/etc/apache2/mods-available/auth_openidc.conf is in libapache2-mod-auth-openidc 1.8.5-1.
This file is owned by root:root, with mode 0o644.
The actual contents of the file can be viewed below.
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96 97 98 99 100 101 102 103 104 105 106 107 108 109 110 111 112 113 114 115 116 117 118 119 120 121 122 123 124 125 126 127 128 129 130 131 132 133 134 135 136 137 138 139 140 141 142 143 144 145 146 147 148 149 150 151 152 153 154 155 156 157 158 159 160 161 162 163 164 165 166 167 168 169 170 171 172 173 174 175 176 177 178 179 180 181 182 183 184 185 186 187 188 189 190 191 192 193 194 195 196 197 198 199 200 201 202 203 204 205 206 207 208 209 210 211 212 213 214 215 216 217 218 219 220 221 222 223 224 225 226 227 228 229 230 231 232 233 234 235 236 237 238 239 240 241 242 243 244 245 246 247 248 249 250 251 252 253 254 255 256 257 258 259 260 261 262 263 264 265 266 267 268 269 270 271 272 273 274 275 276 277 278 279 280 281 282 283 284 285 286 287 288 289 290 291 292 293 294 295 296 297 298 299 300 301 302 303 304 305 306 307 308 309 310 311 312 313 314 315 316 317 318 319 320 321 322 323 324 325 326 327 328 329 330 331 332 333 334 335 336 337 338 339 340 341 342 343 344 345 346 347 348 349 350 351 352 353 354 355 356 357 358 359 360 361 362 363 364 365 366 367 368 369 370 371 372 373 374 375 376 377 378 379 380 381 382 383 384 385 386 387 388 389 390 391 392 393 394 395 396 397 398 399 400 401 402 403 404 405 406 407 408 409 410 411 412 413 414 415 416 417 418 419 420 421 422 423 424 425 426 427 428 429 430 431 432 433 434 435 436 437 438 439 440 441 442 443 444 445 446 447 448 449 450 451 452 453 454 455 456 457 458 459 460 461 462 463 464 465 466 467 468 469 470 471 472 473 474 475 476 477 478 479 480 481 482 483 484 485 486 487 488 489 490 491 492 493 494 495 496 497 498 499 500 501 502 503 504 505 506 507 508 509 510 511 512 513 514 515 516 517 518 519 520 521 522 523 524 525 526 527 528 529 530 531 532 533 534 535 536 537 538 539 540 541 542 543 544 545 546 547 548 549 550 551 552 553 554 555 556 557 558 559 560 561 562 563 564 565 566 567 568 569 570 571 | ########################################################################################
#
# Common Settings
#
########################################################################################
# (Mandatory)
# The redirect_uri for this OpenID Connect client; this is a vanity URL
# that must ONLY point to a path on your server protected by this module
# but it must NOT point to any actual content that needs to be served.
#OIDCRedirectURI https://www.example.com/protected/redirect_uri
# (Mandatory)
# Set a password for crypto purposes, used in state and (optionally) by-value session cookies.
#OIDCCryptoPassphrase <passphrase>
# (Optional)
# Define the cookie path for the "state" and "session" cookies.
# When not defined the default is a server-wide "/".
#OIDCCookiePath <cookie-path>
# (Optional)
# Specify the domain for which the "state" and "session" cookies will be set.
# This must match the OIDCRedirectURI and the URL on which you host your protected
# application. When not defined the default is the server name.
#OIDCCookieDomain <cookie-domain>
# (Optional)
# When using multiple OpenID Connect Providers, possibly combined with Dynamic Client
# Registration and account-based OP Discovery.
# Specifies the directory that holds metadata files (must be writable for the Apache process/user).
# When not specified, it is assumed that we use a single statically configured provider as
# described under the section "OpenID Connect Provider" below, most likely using OIDCProviderMetadataURL.
#OIDCMetadataDir /var/cache/apache2/mod_auth_openidc/metadata
########################################################################################
#
# (Optional)
#
# OpenID Connect Provider
#
# For configuration of a single static provider not using OpenID Connect Provider Discovery.
#
########################################################################################
# URL where OpenID Connect Provider metadata can be found (e.g. https://accounts.google.com/.well-known/openid-configuration)
# The obtained metadata will be cached and refreshed every 24 hours.
# If set, individual entries below will not have to be configured but can be used to add
# extra entries/endpoints to settings obtained from the metadata.
# If not set, the entries below will have to be configured for a single static OP configuration
# or OIDCMetadataDir will have to be set for configuration of multiple OPs.
#OIDCProviderMetadataURL <url>
# OpenID Connect Provider issuer identifier (e.g. https://localhost:9031 or accounts.google.com)
# Used when OIDCProviderMetadataURL is not defined or the metadata obtained from that URL does not set it.
#OIDCProviderIssuer <issuer>
# OpenID Connect Provider Authorization Endpoint URL (e.g. https://localhost:9031/as/authorization.oauth2)
# Used when OIDCProviderMetadataURL is not defined or the metadata obtained from that URL does not set it.
#OIDCProviderAuthorizationEndpoint <authorization_endpoint>
# OpenID Connect Provider JWKS URL (e.g. https://localhost:9031/pf/JWKS)
# i.e. the URL on which the signing keys for this OP are hosted, in JWK formatting
# Used when OIDCProviderMetadataURL is not defined or the metadata obtained from that URL does not set it.
#OIDCProviderJwksUri <jwks_url>
# (Optional)
# OpenID Connect Provider Token Endpoint URL (e.g. https://localhost:9031/as/token.oauth2)
# Used when OIDCProviderMetadataURL is not defined or the metadata obtained from that URL does not set it.
#OIDCProviderTokenEndpoint <token_endpoint>
# (Optional)
# Authentication method for the OpenID Connect Provider Token Endpoint.
# One of "client_secret_basic" or "client_secret_post".
# When not defined the default method from the specification is used, i.e. "client_secret_basic".
# Used when OIDCProviderMetadataURL is not defined or the metadata obtained from that URL does not set it.
#OIDCProviderTokenEndpointAuth <token_auth_method>
# (Optional)
# Extra parameters that need to be passed in the POST request to the Token Endpoint.
# Parameter names and values need to be provided in URL-encoded form.
# When not defined no extra parameters will be passed.
# NB: this can be overridden on a per-OP basis in the .conf file using the key: token_endpoint_params
#OIDCProviderTokenEndpointParams <urlencoded-name1>=<urlencoded-value1>[&<urlencoded-nameN>=<urlencoded-valueN>]*
# (Optional)
# OpenID Connect Provider UserInfo Endpoint URL (e.g. https://localhost:9031/idp/userinfo.openid)
# When not defined no claims will be resolved from such endpoint.
# Used when OIDCProviderMetadataURL is not defined or the metadata obtained from that URL does not set it.
#OIDCProviderUserInfoEndpoint <user_info_endpoint>
# (Optional)
# OpenID OP Check Session iFrame URL, for Session Management purposes.
# When not defined, no Session Management will be applied.
# Used when OIDCProviderMetadataURL is not defined or the metadata obtained from that URL does not set it.
#OIDCProviderCheckSessionIFrame <url>
# (Optional)
# OpenID OP End Session Endpoint URL, for Single Logout (Session Management) purposes.
# When not defined, no logout to the OP will be performed.
# Used when OIDCProviderMetadataURL is not defined or the metadata obtained from that URL does not set it.
#OIDCProviderEndSessionEndpoint <url>
# (Optional)
# Extra JSON parameters that need to be passed in the registration request to the Registration Endpoint.
# This settings serves as a default value for multiple OPs only.
# Parameter names and values need to be provided in JSON form and will be merged in to the request.
# When not defined no extra parameters will be passed.
# NB: this can be overridden on a per-OP basis in the .conf file using the key: registration_endpoint_params
#OIDCProviderRegistrationEndpointJson <json-string>
########################################################################################
#
# (Optional)
#
# OpenID Connect Client
#
# Settings used by the client in communication with the OpenID Connect Provider(s),
# i.e. in Authorization Requests, Dynamic Client Registration and UserInfo Endpoint access.
# These settings are used when a single static provider is configured and serve as defaults
# when multiple providers are configured.
#
########################################################################################
# (Optional)
# Require a valid SSL server certificate when communicating with the OP.
# (i.e. on token endpoint, UserInfo endpoint and Dynamic Client Registration endpoint)
# When not defined, the default value is "On".
# NB: this can be overridden on a per-OP basis in the .conf file using the key: ssl_validate_server
#OIDCSSLValidateServer [On|Off]
# (Optional)
# The response type (or OpenID Connect Flow) used (this serves as default value for discovered OPs too)
# When not defined the "code" response type is used.
# NB: this can be overridden on a per-OP basis in the .conf file using the key: response_type
#OIDCResponseType ["code"|"id_token"|"id_token token"|"code id_token"|"code token"|"code id_token token"]
# (Optional)
# The response mode used (this serves as default value for discovered OPs too)
# When not defined the default response mode for the requested flow (OIDCResponseType) is used.
# NB: this can be overridden on a per-OP basis in the .conf file using the key: response_mode
#OIDCResponseMode ["fragment"|"query"|"form_post"]
# (Optional)
# Only used for a single static provider has been configured, see below in OpenID Connect Provider.
# Client identifier used in calls to the statically configured OpenID Connect Provider.
#OIDCClientID <client_id>
# (Optional)
# Only used for a single static provider has been configured, see below in OpenID Connect Provider.
# Client secret used in calls to the statically configured OpenID Connect Provider.
# (not used/required in the Implicit Client Profile, i.e. when OIDCResponseType is "id_token")
#OIDCClientSecret <client_secret>
# (Optional)
# The client name that the client registers in dynamic registration with the OP.
# When not defined, no client name will be sent with the registration request.
# NB: this can be overridden on a per-OP basis in the .conf file using the key: client_name
#OIDCClientName <client_name>
# (Optional)
# The contacts that the client registers in dynamic registration with the OP.
# Must be formatted as e-mail addresses by specification.
# Single value only; when not defined, no contact e-mail address will be sent with the registration request.
# NB: this can be overridden on a per-OP basis in the .conf file using the key: client_contact
#OIDCClientContact <contact>
# (Optional)
# Define the OpenID Connect scope that is requested from the OP (eg. "openid email profile").
# When not defined, the bare minimal scope "openid" is used.
# NB: this can be overridden on a per-OP basis in the .conf file using the key: scope
#OIDCScope <scope(s)-separated-by-spaces>
########################################################################################
#
# (Optional)
#
# OAuth 2.0 Resource Server Settings
#
# Used when this module functions as a Resource Server against an OAuth 2.0 Authorization
# Server, introspecting/validating bearer Access Tokens.
#
########################################################################################
# (Optional)
# Client identifier used in token introspection calls to the OAuth 2.0 Authorization server.
#OIDCOAuthClientID <client_id>
# (Optional)
# Client secret used in token introspection calls to the OAuth 2.0 Authorization server.
#OIDCOAuthClientSecret <client_secret>
# (Mandatory when introspecting opaque access tokens, Optional when performing local JWT access token validation)
# OAuth 2.0 Authorization Server token introspection endpoint (e.g. https://localhost:9031/as/token.oauth2)
#OIDCOAuthIntrospectionEndpoint <token-introspection-endpoint>
# (Optional)
# Define the HTTP method to use for the introspection call. Must be GET or POST.
# When not defined the default is POST.
#OIDCOAuthIntrospectionEndpointMethod [GET|POST]
# (Optional)
# Extra parameters that need to be passed in the POST request to the Introspection Endpoint.
# Parameter names and values need to be provided in URL-encoded form.
# When not defined no extra parameters will be passed.
#OIDCOAuthIntrospectionEndpointParams <urlencoded-name1>=<urlencoded-value1>[&<urlencoded-nameN>=<urlencoded-valueN>]*
# (Optional)
# Authentication method for the OAuth 2.0 Authorization Server introspection endpoint,
# Must be either "client_secret_basic" or "client_secret_post; when not defined "client_secret_basic" is used.
#OIDCOAuthIntrospectionEndpointAuth [client_secret_basic|client_secret_post]
# (Optional)
# Name of the parameter whose value carries the access token value in an validation request to the token introspection endpoint.
# When not defined the default "token" is used.
#OIDCOAuthIntrospectionTokenParamName <param_name>
# (Optional)
# Defines the name of the claim that contains the token expiry timestamp, whether it is absolute (seconds since
# 1970), relative (seconds from now after which the token will expire), and whether it is optional.
# If the claim is optional and not found in the response, the introspection result will not be cached.
# (which means that the overall performance may suffer)
#
# Only applies when the "active" claim is not found in the introspection response, which is interpreted as
# an introspection method that does not conform to draft-ietf-oauth-introspection, but is custom.
#
# When not defined the default "expires_in" is used, the expiry is "relative" and mandatory, matching
# Google and PingFederate's introspection behavior.
#OIDCOAuthTokenExpiryClaim <claim-name> [absolute|relative] [mandatory|optional]
# (Optional)
# Require a valid SSL server certificate when communicating with the Authorization Server
# on the token introspection endpoint. When not defined, the default value is "On".
#OIDCOAuthSSLValidateServer [On|Off]
# (Optional)
# The symmetric shared key(s) that can be used for local JWT access token validation.
# NB: this is one or more plain secret(s), so NOT hex or base64 encoded.
# When not defined, no access token validation with shared keys will be performed.
#OIDCOAuthVerifySharedKeys [<secret>+]
# (Optional)
# The fully qualified names of the files that contain the X.509 certificates with the RSA public
# keys that can be used for local JWT access token verification.
# When not defined, no access token validation with statically configured certificates will be performed.
#OIDCOAuthVerifyCertFiles [<filename>+]
# (Optional)
# The JWKs URL on which the Authorization publishes the keys used to sign its JWT access tokens.
# When not defined local validation of JWTs can still be done using statically configured keys,
# by setting OIDCOAuthVerifyCertFiles and/or OIDCOAuthVerifySharedKeys.
#OIDCOAuthVerifyJwksUri <jwks_url>
# (Optional)
# The claim that is used when setting the REMOTE_USER variable on OAuth 2.0 protected paths.
# When not defined the default "sub" is used.
#
# An optional regular expression can be added as a 2nd parameter that will be applied to the
# claim value from the 1st parameter and the first match returned from that expression will
# be set as the REMOTE_USER. E.g. to strip a domain from an e-mail style address you'd use ^(.*)@
#OIDCOAuthRemoteUserClaim <claim-name> [<regular-expression>]
########################################################################################
#
# (Optional)
#
# Cache Settings
#
########################################################################################
# (Optional)
# Cache type, used for temporary storage that is shared across Apache processes/servers for:
# a) session state
# b) nonce values to prevent replay attacks
# c) validated OAuth 2.0 tokens
# d) JWK sets that have been retrieved from jwk_uri's
# e) resolved OP metadata when using OIDCProviderMetadataUrl
# f) JWT ID claims (jti) when using OP-init-SSO
# must be one of \"shm\", \"memcache\", \"file\" or, if Redis support is compiled in, \"redis\"
# When not defined, "shm" (shared memory) is used.
#OIDCCacheType [shm|memcache|file[|redis]]
# (Optional)
# When using OIDCCacheType "shm":
# Specifies the maximum number of name/value pair entries that can be cached.
# When caching a large number of entries the cache size limit may be reached and the
# least recently used entry will be overwritten. If this happens within 1 hour,
# errors will be displayed in the error.log and the OIDCCacheShmMax value may be increased.
# When not specified, a default of 500 entries is used.
# OIDCCacheShmMax <number>
# (Optional)
# When using OIDCCacheType "shm":
# Specifies the maximum size for a single cache entry in bytes with a minimum of 8464 bytes.
# When caching large values such as numbers of attributes in a session or large metadata documents the
# entry size limit may be overrun, in which case errors will be displayed in the error.log
# and the OIDCCacheShmEntrySizeMax value has to be increased.
# When not specified, a default entry size of 16913 bytes (16384 value + 512 key + 17 overhead) is used.
# OIDCCacheShmEntrySizeMax <bytes>
# (Optional)
# When using OIDCCacheType "file":
# Directory that holds cache files; must be writable for the Apache process/user.
# When not specified a system defined temporary directory (/tmp) will be used.
#OIDCCacheDir /var/cache/apache2/mod_auth_openidc/cache
# (Optional)
# When using OIDCCacheType "file":
# Cache file clean interval in seconds (only triggered on writes).
# When not specified a default of 60 seconds is used.
# OIDCCacheFileCleanInterval <seconds>
# (Optional)
# Required when using OIDCCacheType "memcache":
# Specifies the memcache servers used for caching as a space separated list of <hostname>[:<port>] tuples.
#OIDCMemCacheServers "(<hostname>[:<port>])+"
# (Optional)
# Required if Redis support is compiled in and when using OIDCCacheType "redis":
# Specifies the Redis server used for caching as a <hostname>[:<port>] tuple.
#OIDCRedisCacheServer <hostname>[:<port>]
# (Optional)
# Password to be used if the Redis server requires authentication: http://redis.io/commands/auth
# When not specified, no authentication is performed.
#OIDCRedisCachePassword <password>
########################################################################################
#
# (Optional)
#
# Advanced Settings
#
########################################################################################
# (Optional)
# Interval in seconds after which the session will be invalidated when no interaction has occurred.
# When not defined, the default is 300 seconds.
#OIDCSessionInactivityTimeout <seconds>
# (Optional)
# Defines an external OP Discovery page. That page will be called with:
# <discovery-url>?target_link_uri=<target-url>&oidc_callback=<callback-url>
#
# An Issuer selection can be passed back to the callback URL as in:
# <callback-url>?target_link_uri=<target-url>&iss=[${issuer}|${domain}|${e-mail-style-account-name}][&login_hint=<login-hint>][&auth_request_params=<params>]
# where the <iss> parameter contains the URL-encoded issuer value of
# the selected Provider, or a URL-encoded account name for OpenID
# Connect Discovery purposes (aka. e-mail style identifier), or a domain name.
#
# When not defined the bare-bones internal OP Discovery page is used.
#OIDCDiscoverURL <discovery-url>
# (Optional)
# Defines a default URL to be used in case of 3rd-party or OP initiated
# SSO when no explicit target_link_uri has been provided. The user is also
# sent to this URL is in case an invalid authorization response was received.
# When not defined, 3rd-party SSO must be done with a specified \"target_link_uri\" parameter.
#OIDCDefaultURL <default-url>
# (Optional)
# Defines a default URL where the user is sent to after logout, which may be overridden explicitly during logout.
# When not defined and no URL was passed explicitly, a default internal page will be shown.
#OIDCDefaultLoggedOutURL <url>
# (Optional)
# Extra parameters that will be sent along with the Authorization Request.
# These must be URL-query-encoded as in: "display=popup&prompt=consent" or
# specific for Google's implementation: "approval_prompt=force".
# This is used against a statically configured (single) OP or serves as the default for discovered OPs.
# As an alternative to this option, one may choose to add the parameters as
# part of the URL set in OIDCProviderAuthorizationEndpoint or "authorization_endpoint"
# in the .provider metadata (though that would not work with Discovery OPs).
# The default is to not add extra parameters.
# NB: this can be overridden on a per-OP basis in the .conf file using the key: auth_request_params
#OIDCAuthRequestParams <query-encoded-string>
# (Optional)
# The fully qualified names of the files that contain the PEM-formatted X.509 certificates
# that contain the RSA public keys to be used for JWT (OP state/id_token) encryption by the OP.
# These keys must correspond to the private keys defined in OIDCPrivateKeyFiles.
# When not defined no encryption will be requested.
#OIDCPublicKeyFiles [<filename>+]
# (Optional)
# The fully qualified names of the files that contain the PEM-formatted RSA private
# keys that can be used to decrypt content sent to us by the OP.
# These keys must correspond to the public keys defined in OIDCPublicKeyFiles.
# When not defined no decryption will be possible.
#OIDCPrivateKeyFiles [<filename>+]
# (Optional)
# Define the Client JWKs URL (e.g. https://localhost/protected/?jwks=rsa)") that will be
# used during client registration to point to the JWK set with public keys for this client.
# If not defined the default <redirect_uri>?jwks=rsa will be used, on which a JWK set
# is automatically published based on the OIDCPublicKeyFiles setting so normally you don't
# need to touch this unless this client is on a (test) host that is not reachable from the internet.
# NB: this can be overridden on a per-OP basis in the .conf file using the key: client_jwks_uri
#OIDCClientJwksUri <url>
# (Optional)
# The algorithm that the OP should use to sign the id_token (used only in dynamic client registration)
# When not defined the default that the OP should use by spec is RS256.
# (ES??? algorithms only supported when using OpenSSL >= 1.0)
# NB: this can be overridden on a per-OP basis in the .conf file using the key: id_token_signed_response_alg
#OIDCIDTokenSignedResponseAlg [RS256|RS384|RS512|PS256|PS384|PS512|HS256|HS384|HS512|ES256|ES384|ES512]
# (Optional)
# The algorithm that the OP should use to encrypt the Content Encryption Key that is
# used to encrypt the id_token (used only in dynamic client registration)
# When not defined the default (by spec) is that the OP does not encrypt the id_token.
# NB: this can be overridden on a per-OP basis in the .conf file using the key: id_token_encrypted_response_alg
#OIDCIDTokenEncryptedResponseAlg [RSA1_5|A128KW|A256KW|RSA-OAEP]
# (Optional)
# The algorithm that the OP should use to encrypt to the id_token with the
# Content Encryption Key (used only in dynamic client registration)
# If OIDCIDTokenEncryptedResponseAlg is specified, the default for this value is A128CBC-HS256.
# When OIDCIDTokenEncryptedResponseEnc is included, OIDCIDTokenEncryptedResponseAlg MUST also be provided.
# (????GCM algorithms only supported when using OpenSSL >= 1.0.1)
# NB: this can be overridden on a per-OP basis in the .conf file using the key: id_token_encrypted_response_enc
#OIDCIDTokenEncryptedResponseEnc [A128CBC-HS256|A256CBC-HS512|A128GCM|A192GCM|A256GCM]
# (Optional)
# The algorithm that the OP should use to sign the UserInfo response
# (used only in dynamic client registration)
# When not defined the default (by spec) is that the OP does not sign the response.
# (ES??? algorithms only supported when using OpenSSL >= 1.0)
# NB: this can be overridden on a per-OP basis in the .conf file using the key: userinfo_signed_response_alg
#OIDCUserInfoSignedResponseAlg RS256|RS384|RS512|PS256|PS384|PS512|HS256|HS384|HS512|ES256|ES384|ES512]
# (Optional)
# The algorithm that the OP should use to encrypt the Content Encryption Key that is
# used to encrypt the UserInfo response (used only in dynamic client registration)
# When not defined the default (by spec) is that the OP does not encrypt the response.
# NB: this can be overridden on a per-OP basis in the .conf file using the key: userinfo_encrypted_response_alg
#OIDCUserInfoEncryptedResponseAlg [RSA1_5|A128KW|A256KW|RSA-OAEP]
# (Optional)
# The algorithm that the OP should use to encrypt to encrypt the UserInfo response with
# the Content Encryption Key (used only in dynamic client registration)
# If OIDCUserInfoEncryptedResponseAlg is specified, the default for this value is A128CBC-HS256.
# When OIDCUserInfoEncryptedResponseEnc is included, OIDCUserInfoEncryptedResponseAlg MUST also be provided.
# (????GCM algorithms only supported when using OpenSSL >= 1.0.1)
# NB: this can be overridden on a per-OP basis in the .conf file using the key: userinfo_encrypted_response_enc
#OIDCUserInfoEncryptedResponseEnc [A128CBC-HS256|A256CBC-HS512|A128GCM|A192GCM|A256GCM]
# (Optional)
# The refresh interval in seconds for the JWKs key set obtained from the jwk_uri.
# When not defined the default is 3600 seconds.
# NB: this can be overridden on a per-OP basis in the .conf file using the key: jwks_refresh_interval
#OIDCJWKSRefreshInterval <seconds>
# (Optional)
# Acceptable offset (before and after) for checking the \"iat\" (= issued at) timestamp in the id_token.
# When not defined the default is 600 seconds.
# NB: this can be overridden on a per-OP basis in the .conf file using the key: idtoken_iat_slack
#OIDCIDTokenIatSlack <seconds>
# (Optional)
# Maximum duration of the application session
# When not defined the default is 8 hours (3600 * 8 seconds).
# When set to 0, the session duration will be set equal to the expiry time of the ID token.
# NB: this can be overridden on a per-OP basis in the .conf file using the key: session_max_duration
#OIDCSessionMaxDuration <seconds>
# (Optional)
# Define the cookie name for the session cookie.
# When not defined the default is "mod_auth_openidc_session".
#OIDCCookie <cookie-name>
# (Optional)
# Defines whether the HttpOnly flag will be set on cookies.
# When not defined the default is On.
#OIDCCookieHTTPOnly [On|Off]
# (Optional)
# The prefix to use when setting claims (openid-connect or oauth20) in the HTTP headers/environment variables.
# When not defined, the default "OIDC_CLAIM_" is used.
#OIDCClaimPrefix <prefix>
# (Optional)
# The delimiter to use when setting multi-valued claims (openid-connect or oauth20) in the HTTP headers/environment variables.
# When not defined the default "," is used.
#OIDCClaimDelimiter <char>
# (Optional)
# The claim that is used when setting the REMOTE_USER variable on OpenID Connect protected paths.
# If the claim name is postfixed with a \"@\", the claim value will be post-fixed with the
# \"iss\" value value (with leading "https://" stripped) to make this value unique across different OPs.
# When not defined the default "sub@" is used.
#
# An optional regular expression can be added as a 2nd parameter that will be applied to the
# resulting value from the 1st parameter and the first match returned from that expression will
# be set as the REMOTE_USER. E.g. to strip a domain from an e-mail style address you'd use ^(.*)@
#OIDCRemoteUserClaim <claim-name>[@] [<regular-expression>]
# (Optional)
# Define the way(s) in which the id_token contents are passed to the application. Must be one or several of:
# "claims" : the claims in the id_token are passed in individual headers/environment variables
# "payload" : the payload of the id_token is passed as a JSON object in the "OIDC_id_token_payload" header/environment variable
# "serialized" : the complete id_token is passed in compact serialized format in the "OIDC_id_token" header/environment variable
# When not defined the default "claims" is used.
#OIDCPassIDTokenAs [claims|payload|serialized]+
# (Optional)
# Define the way in which the claims are passed to the application environment:
# "none": no claims are passed
# "environment": claims are passed as environment variables
# "headers": claims are passed in headers (also useful in reverse proxy scenario's)
# "both": claims are passed as both headers as well as environment variables (default)
# When not defined the default is "both"
#OIDCPassClaimsAs [none|headers|environment|both]
# (Optional)
# Specify the HTTP header variable name to set with the name of the authenticated user,
# i.e. copy what is set in REMOTE_USER and configured in OIDCRemoteUserClaim.
# When not defined no such header is added.
# This setting can be configured for both the "openid-connect" and "oauth20" AuthType on
# a server-wide or directory level.
#OIDCAuthNHeader <header-name>
# (Optional)
# Timeout in seconds for long duration HTTP calls. This is used for most requests to remote endpoints/servers.
# When not defined the default of 60 seconds is used.
#OIDCHTTPTimeoutLong <seconds>
# (Optional)
# Timeout in seconds for short duration HTTP calls; used for Client Registration and OP Discovery requests.
# When not defined the default of 5 seconds is used.
#OIDCHTTPTimeoutShort <seconds>
# (Optional)
# Time to live in seconds for state parameter i.e. the interval in which the authorization request
# and the corresponding response need to be processed. When not defined the default of 300 seconds is used.
#OIDCStateTimeout <seconds>
# (Optional)
# OpenID Connect session storage type.
# "server-cache" server-side caching storage.
# "client-cookie" uses browser-side sessions stored in a cookie.
# Note that due to cookie size limitations on most web browsers (usually 4096 bytes), "client-cookie" will
# not work if the resulting session data is too long, which depends on the scope of information you request.
# When not defined the default "server-cache" is used.
#OIDCSessionType [server-cache|client-cookie]
# (Optional)
# Scrub user name and claim headers (as configured above) from the user's request.
# The default is "On"; use "Off" only for testing and debugging because it renders your system insecure.
#OIDCScrubRequestHeaders [On|Off]
# (Optional)
# Specify an outgoing proxy for your network.
# When not defined no outgoing proxy is used.
#OIDCOutgoingProxy <host>[:<port>]
# (Optional)
# Defines the action to be taken when an unauthenticated request is made.
# "auth" means that the user is redirected to the OpenID Connect Provider or Discovery page.
# "401" means that HTTP 401 Unauthorized is returned.
# "pass" means that an unauthenticated request will pass but claims will still be passed when a user happens to be authenticated already
# Useful in Location/Directory/Proxy path contexts that serve AJAX/Javascript calls and for "anonymous access"
# When not defined the default "auth" is used.
#OIDCUnAuthAction [auth|pass|401]
# (Optional)
# Specify the names of cookies to pickup from the browser and send along on backchannel
# calls to the OP and AS endpoints. This can be used for load-balancing purposes.
# When not defined, no such cookies are sent.
#OIDCPassCookies [<cookie-name>]+
|