAuth access token validation use cases, which may simplify your deployment.

It has benefits over an Apache module in that it allows for centralized administration of access control policies and centralized logout across different applications, which is a typical requirement in an enterprise environment.

Scott T.
1

For your question "Are there any other libraries to do it?", I take this to mean: is there anything else beyond mod_auth_openidc? There is another option. OAuth is a RESTful service to the PingFederate OAuth Authorization Server (OAS). If all you desire to do is validate the incoming Access Token, then you create a REST API call to the PingFederate OAS to validate the token. Within PingFederate you would need to configure an OAuth client for validation. You could integrate cURL within your application for the REST client and then call the PingFederate OAS. You would have to process the response based on your application or service requirements.

Eric U.
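The REST-call approach in the answer above is what mod_auth_openidc does internally for the `<Location /api>` block in the first answer: it posts the bearer token to the OIDCOAuthIntrospectionEndpoint with the validate_bearer grant, authenticates as the resource-server client with client_secret_basic, and then applies the `Require claim scope~\bprofile\b` rule to the reply. The following Python is an added example written for this page; it is not code from the page, from Ping Identity or from mod_auth_openidc. The endpoint, grant type and rs_client credentials are copied from the sample configuration on the page; the names of the fields in the OAS reply (`scope`, `error`) are assumptions, so the evaluator fails closed on anything it does not recognise, and the in-process "OAS" used to run it offline is constructed for the example.

```python
r"""Validate a bearer access token against the PingFederate OAS over REST.

Added example, not from the page, Ping Identity or mod_auth_openidc.
Endpoint, grant type and client_secret_basic auth are taken from the
mod_auth_openidc config on the page; the reply field names ('scope',
'error') are assumptions, and fake_oas_send is a constructed stand-in.
"""
import base64
import json
import re
import urllib.error
import urllib.parse
import urllib.request

# Values taken from the mod_auth_openidc configuration on the page.
OAS_ENDPOINT = "https://localhost:9031/as/token.oauth2"
VALIDATE_BEARER_GRANT = "urn:pingidentity.com:oauth2:grant_type:validate_bearer"
RS_CLIENT_ID = "rs_client"
RS_CLIENT_SECRET = "2Federate"


def build_validation_request(token, endpoint=OAS_ENDPOINT,
                             client_id=RS_CLIENT_ID, client_secret=RS_CLIENT_SECRET):
    """Return (url, headers, body) for the validate_bearer call.
    client_secret_basic: the resource server's own credentials travel in the
    Authorization header; only grant_type and the token go in the form body."""
    creds = base64.b64encode(f"{client_id}:{client_secret}".encode()).decode()
    headers = {
        "Authorization": "Basic " + creds,
        "Content-Type": "application/x-www-form-urlencoded",
        "Accept": "application/json",
    }
    body = urllib.parse.urlencode(
        {"grant_type": VALIDATE_BEARER_GRANT, "token": token}).encode()
    return endpoint, headers, body


def evaluate_validation_response(status, body, required_scope=None):
    """Turn the OAS reply into (allowed, reason, claims).
    Anything other than an HTTP 200 JSON object without an 'error' member is
    treated as a rejected token, so an outage or odd reply never grants access."""
    try:
        data = json.loads(body.decode("utf-8"))
    except (ValueError, UnicodeDecodeError):
        return False, "unparseable response", {}
    if not isinstance(data, dict):
        return False, "unexpected response shape", {}
    if status != 200 or "error" in data:
        return False, str(data.get("error", f"http {status}")), {}
    if required_scope is not None:
        # Same test as 'Require claim scope~\bprofile\b': whole-word match in
        # the space-separated scope string ('scope' is an assumed field name).
        granted = str(data.get("scope", ""))
        if not re.search(r"\b" + re.escape(required_scope) + r"\b", granted):
            return False, "missing scope", data
    return True, "ok", data


def send_with_urllib(url, headers, body):
    """Real transport: POST the form and return (status, raw body)."""
    req = urllib.request.Request(url, data=body, headers=headers, method="POST")
    try:
        with urllib.request.urlopen(req, timeout=5) as resp:
            return resp.status, resp.read()
    except urllib.error.HTTPError as err:
        return err.code, err.read()


def validate_token(token, required_scope=None, send=send_with_urllib, **client):
    """Full check: build the request, send it, evaluate the answer."""
    url, headers, body = build_validation_request(token, **client)
    status, raw = send(url, headers, body)
    return evaluate_validation_response(status, raw, required_scope)


def fake_oas_send(url, headers, body):
    """Constructed stand-in for PingFederate so the example runs offline.
    Knows one valid token and insists on the resource server's Basic credentials."""
    expected = build_validation_request("x")[1]["Authorization"]
    if headers.get("Authorization") != expected:
        return 401, json.dumps({"error": "invalid_client"}).encode()
    form = urllib.parse.parse_qs(body.decode())
    if form.get("grant_type") != [VALIDATE_BEARER_GRANT]:
        return 400, json.dumps({"error": "unsupported_grant_type"}).encode()
    if form.get("token") == ["good-token"]:
        return 200, json.dumps({"scope": "openid profile",
                                "client_id": "ac_oic_client",
                                "expires_in": 3600}).encode()
    return 400, json.dumps({"error": "invalid_grant"}).encode()


if __name__ == "__main__":
    for tok, scope in [("good-token", "profile"), ("good-token", "admin"), ("forged", None)]:
        print(tok, scope, validate_token(tok, scope, send=fake_oas_send)[:2])
```

Swap `fake_oas_send` for the default `send_with_urllib` to talk to a real PingFederate instance; with the sample configuration's `OIDCOAuthSSLValidateServer Off` the module skips certificate checks, whereas urllib verifies the server certificate by default, so a production resource server should keep that verification rather than replicate the sample's setting.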