
I have an Apache server using mod_auth_openidc. For one specific directory (the API), I'd like to allow bearer token authentication first with fallback to OpenID. Is that something I can accomplish with an .htaccess file in the API directory?

Desired behavior:
- If a request is made in the API directory:
  - If an "Authorization: Bearer" header is set: use bearer authentication
  - Otherwise: use OpenID Connect
- If a request is made in any other directory: use OpenID Connect

Hans Z.

2 Answers

The below can help instruct Apache 2.4 to use the proper AuthType via a <Location> block. I have not tested it in a .htaccess file, but the concept should work there too.

This "IF/ELSE" config has been solid so far. Any other Apache configuration resulted in mixed results when API calls were nested within the web app's path.

This IF statement checks for an Authorization: Bearer HTTP header in the request and routes to the proper AuthType as processed. Add in your Require claim directives as recommended.

<Location "/APP">
    # Bearer header present: validate the token as an OAuth 2.0 resource server.
    <If "%{HTTP:Authorization} =~ m#^Bearer#i">
      AuthType oauth20
      Require claim aud:xxx
    </If>
    # No bearer header: fall back to the interactive OpenID Connect login flow.
    <Else>
      AuthType openid-connect
      Require claim client_id:xxx
    </Else>
    Require valid-user
</Location>

Also make sure your jwks endpoint directive is set on top of your original openidc provider configuration.

OIDCOAuthVerifyJwksUri https://{DOMAIN}/.well-known/jwks.json
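A quick way to confirm the If/Else routing from the outside is to look at what the server answers when the same path is hit with and without a bearer header. The script below is an added example, not part of the answer above: it classifies a captured response (status line plus headers) as the OAuth 2.0 path (401 with a WWW-Authenticate: Bearer challenge), the OpenID Connect path (302 to an authorization endpoint carrying client_id=), an accepted request, or something unexpected. The BASE_URL, the /APP/api and /other paths and the placeholder token are assumptions.

```shell
#!/usr/bin/env bash
# Added example: verify that /APP routes bearer requests to AuthType oauth20
# and everything else to AuthType openid-connect.
# BASE_URL, the paths and the token below are placeholders, not values from the post.

# Read one HTTP response (status line + headers) from stdin and print:
#   oauth20        -> 401/403 with a "WWW-Authenticate: Bearer" challenge
#   openid-connect -> redirect whose Location carries an OIDC client_id=
#   authorized     -> 2xx, the request was accepted
#   unknown        -> anything else (e.g. a Basic challenge, a 500)
classify_response() {
    local hdrs status
    hdrs=$(cat)
    status=$(printf '%s\n' "$hdrs" | head -n 1 | awk '{print $2}')
    case "$status" in
        2*) echo authorized ;;
        401|403)
            if printf '%s\n' "$hdrs" | grep -qi '^WWW-Authenticate: *Bearer'; then
                echo oauth20
            else
                echo unknown
            fi ;;
        301|302|303|307)
            if printf '%s\n' "$hdrs" | grep -qi '^Location: .*client_id='; then
                echo openid-connect
            else
                echo unknown
            fi ;;
        *) echo unknown ;;
    esac
}

# Fetch only the response headers for URL $1, optionally with bearer token $2.
probe() {
    if [ -n "${2:-}" ]; then
        curl -s -o /dev/null -D - -H "Authorization: Bearer $2" "$1"
    else
        curl -s -o /dev/null -D - "$1"
    fi
}

main() {
    # A syntactically bogus token should still be routed to the bearer path
    # and rejected there, never bounced to the interactive login.
    echo "API, bogus bearer   -> $(probe "$BASE_URL/APP/api" not-a-real-token | classify_response)"  # expect oauth20
    echo "API, no header      -> $(probe "$BASE_URL/APP/api" | classify_response)"                   # expect openid-connect
    echo "Other path          -> $(probe "$BASE_URL/other" | classify_response)"                     # expect openid-connect
}

# Only contact a server when the caller has pointed us at one.
if [ -n "${BASE_URL:-}" ]; then main; fi
```

Run it as `BASE_URL=https://your-host ./check.sh`; an `unknown` on the first line usually means the `<If>` did not match and the request fell through to the OpenID Connect redirect.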


You can use AuthType auth-openidc; see: https://github.com/zmartzone/mod_auth_openidc/wiki/Single-Page-Applications#allowing-both-oauth-20-and-openid-connect
